DEV Community: Ilyas Rufai The latest articles on DEV Community by Ilyas Rufai (@rufilboss). https://dev.to/rufilboss https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F548489%2F0921b258-f827-4615-a9cf-d5c6f016875b.jpg DEV Community: Ilyas Rufai https://dev.to/rufilboss en IAM Role Design Patterns for Multi-Account AWS Environments Ilyas Rufai Wed, 24 Jun 2026 04:09:26 +0000 https://dev.to/rufilboss/iam-role-design-patterns-for-multi-account-aws-environments-3eng https://dev.to/rufilboss/iam-role-design-patterns-for-multi-account-aws-environments-3eng <p>Your team starts with one AWS account. Six months later, you have five: production, staging, shared services, security, and a sandbox nobody remembers creating. Someone creates an <code>Admin</code> IAM user in each account. CI/CD stores access keys in three different secret stores. An auditor asks who assumed full access in production last Tuesday, and the answer is a spreadsheet.</p> <p>Multi-account AWS is a security win, but only if <strong>access is role-based, scoped, and observable</strong>. Copying single-account IAM habits into an organization creates credential sprawl, unclear blast radius, and reviews that fail the moment someone says "shared admin user."</p> <p>In this article, you will learn five IAM role design patterns that scale across AWS Organizations, when to use each one, and how to implement them with trust policies, guardrails, and Terraform.</p> <p><strong>Who this is for:</strong> Platform engineers, DevSecOps engineers, and cloud architects building or maturing multi-account AWS environments.</p> <p><strong>What you will learn:</strong> How to design roles for humans, automation, audit, cross-account resources, and third-party access, without defaulting to long-lived keys or duplicated admin policies.</p> <p><strong>Prerequisites:</strong></p> <ul> <li>Basic familiarity with IAM roles and policies</li> <li>An AWS Organization (or plans to adopt one)</li> <li>Optional: Terraform for the implementation snippets</li> </ul> <p><strong>Related work:</strong> If you are new to role-based EC2 access in a single account, start with <a href="https://dev.to/rufilboss/terraform-ec2-and-s3-upload-access-a-simple-iam-role-setup-without-access-keys-4k99">Terraform EC2 and S3 Upload Access</a>.</p> <h2> TL;DR </h2> <ul> <li>Use <strong>IAM Identity Center</strong> (successor to AWS SSO) for human access across accounts, not IAM users in every account.</li> <li>Give CI/CD a <strong>dedicated role in a tooling account</strong> that assumes <strong>short-lived deployment roles</strong> in workload accounts.</li> <li>Centralize audit with <strong>read-only cross-account roles</strong> into a security/logging account wired to CloudTrail and AWS Config.</li> <li>For shared resources (S3, KMS), combine <strong>resource policies</strong> with <strong>role trust</strong> and do not make roles overly broad to "make it work."</li> <li>Lock the org with <strong>Service Control Policies (SCPs)</strong>; use <strong>permission boundaries</strong> on custom roles so teams cannot escalate past intent.</li> <li>Every cross-account trust policy should name a <strong>specific principal</strong>, add <strong>conditions</strong> (<code>aws:PrincipalOrgID</code>, <code>aws:PrincipalAccount</code>), and be visible in CloudTrail.</li> </ul> <h2> Why single-account IAM thinking fails at scale </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Habit from one account</th> <th>What breaks in multi-account</th> </tr> </thead> <tbody> <tr> <td>IAM users with access keys per engineer</td> <td>Keys multiply; rotation and offboarding become error-prone</td> </tr> <tr> <td>One <code>AdministratorAccess</code> role cloned everywhere</td> <td>No separation between prod and sandbox; blast radius is the whole org</td> </tr> <tr> <td>CI/CD keys stored per environment</td> <td>Leaked key in staging can affect production if policies are loose</td> </tr> <tr> <td>"We'll clean it up later" bucket policies</td> <td>Cross-account access becomes permanent <code>Principal: "*"</code> debt</td> </tr> </tbody> </table></div> <p><strong>Key idea:</strong> In multi-account AWS, identity lives in one place, authorization is <strong>scoped per account and per job function</strong>, and guardrails apply <strong>above</strong> IAM with SCPs.