DEV Community: Dipali Kulshrestha

IAM Fundamentals

Dipali Kulshrestha — Mon, 19 Jan 2026 05:23:56 +0000

3. IAM Fundamentals (Core Concepts)

IAM Components
Component Purpose
User Human or application identity
Group Collection of users
Role Assumed identity with temporary credentials
Policy Permissions document (JSON)

Authentication vs Authorization

Authentication: Who are you?
Authorization: What are you allowed to do?

4. IAM Policies – Deep Dive

Policy Types

AWS Managed Policies
Customer Managed Policies
Inline Policies

Policy Structure (JSON)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "*"
}
]
}

Key Elements Explained

Effect: Allow / Deny

Action: API calls

Resource: ARN

Condition (advanced, optional)

Tip: Explicit Deny always wins.

5. IAM Best Practices

Security Best Practices

Least privilege
Use roles instead of long-term credentials
Enable MFA
Rotate credentials
Use managed policies where possible

What NOT to Do

❌ Hardcode access keys in code
❌ Use IAM users for EC2/Lambda
❌ Share credentials

6. IAM Roles

What is an IAM Role?

An identity assumed temporarily
Uses STS (Security Token Service)
No permanent credentials

Common Role Use Cases

EC2 accessing S3
Lambda accessing DynamoDB
Cross-account access
CI/CD pipelines

Trust Policy vs Permission Policy

Trust policy: Who can assume the role

Permission policy: What the role can do

Hands-On Labs (Step-by-Step)

Lab: Create IAM Users and Groups

Objective

Create a developer IAM user with controlled permissions.

Steps

Login as root / admin
Open IAM Console
Create Group: Developers
Attach policy: AmazonS3ReadOnlyAccess
Create IAM User with Access type: Console + Programmatic
Add user to Developers group
Enable MFA for the user
Test login

Validation

User can list S3 buckets
User cannot create EC2 instances

Lab: Create and Test IAM Role for EC2

Objective

Allow EC2 instance to access S3 without access keys.

Steps

Create IAM Role
Trusted entity: EC2
Attach policy: AmazonS3ReadOnlyAccess
Launch EC2 instance
Attach role during launch
SSH into EC2
Run: aws s3 ls

Expected Result
S3 list works without configuring credentials

Detailed steps

9. Common Developer IAM Scenarios

Lambda → DynamoDB

ECS task → SQS

CI/CD pipeline → CloudFormation

Cross-account role for deployment

Tie these back to roles, not users.

Next: Database
Next: Serverless

Next

Dipali Kulshrestha

Jan 17

Messaging & Event Driven design

#architecture #backend #microservices #systemdesign

Comments 1

2 min read

CI/CD for AWS Applications

Dipali Kulshrestha — Sat, 17 Jan 2026 18:33:13 +0000

Continuous Integration and Continuous Deployment (CI/CD) enable developers to automate build, test, and deployment workflows. AWS provides fully managed CI/CD services that integrate natively with application and infrastructure services.

Key Concepts

Why CI/CD?

Faster and reliable deployments
Reduced human error
Repeatable, auditable release process
Enables DevOps and agile delivery

AWS CI/CD Services

AWS CodeCommit

Managed Git-based source control
Integrates with IAM for authentication
Alternative: GitHub / Bitbucket

AWS CodeBuild

Fully managed build service
Uses buildspec.yml
Supports multiple runtimes (Java, Python, Node.js)

AWS CodePipeline

Orchestrates CI/CD stages
Integrates with CodeCommit, CodeBuild, Lambda, CloudFormation
Event-driven pipeline execution

AWS CodeDeploy

Automates deployments to EC2, Lambda, and ECS
Supports blue/green and rolling deployments

Lab: Create CICD pipeline to deploy serverless S3 hosted webpage

Step-1: Create Pipeline => Build Custom Pipeline
Step-2: Source provider => GitHub (Via GitHub App)
Step-3: Connect to GitHub and choose connection => select repository ==> Select Branch (main)
Step-4: Skip Build Stage
Step-5: Skip Test Stage
Step-6: Deploy => S3 => Choose Bucket => Check: Extract file before deploy
Step-7: Create Pipeline

Validate

Deploy complete on Code Pipepile UI
Change and commit index.html on GitHub
Notice auto-trigger of CodePipeline
Revised webpage now avaialble

Next

Dipali Kulshrestha

Jan 14

AI Services for Developers

#ai #aws #tutorial

Comments

2 min read

Messaging & Event Driven design

Dipali Kulshrestha — Sat, 17 Jan 2026 15:20:23 +0000

Event-driven architecture (EDA) is a modern architecture pattern built from small, decoupled services that publish, consume, or route events.

An event represents a change in state, or an update. For example: an item placed in a shopping cart, a file uploaded to a storage system, or an order becoming ready to ship. Events can either carry the state (such as the item name, price, or quantity in an order) or simply contain identifiers (for example, “order #8942 was shipped”) needed to look up related information.

Unlike traditional request-driven models, EDA promotes loose coupling between producer and consumer services. This makes it easier to scale, update, and independently deploy separate components of a system.

AWS Messaging Services

Amazon SQS (Simple Queue Service)

Fully managed message queue
Used for decoupling application components

Two types:

Standard Queue: At-least-once delivery, best-effort ordering
FIFO Queue: Exactly-once processing, strict ordering

Amazon SNS (Simple Notification Service)

Pub/Sub messaging service
One message → multiple subscribers

Common subscribers:

SQS
Lambda
Email / HTTP endpoints

SNS vs SQS

SNS pushes messages
SQS polls messages
SNS fan-out pattern uses SNS → multiple SQS queues

Amazon EventBridge

Amazon EventBridge is a serverless event bus that facilitates event-driven architectures. It simplifies the process of connecting different services and applications by enabling them to communicate through events. EventBridge routes events from sources such as AWS services, custom applications, and third-party software, delivering them to targets like AWS Lambda, Amazon SNS, Amazon SQS, and more.