</p> <h2> Reference account model </h2> <p>You do not need a perfect landing zone on day one, but roles make more sense when accounts have intent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Organization ├── Security OU │ └── security-audit (log archive, read-only aggregation) ├── Infrastructure OU │ └── shared-networking (optional) ├── Workloads OU │ ├── prod │ ├── staging │ └── dev └── Sandbox OU └── sandbox </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fkfy361cpw03qpz9g9zzg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fkfy361cpw03qpz9g9zzg.png" alt="AWS Organizations OU hierarchy with security, workload, and sandbox accounts" width="800" height="533"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F6fz4c5e7vzsps8iwi0l3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F6fz4c5e7vzsps8iwi0l3.png" alt="Multi-account IAM role patterns across security, tooling, and workload accounts" width="800" height="533"></a></p> <p>Each pattern below maps to a <strong>different trust direction</strong>. Mixing them into one "super role" is the most common design mistake.</p> <h2> Pattern 1 — Human access with IAM Identity Center </h2> <p><strong>Use when:</strong> Engineers, operators, or auditors need console or CLI access to multiple accounts.</p> <p><strong>Do not:</strong> Create IAM users in every account and email access keys.</p> <p>IAM Identity Center issues short-lived credentials via permission sets mapped to groups (for example, <code>PlatformAdmins</code>, <code>Developers</code>, <code>ReadOnlyAuditors</code>). AWS automatically creates corresponding roles in member accounts.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F2iavgq2tnw0gpy8csq1z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F2iavgq2tnw0gpy8csq1z.png" alt="IAM Identity Center human access flow across permission sets and member accounts" width="800" height="533"></a></p> <p><strong>Design rules:</strong></p> <ol> <li>Map job function to permission sets, not individuals to admin.</li> <li>Prefer <code>ReadOnlyAccess</code> or custom read sets for most engineers; reserve power access for break-glass workflows.</li> <li>Use account assignments so <code>Developers</code> get <code>PowerUserAccess</code> in <code>dev</code> but <code>ReadOnlyAccess</code> in <code>prod</code>.</li> <li>Enable IAM Identity Center in the <strong>management account</strong> (or a dedicated identity account if your org design uses one).</li> </ol> <p><strong>Verification signal:</strong> A user in the <code>Developers</code> group can open the <code>dev</code> account console but receives <code>AccessDenied</code> when attempting the same action in <code>prod</code>.</p> <p>IAM Identity Center → Permission sets; predefined<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fzg4vlwn4gugcbr785075.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fzg4vlwn4gugcbr785075.png" alt="IAM Identity Center Predefined1" width="800" height="376"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F8bvemldgtnpy2pb21oro.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F8bvemldgtnpy2pb21oro.png" alt="IAM Identity Center Predefined2" width="800" height="376"></a></p> <p>IAM Identity Center → Permission sets; custom<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fp6ow7ogpy5eo0kp0bl1v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fp6ow7ogpy5eo0kp0bl1v.png" alt="IAM Identity Center Custom" width="800" height="376"></a></p> <h2> Pattern 2 — CI/CD deployment role (tooling → workload) </h2> <p><strong>Use when:</strong> GitHub Actions, GitLab CI, Jenkins, or CodePipeline deploys infrastructure or applications into workload accounts.</p> <p><strong>Trust flow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Tooling account (CI role) | | sts:AssumeRole v Workload account (deployment role) | v Deploy EC2 / ECS / Lambda / Terraform resources </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F11ox6srmv0neaobyoxug.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F11ox6srmv0neaobyoxug.png" alt="CI/CD deployment role trust flow from tooling account to workload account" width="800" height="533"></a></p> <h3> Trust policy in the workload account (deployment role) </h3> <p>This role lives in <strong>production</strong> (or staging) and trusts a <strong>specific role</strong> in the tooling account, not the whole organization.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowToolingDeployRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::111111111111:role/github-actions-deploy"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:PrincipalOrgID"</span><span class="p">:</span><span class="w"> </span><span class="s2">"o-a1b2c3d4e5"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Permissions policy on the deployment role (example) </h3> <p>Scope to what the pipeline actually does, not <code>AdministratorAccess</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DeployApplicationStack"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ec2:Describe*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ecs:UpdateService"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ecs:DescribeServices"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:PassRole"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"iam:PassedToService"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ecs-tasks.amazonaws.