EventBridge plays a crucial role in building de-coupled systems, where different components communicate through events. This approach enhances scalability, flexibility, and resilience, as each system component operates independently and reacts to events in real-time.

When to Use What

SQS: Asynchronous processing, buffering

SNS: Fan-out notifications

EventBridge: Event routing across services

LAB 7: Messaging with Amazon SQS

Task: Implement loosely coupled architectures using messaging services

Objective

Decouple application components using SQS
Process messages asynchronously using Lambda
Configure DLQ for failure handling

Architecture

Producer (Lambda / CLI)
Amazon SQS
Consumer (Lambda)
Dead Letter Queue

Steps
Step 1: Create SQS Queue

Navigate to SQS → Create queue

Type: Standard

Visibility timeout: 60 seconds

Create queue

Step 2: Create Dead Letter Queue

Create another SQS queue

Name: order-processing-dlq

Configure DLQ on main queue

Step 3: Create Lambda Consumer

Navigate to Lambda → Create function

Runtime: Python 3.12

Add SQS trigger

Use sample code:

def lambda_handler(event, context):
    for record in event['Records']:
        print(record['body'])

Step 4: Send Message to Queue

aws sqs send-message \
--queue-url "" \
--message-body "Order123"

Validation

Message processed by Lambda

Failed messages move to DLQ

Next

Dipali Kulshrestha

Jan 17

CI/CD for AWS Applications

#automation #aws #cicd #devops

Comments 1

1 min read

AI Services for Developers

Dipali Kulshrestha — Wed, 14 Jan 2026 11:32:10 +0000

Module Objectives

By the end of this module, learners will be able to:

Understand the AWS AI/ML service landscape
Choose between pre-trained AI services vs custom ML
Integrate AI services into applications using SDKs & APIs
Secure AI services using IAM roles
Build event-driven AI workflows
Get introduced to Generative AI on AWS (Bedrock)

AWS AI Services Landscape (Big Picture)

Three Layers of AI on AWS

Applications
│
├── AI Services (Pre-trained)
│ Rekognition, Comprehend, Textract, Transcribe, Polly
│
├── ML Platforms
│ SageMaker AI
│
└── GenAI
Amazon Bedrock

When to Use What
Requirement ===> Best Choice
No ML expertise ===> AI Services
Custom ML models===> SageMaker
GenAI / LLMs ===> Bedrock

2. Pre-Trained AWS AI Services (Core Focus)

These services require NO model training.

3. Amazon Rekognition (Image & Video AI)

What It Does

Image and video analysis
Face detection
Label detection
Content moderation

Common Use Cases

Fraud detection
Identity verification
Content moderation
Developer Integration
API-based
SDK supported

4. Amazon Comprehend (NLP)

What It Does

Sentiment analysis
Key phrase extraction
Entity recognition
PII detection

Use Cases

Customer feedback analysis
Compliance checks
Document classification
Supported Input
Plain text
UTF-8 encoded documents

5. Amazon Textract (Document AI)

What It Does

OCR (text extraction)
Forms and tables
Structured document parsing

Use Cases

**Invoice processing

KYC onboarding

Financial documents**

6. Speech & Language AI

Amazon Transcribe

Speech-to-text
Call center analytics
Supports batch & streaming

Amazon Polly

Text-to-speech
Multiple voices & languages

Common Pattern

S3 → AI Service → Output to S3 / DB

7. Hands-On Lab 1: Text Analysis with Amazon Comprehend
Objective

Analyze sentiment using Comprehend.

Steps

Create IAM role with:

ComprehendReadOnly

Input sample text

Use AWS SDK (Python):

import boto3

client = boto3.client('comprehend')

response = client.detect_sentiment(
    Text="AWS AI services are powerful and easy to use",
    LanguageCode='en'
)

print(response['Sentiment'])

Validation

Sentiment output returned

10. Cost Considerations

Service ===> Pricing Model
Rekognition ===> Per image / minute
Comprehend ===> Per text unit
Textract ===> Per page
Transcribe ===> Per second
Polly ===> Per million characters

11. Intro to Amazon SageMaker AI

What SageMaker Is

End-to-end ML platform
Training, tuning, hosting

When Developers Should Use It

Need custom ML models
Data science involvement
Model lifecycle management

12. Introduction to Generative AI on AWS

Amazon Bedrock

Fully managed GenAI service
Access to foundation models
No infrastructure management

Common Use Cases

Chatbots
Code assistants
Document summarization

13. Hands-On Lab: Bedrock Text Generation

Objective

Generate text using Bedrock.

Steps (High-Level)

Enable Bedrock access
Assign IAM role
Call model using SDK
Capture output

Bedrock text generation via SDK

import boto3
import json

bedrock = boto3.client(
    service_name = 'bedrock-runtime',
    region_name = 'us-east-1'
    )

input = {
  "modelId": "cohere.command-text-v14",
  "contentType": "application/json",
  "accept": "*/*",
  "body": "{\"prompt\":\"Please write a four liner poem on machine learning.\",\"max_tokens\":400,\"temperature\":0.75,\"p\":0.01,\"k\":0,\"stop_sequences\":[],\"return_likelihoods\":\"NONE\"}"
}

response = bedrock.invoke_model(body=input["body"],
                                    modelId=input["modelId"],
                                    accept=input["accept"],
                                    contentType=input["contentType"])

response_body = json.loads(response['body'].read())

print(response_body)

Storage for Developers

Dipali Kulshrestha — Sat, 10 Jan 2026 11:42:51 +0000

Module Objectives

By the end of this module, learners will be able to:

Understand AWS storage services from a developer perspective
Select the right storage option for different application patterns
Use Amazon S3 programmatically and securely
Configure EBS and EFS for compute workloads
Apply IAM permissions and encryption
Handle durability, availability, and cost

1. Overview of AWS Storage Options

Why Multiple Storage Services?

Different applications need:

Object vs file vs block storage
High durability vs low latency
Shared vs single-instance access

Storage Type ==> Service
Object ==> Amazon S3
Block ==> Amazon EBS
File ==> Amazon EFS
Hybrid / Transfer. ==> DataSync, Storage Gateway

2. Amazon S3 (Simple Storage Service)

What is Amazon S3?

Object storage
Virtually unlimited scale
11 9’s durability

Core S3 Concepts

Bucket
Object
Key
Region-scoped buckets
Global namespace

S3 Storage Classes
Class ==> Use Case
Standard. ==> Frequent access
IA ==> Infrequent access
One Zone-IA. ==> Non-critical data
Glacier Instant ==> Archive, quick access
Glacier Flexible. ==> Archive
Glacier Deep Archive. ==>. Lowest cost

🔑 Storage class affects cost, not durability.

S3 Security & Access Control Access Mechanisms

IAM policies
Bucket policies
ACLs (legacy, discouraged)

Encryption Options

SSE-S3
SSE-KMS
Client-side encryption

Public Access

Block Public Access (default ON)
Bucket policy controls

4. Hands-On Lab: S3 for Developers

Objective
download files from S3 using SDK

import boto3

s3 = boto3.client("s3")

bucket_name = "dev-2801"
object_key = "index1.html"

s3.download_file(
    Bucket=bucket_name,
    Key=object_key,
    Filename="index1.html"
)

print("File downloaded")

5. S3 for Application Patterns

Common Developer Use Cases

Static website hosting
Application artifacts
Logs and backups
Data lake

Event-Driven Patterns

S3 → Lambda trigger
S3 → EventBridge

6. Amazon EBS (Elastic Block Store)

What is EBS?

Block storage for EC2
Attached to one instance at a time
Key EBS Concepts
Volume
Snapshot
Availability Zone scoped

Use Cases

Databases on EC2
Boot volumes
Low-latency workloads

Hands-On Lab 2: EBS Volume with EC2 Objective

Attach and mount EBS volume to EC2.

learning-dipali.medium.com

8. Amazon EFS (Elastic File System)

What is EFS?

Managed NFS file system
Shared across multiple EC2 instances
Automatically scales

Key Characteristics

Multi-AZ
POSIX-compliant
Regional service

Use Cases

Shared application data
Content management systems
Microservices shared storage

🔑 EFS supports concurrent access from multiple EC2s.

learning-dipali.medium.com

9. Cost & Performance Considerations

Cost Drivers

Storage amount
Access frequency
Data transfer
API requests (S3)

Performance Factors

S3 prefix distribution
EBS volume type
EFS throughput mode

Next

Dipali Kulshrestha

Jan 19

IAM Fundamentals

#aws #beginners #security #tutorial

Comments

2 min read

3-Day Hands-On Training: Developing on AWS

Dipali Kulshrestha — Sat, 10 Jan 2026 11:30:46 +0000

Audience

Application Developers (Java / .NET / Node / Python)
Senior Engineers transitioning to AWS
Cloud-native & modernization teams

Pre-requisites

Basic programming experience
Basic understanding of web apps & REST APIs
Optional: AWS Cloud Practitioner–level awareness

Delivery Format

30% Concepts
70% Hands-on Labs
Each module → Concepts → Demo → Lab → Review

DAY 1 – Core AWS Development Foundations

Module 1: AWS Development Environment

Concepts

AWS Global Infrastructure (Regions, AZs)
Shared Responsibility Model (Developer focus)
AWS SDKs & CLI

Hands-On Lab

Configure AWS CLI & SDK
Access S3 using SDK (Java/Python)

Outcome
✔ Application access using Application codes
✔ No hard-coded credentials

Module 2: Compute Options for Developers

Concepts

EC2 vs Lambda vs Containers (when to use what)
Amazon EC2 fundamentals
Auto Scaling basics
Load Balancer overview (ALB)

Hands-On Lab

Deploy a simple web app on EC2
Configure Security Groups
Add ALB in front of EC2
Test scaling behavior

Outcome
✔ Choose correct compute for application workloads
✔ Deploy scalable compute layer

Module 3: Storage for Developers

Concepts

Amazon S3 (buckets, objects, lifecycle)
S3 security & encryption
EBS vs EFS vs S3 (developer view)

Hands-On Lab

Upload & retrieve objects from S3 using SDK
Enable versioning & lifecycle rules
Secure S3 with bucket policy

Outcome
✔ Integrate object storage in applications

Module 4: Introduction to IAM

IAM:
- Users, Roles, Policies
- IAM best practices for developers

Hands-On Lab

Create IAM role for application access
Use IAM policy simulator

DAY 2 – Data, Messaging & Application Integration

Module 5: Databases on AWS

Concepts

RDS vs DynamoDB vs Aurora
Choosing the right database
Connection management best practices
Secrets Manager

Hands-On Lab

Create RDS (MySQL/Postgres)
Connect application to RDS
Store DB credentials in Secrets Manager

Outcome
✔ Secure database connectivity
✔ Avoid hard-coded secrets

Module 6: NoSQL DB & High-Scale Applications

Concepts

DynamoDB architecture
Partition keys & indexes
Read/write capacity modes
DynamoDB Streams

Hands-On Lab

Create DynamoDB table
CRUD operations using SDK
Enable Streams

Outcome
✔ Build highly scalable data layer

Module 7: Introduction to Serverless Development

Concepts

AWS Lambda deep dive
Event-driven architecture
Lambda execution model & limits
API Gateway basics

Hands-On Lab

Build a Lambda function
Expose via API Gateway
Test using Postman
Enable logging with CloudWatch

Outcome
✔ Build & expose serverless APIs

Capstone Lab

Build a simple REST API using:

Lambda
API Gateway
S3 for data storage

Module 8: Messaging & Event-Driven Design

Concepts

SQS vs SNS vs EventBridge
Decoupled architectures
Retry & DLQ patterns

Hands-On Lab

Create SQS queue
Publish messages from Lambda
Process messages asynchronously
Configure DLQ

Outcome
✔ Build resilient, decoupled systems

DAY 3 – Networking & CI/CD for AWS Applications

Module 9: Networking concepts in AWS

Concepts

Overview of VPC
Components of VPC
IP Addressing
VPC Models

Module 10: AWS Well-Architected Framework

Concepts
6 Pillars overview
Developer responsibility per pillar
Common anti-patterns

Module 11: CI/CD for AWS Applications

Concepts

CI/CD on AWS
CodeCommit, CodeBuild, CodePipeline
Infrastructure as Code

Hands-On Lab

Create CI/CD pipeline
Build & deploy Lambda automatically
Version application releases

Outcome
✔ Automated build & deployment

Module 12: AWS AI Services

AI Services spectrum in AWS

Next

AWS Development Environment

Dipali Kulshrestha ・ Jan 10

#architecture #aws #security

Compute options for Developers

Dipali Kulshrestha — Sat, 10 Jan 2026 11:22:16 +0000

Module Objectives:

By the end of this module, learners will be able to:

Compare AWS compute services from a developer’s perspective
Choose the right compute option for different application patterns
Deploy applications using EC2, Lambda, and Containers
Understand scaling, availability, and pricing implications
Apply IAM roles to compute services securely

1. Overview of AWS Compute Options

Why Multiple Compute Options?

AWS provides multiple compute services to support:

Different levels of abstraction
Different operational responsibilities
Different cost and scaling models

Compute Spectrum
On-Prem → EC2 → Containers → Lambda
More Control ←────────────→ Less Control
More Ops ←────────────→ Less Ops

2. Amazon EC2 (Elastic Compute Cloud)

What is EC2?

Virtual servers in the cloud
Full OS-level control
Developer manages OS, runtime, scaling

Key EC2 Concepts

Instance types (general, compute, memory optimized)
AMI (Amazon Machine Image)
Security Groups
Key pairs
User Data

EC2 instance pricing

On-demand:

Low cost and flexibility of EC2 without any up-front payment or long term commitment
Applications with short term, spiky, or unpredictable workloads that cannot be interrupted

Reserved:

Applications with steady state or predictable usage
Users can make up-front payments to reduce their total computing costs even further
Standard Reserved Instances (RIs) provide up to 75% off on-demand price

Spot:

Applications that can be interrupted or only feasible at very low compute prices
Users with an urgent need for a large amount of additional compute capacity
If Amazon terminate your instances you do not pay, if you terminate you pay for the hour

Dedicated hosts:

Useful for regulatory requirements that may not support multi-tenant virtualization
Can be purchased on-demand (hourly) or Reserved for up to 70% off the on-demand price

Developer Use Cases

Legacy applications
Custom runtimes
Long-running services
Lift-and-shift workloads

EC2 Scaling & Availability

Manual scaling
Auto Scaling Groups (ASG)
Multi-AZ deployments

🔑 EC2 does not scale automatically unless ASG is configured.

3. Hands-On Lab 1: Launch EC2 Application

Objective
Deploy a simple web application on EC2.

Steps

Launch EC2 instance (Amazon Linux)
Attach IAM role (S3 read-only)
Configure Security Group (HTTP + SSH)
Use User Data:

!/bin/bash

yum install -y httpd
systemctl start httpd
echo "Hello from EC2" > /var/www/html/index.html

Access via public IP

Validation

Web page loads
No credentials configured on instance

4. AWS Lambda (Serverless Compute)

What is Lambda?

Event-driven, serverless compute
No server management
Automatic scaling

Key Lambda Concepts

Function
Handler
Runtime
Execution role
Timeout & memory

Supported Triggers

API Gateway

S3
DynamoDB
EventBridge etc

Lambda Execution Model

Stateless
Short-lived
Pay per execution

🔑 Lambda has 15-minute max execution time. For longer execution needs, use Lambda durable functions.

5. Hands-On Lab 2: Build a Lambda Function

Objective

Create a Lambda function triggered by API Gateway.

Steps

Create IAM role for Lambda

AWSLambdaBasicExecutionRole

Create Lambda function (Python)

Add code:

def lambda_handler(event, context):
return {
'statusCode': 200,
'body': 'Hello from Lambda'
}

Configure API Gateway trigger
Test endpoint

Validation

HTTP endpoint returns response
Logs visible in CloudWatch

6. Containers on AWS (ECS & EKS – Developer View)

Why Containers?

Portable runtime
Consistent environments
Faster deployments

Amazon ECS (Elastic Container Service)

AWS-managed container orchestration
Easier than Kubernetes
Integrates deeply with IAM

Launch Types:

EC2
Fargate (serverless containers)

Amazon EKS (Brief)

Managed Kubernetes
More control, more complexity

7. Hands-On Lab 3: Run Container on ECS Fargate

Objective

Deploy a containerized application without managing servers.

Steps

Create ECS cluster (Fargate)
Create task definition
Public sample image
Assign IAM task role
Run service
Access application via ALB
Validation
Container running
Logs in CloudWatch
No EC2 instances created

8. Choosing the Right Compute Option

Decision Table

Requirement ====> Best Choice
Full OS control ====> EC2
Event-driven, short tasks ====> Lambda
Containerized app ====> ECS
No server management ====> Lambda / Fargate
Long-running job ====> EC2 / ECS

9. IAM Integration with Compute

IAM Roles by Compute Type

EC2 → Instance Profile

Lambda → Execution Role

ECS → Task Role

🔑 Never use access keys in compute services.

10. Pricing Model Comparison

Service Pricing Model
EC2 Per second/hour
Lambda Per invocation + duration
ECS (EC2) Underlying EC2
Fargate vCPU + memory

11. AWS Load balancer

A load balancer distributes incoming application traffic across multiple EC2 instances in multiple Availability Zones. This increases the fault tolerance of your applications.

Load balancer serves as a single point of contact for clients.

Elastic Load Balancing detects unhealthy instances and routes traffic only to healthy instances.
This increases the availability of your application.
Add/remove instances from load balancer as needs change, without disrupting the
overall flow of requests to your application.
Elastic Load Balancing scales your load balancer as traffic to your application changes over time.

12. Amazon VPC Overview

Introduction

Amazon Virtual Private Cloud (VPC) provides network isolation and control for AWS resources. While developers do not design full network topologies, basic VPC knowledge is essential for application deployment, connectivity, and troubleshooting in the DVA-C02 exam.

Key Concepts

VPC

A logically isolated virtual network within an AWS Region

Defined by an IPv4/IPv6 CIDR block

Every AWS account has a default VPC per Region

Subnets

Subnets are created within a single AZ

Public subnet:

Has route to an Internet Gateway

Used for ALB, bastion hosts

Private subnet:

No direct internet access

Used for application servers, Lambda (VPC-enabled), databases
Internet Gateway (IGW)

Enables communication between VPC resources and the internet

Required for public subnets

Route Tables

Control traffic routing for subnets

Determine whether traffic stays internal or goes to IGW / NAT

NAT Gateway

Allows outbound internet access for resources in private subnets

Common for patching, external API calls
Security Groups vs NACLs (Exam Focus)

Security Groups

Stateful

Attached to resources (EC2, ALB, Lambda ENIs)

Network ACLs

Stateless

Applied at subnet level

Developer-Relevant Scenarios

Lambda accessing RDS in a private subnet

EC2 instances behind an ALB

Troubleshooting connectivity (timeouts vs permission errors)

Next

Dipali Kulshrestha

Jan 10

Storage for Developers

#architecture #aws #developer #learning

Comments 1

2 min read

AWS Development Environment

Dipali Kulshrestha — Sat, 10 Jan 2026 11:22:07 +0000

Module Objectives

By the end of this module, participants will be able to:

Introduction
Set up a secure AWS development environment
Configure CLI & SDK access securely

Introduction: AWS Global Infrastructure

Key Concepts

AWS Regions

A Region is a geographical area with multiple, isolated Availability Zones

Examples: us-east-1, eu-west-1, ap-south-1

Developers choose Regions based on:

Latency
Compliance & data residency
Service availability

Availability Zones (AZs)

An AZ is one or more physically separate data centres within a Region

AZs are:

Connected via high-speed, low-latency links
Isolated to prevent failure propagation

Best practice:

Deploy applications across multiple AZs for high availability

Edge Locations

Used by services such as:

Amazon CloudFront
AWS WAF
AWS Shield

Purpose:

Reduce latency by serving content closer to users
Improve performance for global applications

Regional vs Global Services (Developer View)

Global services:

IAM
Route 53
CloudFront

Regional services:

EC2, Lambda, RDS, DynamoDB

1. AWS Development Environment – Overview

A controlled AWS setup that allows developers to:

Write, build, test, and deploy applications
Access AWS services securely
Use automation tools (CLI, SDK, IaC)

Typical Components

AWS Account (or sandbox)
IAM Users / Roles
AWS Management Console
AWS CLI
SDKs (Java, Python, Node.js, etc.)
CloudShell / Cloud9 (optional)
Source control (GitHub / CodeCommit)

2. AWS Account & Environment Setup

Why not to use root account for development. Root account has unrestricted access – IAM policies do NOT apply to root.

Common models:

Single Account (training / sandbox)
Multi-Account (prod, non-prod, dev) – mention AWS Organizations
Root Account – Best Practices
Enable MFA
Do not use root for daily tasks
Secure root credentials

7. Development Access Options

AWS Management Console

Browser-based
For learning, debugging, configuration

AWS CLI

Used for automation and scripting
Uses IAM credentials or roles

AWS SDKs

Used in application code
Automatically picks credentials from environment

Credential resolution order (important concept):

Environment variables
Shared credentials file
IAM role (EC2/Lambda)
Default profile

8. AWS CloudShell

Browser-based shell
Pre-configured AWS CLI
Uses IAM permissions automatically

Benefits

No local setup
Secure
Ideal for training labs

Lab: Configure AWS CLI Securely

Objective

Set up AWS CLI using IAM user credentials.

Steps

Install AWS CLI
Run:aws configure

Provide:
Access Key
Secret Key
Region

Verify:

aws sts get-caller-identity

Security Note

Explain .aws/credentials file and risks.

Hands on Lab Prerequisites:

pip3 install boto3
aws configure

Lab: Create script to list bucket(vi or any editor)

import boto3

def list_buckets():
    s3 = boto3.client('s3')
    response = s3.list_buckets()

    print("S3 Buckets:")
    for bucket in response['Buckets']:
        print(f"- {bucket['Name']}")

if __name__ == "__main__":
    list_buckets()

Next

Dipali Kulshrestha

Jan 10

Compute options for Developers

#architecture #aws #devops

Comments

4 min read

Unlock & Share data Securely with Amazon Datazone

Dipali Kulshrestha — Fri, 24 May 2024 13:36:18 +0000

Introduction:

In today's data-driven world, organizations of all sizes – small, medium, and large – are striving to become more data-centric. They want to empower everyone with the power of data, but this becomes increasingly challenging as organizations grow.

Common Pain Points:

Finding the Right Data: Struggling to locate relevant data sets within the vast amount of information.
Data Trust & Ownership: Difficulty in verifying data integrity and identifying data owners.
Querying Diverse Data Sources: Challenges in querying data from various sources and formats using preferred tools.
Secure Collaboration & Governance: Lack of a secure way to share data analysis while ensuring proper governance across different data sources and tools.

Financial Services Use Case:

Let's consider a financial services company undergoing a digital transformation journey. They envision a scenario where data is:

Searchable & Accessible: Easy to find and use by everyone.
Trusted & Reliable: Data integrity is verifiable, and owners are clearly identified.
Simpler to Use: Enables efficient data utilization through user-friendly tools.
Catalyst for Innovation: Drives transformation and empowers data-driven decision-making.
Maximizes Reuse: Encourages data sharing and collaboration across teams.

Solution: Amazon DataZone as a Data Marketplace

To achieve these goals, Amazon DataZone offers a modern data ecosystem that connects data producers and consumers within the organization. It functions as a secure data marketplace where users can:

Access & Share: Find and share data products in a governed manner.
Enhanced Collaboration: Facilitate faster, simpler, and secure collaboration between data producers and consumers.
Real-Time Decision Making: Empower real-time insights and data-driven decisions.

Implementation: Multi-Account Setup with DataZone

We can leverage a multi-account setup within AWS to implement DataZone. This ensures data producers and consumers have dedicated AWS accounts while enabling secure data collaboration facilitated by DataZone.

Benefits:

Improved Data Findability: Easy discovery of relevant data sets.
Enhanced Data Trust: Clear data ownership and verifiable data integrity.
Unified Data Access: Query data from various sources and formats using preferred tools.
Secure Collaboration & Governance: Streamlined data sharing with built-in governance controls.
Faster Decision Making: Empowers data-driven decision making with real-time insights.

Technical Architecture

Data lake in a data producer account (where data assets are available)
Then we have a central Governing Datazone Account
And, thirdly we have Consumer's accounts who wants to consume datalake data available in producer's account

This is how the technical architecture looks like:

Demo to produce or consume data is available at:
https://drive.google.com/file/d/1-LwVLzUgf1W_j8suf_hZ3l1ZJchVOlR4/view?usp=sharing

Conclusion:

Amazon DataZone unlocks the power of data within your organization. It creates a secure and collaborative environment for data producers and consumers, ultimately driving innovation and data-driven success.

How to use Bitnami Wordpress Marketplace AMIs

Dipali Kulshrestha — Sat, 08 May 2021 07:52:05 +0000

This tutorial is to use Bitnami Wordpress Application available at Amazon Marketplace.
This is a blogging application and has web and database server running on same machine. As part of this exercise we will do the following.
Part-1: Run the application as-is and post comments and view the data flow via database client.
Part-2: Migrate the database from traditional MySQL to Amazon RDS and change the configurations to redirect the web application to use newly created RDS.
Lets get in action…

Part-1: Run application as-is
Step 1: Go to EC2 dashboard and Create a new keypair - training
Step 2: Create ec2 instance using Marketplace AMI for bitnami wordpress "WordPress Certified by Bitnami and Automattic"

Check for usage instructions:
Few important things to note here:
a) The default server administrator is 'user'
b) Documentation Link to get password: https://docs.bitnami.com/aws/faq/get-started/find-credentials/
c) You can also access your instance via SSH using the username 'bitnami' and your Amazon private key
Hit Continue and complete the instance creation process using key pair created in step-1
Step 3: ssh to your instance, grab the public DNS and follow instructions below:
Open putty and save the public DNS:
Make following configurations in putty:
a) Select keypair under SSH=>Auth
b) open a tunnel to access db client phpmyadmin available on the same server: Go to SSH=>Tunnels
source port: 8888
Destination: localhost:80
Click on Add
c) Go to Connection => data
Data: Auto-login username = bitnami
Make sure all the three configurations you just made are still there and then click on open. It will launch the server as below:
Step 4: Now, once you ssh-ed to this instance, next step to get the password for running application. to get that run following command
cat ./bitnami_credentials

Note the username 'user' and its password
Step 5: Now check the front end application by using public dns via browser:
you should be able to see something like:
Now, post or reply to some blog. e.g.
Go to Recent Posts, Click on Hello World and reply like:
Click on post comment button
Step 6: Now log in to the DB Client and identify the comment posted in step-5
(phpadmin is already installed at this server, for which have the settings while connecting via putty). Access following via web browser:
http://localhost:8888/phpmyadmin
Since, we are trying to access database, we will use username as 'root' and password as per step 4 via "cat ./bitnami_credentials"
You are now logged on to the database whwre database name is "bitnami_wordpress"
Expand and check wp_comments table.
We can see our comment at row#2.
So, till here we are able to access the web application and database and can also see the data flow.
Part 2: Migrate the DB to RDS
Now, in 2nd part we will migrate this Mysql database to Amazon RDS. For that export this 'bitnami_wordpress' database and later we will import this into RDS so web application has exactly same backend.
Step 1: Export the database 'bitnami_wordpress'
Click on Database, then click on Export and export it with SQL format.
it will download binami_worpress.sql file to your downloads.
Step 2: Create RDS instance (via AWS Management console)
Go to Databases => Create Database
In Engine options => choose MySQL
Leave the default version. And, choose Free tier Template
in Settings => DB Instance identifier define as: wordpress2
Credentials: Master username: admin , Master Password: Welcome1 (confirm as well)
DB instance size, storage, Availability: leave default
Connectivity: Default VPC
Expand, Additional connectivity configuration: choose Public access as 'Yes'
Choose 'default' security group and DB port will be 3306
Go to Additional Configurations
provide initial database name as: wordpress2
Rest leave default and click on ' Create Database'
it normally takes 10–15 min.
Once the status is available, check the details
Connectivity & security: Note the Database endpoint
In new tab, go to the EC2 dashboard and note Public and Private IPs of the EC2 instance.
Come back on RDS database details and Click on the security group to open in new tab.
Go to inbound rules => Edit inbound rules
Add following three rules:
Type:MySQL/Aurora, Port range: 3306, Custom, 0.0.0.0/0
Type:MySQL/Aurora, Port range: 3306, Custom,
Type:MySQL/Aurora, Port range: 3306, Custom,

Save rules.
Step 3: Now, Change the phpMyAdmin configuration to point to the RDS database in step-2. Go to EC2 instance and perform following steps
sudo su cd /opt/bitnami/apps/phpmyadmin/htdocs/ chmod 777 config.inc.php
Open this config.inc.php with your preferred editor e.g. vi or nano

'
vi config.inc.php
'
Go to the end of file (in vi, you can use shift+G), press 'o' to add a new line in the end.
copy-paste following in the end of file. Make sure to replace database endpoint at line 3. To paste you can use Shift+Insert or Shift+rightclick

$i++; $cfg['Servers'][$i]['verbose'] = 'Amazon RDS'; $cfg['Servers'][$i]['host'] = 'wordpress2.cdwwbxbm9nrk.us-east-1.rds.amazonaws.com'; $cfg['Servers'][$i]['port'] = '3306'; $cfg['Servers'][$i]['socket'] = ''; $cfg['Servers'][$i]['connect_type'] = 'tcp'; $cfg['Servers'][$i]['extension'] = 'mysqli'; $cfg['Servers'][$i]['auth_type'] = 'cookie'; $cfg['Servers'][$i]['AllowNoPassword'] = false;

Now to save file. Press Esc, then :wq (write & quit)
Change the file permissions back

chmod 644 config.inc.php

Now, go to phpMyAdmin client via browser: http://localhost:8888/phpmyadmin/index.php
At login screen, provide the RDS credentials ie
user: admin, Password: Welcome1, Server Choice: Amazon RDS
At this stage, you are connected to DB client which is pointing to Amazon RDS.
Step 4: Now let's import the database which we exported in Step1
in phpMyAdmin, click on your database name 'wordpress2', and then click on "import", choose file bitnami_wordpress.sql from your downloads
And, click on Go. It will import all tables & data as exported from original database.
Step 5: So far we have fixed the db client myphpadmin to point to new DB, Now, we also need to point our web application to talk to new RDS instance.
To do that, perform following steps:
From EC2 command prompt

cd /opt/bitnami/apps/wordpress/htdocs chmod 777 wp-config.php vi wp-config.php

in first section of this file update the DB details [DBName, User, Password, Host]:

/** The name of the database for WordPress *//** MySQL database username *//** MySQL database password *//** MySQL hostname *//** Database Charset to use in creating database tables. *//** The Database Collate type. Don't change this if in doubt. */ define( 'DB_NAME', 'wordpress2' ); define( 'DB_USER', 'admin' ); define( 'DB_PASSWORD', 'Welcome1' ); define( 'DB_HOST', 'wordpress2.cdwwbxbm9nrk.us-east-1.rds.amazonaws.com' ); define( 'DB_CHARSET', 'utf8' ); define( 'DB_COLLATE', '' );
Save the file and change the file permissions back.
chmod 644 wp-config.php

Try to access application via Public DNS.
Post new comment and check in DB via phpMyAdmin.
Now we are done with this excercise. Make sure to delete RDS instance and EC2 instance to avoid un-necessary charges

Containerize Microservice with Amazon ECS and Application Load Balancer

Dipali Kulshrestha — Sat, 08 May 2021 07:19:00 +0000

In this tutorial, we will create a python based microservice and will deploy on to Amazon ECS along with Application Load Balancer with dynamic port mapping. Here we will create three images of microservice which will run behind an Application Load Balancer on ECS.
To achieve this we will perform following steps:
Step1: Create microservice app [3 separate apps to see the ALB effect]
Step 2: Create Dockerfile(s)
Step3: Create ECR Repository and push images to ECR
Step4: Create ECS cluster
Step5: Create Task Definition & add container information
Step6: Create Service to run the Task definition
Step7: Create Application Load Balancer
Step8: Fix security group settings
Step9: Complete creation of service by providing ALB name
Step10: Verify the running services
Step11: Delete resources (ECS Cluster, Load Balancer)
Here we are creating a sample python based simple 'Hello World' microservice app. Lets write its code in index.py using flask which is a small HTTP server for python apps

index.py

from flask import Flask app = Flask(__name__) @app.route("/service-1") def hello(): return "Hello World from service-1!" if __name__ == "__main__": app.run(host="0.0.0.0", port=int("5001"), debug=True)

Dockerfile

FROM python:alpine3.7 COPY . /app WORKDIR /app RUN pip install -r requirements.txt EXPOSE 5001 ENTRYPOINT ["python","./index.py"]

Where FROM directive is to tell Docker that which base image is to take from Docker Hub.
COPY directive moves the application into the container image
WORKDIR sets the working directory
RUN directive is calling PyPi(pip) to install dependencies available in file: "requirements.txt"
EXPOSE directive is to expose a port to be used by flask
ENTRYPOINT command is to execute the actual application script

requirements.txt
Check if Docker is available on machine
docker --version
Steps to install Docker on Linux ec2 (if not already available)
install docker on ec2: sudo yum update -ysudo usermod -a -G docker ec2-user==> login again sudo yum install -y docker sudo service docker start exit docker info docker --version
So by now we have created index.py, requirements.txt, Dockerfile for our first microservice service-1 which is set to run at 5001 port. Similarly create service-2 and service-3 on ports 5002 and 5003 respectively.
Now lets create the Elastic Container repository (ECR) repository and create and push images to that repository.
Go to the AWS management console and open ECR dashboard,provide the repository name as 'microservices-repo' and leave everything default and click on create repository.
Now select the repository and click on 'View Push Commands' option
Which will give you the commands to Login (via CLI), Create image, Create tag and push tag to ECR repository
Ensure you have awscli version2 configured

To check cli version you can run: aws --version
Else, run 'aws configure' and use access key and secret key to configure the same.
I have used following commands to create and push the three images to ECR repo.

`
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 16xxxxxx.dkr.ecr.us-east-1.amazonaws.com
docker build -t microservices-repo:service-1 .
docker tag microservices-repo:service-1 16xxxxxx.dkr.ecr.us-east-1.amazonaws.com/microservices-repo:service-1
docker push 16xxxxxx.dkr.ecr.us-east-1.amazonaws.com/microservices-repo:service-1

aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 16xxxxxx.dkr.ecr.us-east-1.amazonaws.com
docker build -t microservices-repo:service-3 .
docker tag microservices-repo:service-3 16xxxxxx.dkr.ecr.us-east-1.amazonaws.com/microservices-repo:service-3
docker push 16xxxxxx.dkr.ecr.us-east-1.amazonaws.com/microservices-repo:service-3
`
Once we have clearly tagged images in to the repository, Next step is to create ECS cluster
Go to the Amazon ECS dashboard => Cluster =>Create Cluster and consider following configurations while cluster creation:
Select Cluster template as "EC2 Linux + Networking"
Provide cluster name as 'microservices-cluster'
choose EC2 instance type as 't3.small'
Number of instances '2'
and leave rest everything as default.
it will create a Cluster with 2 EC2 instances in a new VPC and a new security group with name starting from 'EC2ContainerService….'
From the ECS dashboard go to Task Definition => Create New Task Definition with launch type as EC2
Name: service-1-td, and click on Add Container (refer snapshot below)
Now use following configurations to add container:
Container Name: service-1-cont
image: image URI of service-1 tag from ECR
Memory Limit: Soft Limit - 512
Port mapping: 80 => 5001
then click on Add
Snapshot below for reference:
Then click on create for Task definition to get created.
Similarly create 2 more Task definitions for service-2 and service-3
The only difference will be in the container port mapping. here to allow dynamic post mapping via ALB, we will map port 0 to 5002 and 0 to 5003. Please refer snapshot below:
Once, we have Task Definition ready, its time to create Service (which will be run using task definition template created in this step.
Open the cluster and click on 'Create' under Services tab
Consider following service configurations:
Launch type: EC2
Task Definition: service-1-td
service name: service-1
No. of tasks: 1
Choose Task Placement as 'BinPack' and Click on 'Next Step'. Under Load balancing we need to use Application Load Balancer. For which we need to create and ALB first.
In New tab, Open EC2 console and go to the 'Load balancer' While ALB creation, it is very important to create this ALB in the same VPC as of ECS cluster, use following configurations for ALB:
Name: microservicesLB
Listeners: HTTP : 80
VPC: (choose VPC as of ECS cluster) and select AZs
Then click on "Configure Security Settings" and then "Next: Configure Security Groups"
Create new Security Group named: MicroservicesLB-SG
Now, Click on "Next: Configure Routing"
Create New Target Group with Name: MicroservicesLB-TG
Then, Click on "Next: Register Targets"
Here, we do not need to register any targets (as these will be registered via ECS), Simply click on "Next: Review" and then "Create"
Once Load balancer is created, Note down (copy) the Security group id of this load balancer
Click on this Security group id, it will take you to the Security Groups page under EC2
Open the EC2 container service security group, and edit inbound rules to allow traffic from Load balancer security group with All TCP protocol and save rule.
Now, Come back to the service creation tab. under Load Balancing section choose Application Load balancer and select the load balancer name just created. Also ensure Container name:Port mapping already populated with correct port
Now, Click on "Add to Load balancer"
Choose following configuration in 'Container to Load balance' section
Production Listener Port: 80:HTTP
Leave the default Target group name
Make sure Path pattern exactly matches with the end-point in your application script (index.py) followed by /*
Provide Evaluation order as 1 or 2 or 3 for service-1, service-2, service-3 respectively
Health check path should also be the same as end-point
Click on Next step =>Next Step and Create Service
Once the service is created, pick the DNS of ALB followed by /service-1 (service-2 or service-3)
it should display the running application with message: Hello World from Service-1!
e.g. refer snapshot below:
Step11: Delete resources (ECS Cluster, Load Balancer)
Go to ECS Dashboard => open cluster => Delete Cluster
Go To Load Balancer via EC2 => Select Load Blancer =>Actions =>Delete