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Terraform: workload account role </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"tooling_account_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"organization_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"tooling_deploy_role_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"github-actions-deploy"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"workload_deploy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"deployment-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"AllowToolingDeployRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${var.tooling_account_id}:role/${var.tooling_deploy_role_name}"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"aws:PrincipalOrgID"</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">organization_id</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p><strong>Design rules:</strong></p> <ol> <li>One deployment role per environment (<code>deployment-role-prod</code>, <code>deployment-role-staging</code>).</li> <li>CI authenticates to the tooling account first (prefer <strong>OIDC federation</strong>, not stored keys).</li> <li>Pipeline assumes the workload role immediately before deploy steps.</li> <li>Add <code>aws:PrincipalAccount</code> if multiple accounts exist in the org and you want extra-tight trust.</li> </ol> <p><strong>Verification signal:</strong> CloudTrail shows <code>AssumeRole</code> from the tooling role ARN into the workload deployment role, followed only by expected API calls, no stray <code>iam:CreateUser</code>.</p> <h2> Pattern 3 — Central audit and security read role </h2> <p><strong>Use when:</strong> A security account aggregates CloudTrail, AWS Config, GuardDuty, or Security Hub findings from member accounts.</p> <p><strong>Trust flow:</strong> Member accounts expose a <strong>read-only role</strong> that the security account (or a security automation role) can assume, or use organization-wide services (Security Hub, GuardDuty delegated admin) where applicable.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fjfzllesomm2xzpufgt7e.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fjfzllesomm2xzpufgt7e.png" alt="Central audit read role flow from member accounts to security account" width="800" height="533"></a></p> <p>Example member-account role trust:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::999999999999:role/security-read-automation"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:PrincipalOrgID"</span><span class="p">:</span><span class="w"> </span><span class="s2">"o-a1b2c3d4e5"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Attach a read-only policy (<code>SecurityAudit</code> or tighter custom read).</p> <p><strong>Design rules:</strong></p> <ol> <li>Security account is for <strong>read and detect</strong>, not daily deploys.</li> <li>Prefer organization-level service delegation (GuardDuty, Security Hub) where available instead of hundreds of custom trust relationships.</li> <li>Log every cross-account assumption; alert on unexpected principals.</li> </ol> <p><strong>Verification signal:</strong> A security account can describe Config rules in member accounts but cannot <code>ec2:TerminateInstances</code>.</p> <h2> Pattern 4 — Cross-account resource access (S3 and KMS) </h2> <p><strong>Use when:</strong> A workload in account A must read/write a bucket or key in account B (logs, artifacts, shared datasets).</p> <p><strong>Do not:</strong> Give the compute role in account A <code>s3:*</code> on <code>*</code> and call it done.</p> <p>You need <strong>both sides</strong>:</p> <ol> <li> <strong>Identity policy</strong> on the role in account A (what the role is allowed to request).</li> <li> <strong>Resource policy</strong> on the bucket or KMS key in account B (what the resource allows).</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fw0gnfwlu4iae7gxz9ctt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fw0gnfwlu4iae7gxz9ctt.png" alt="Cross-account S3 access requiring identity policy and resource policy on both sides" width="800" height="533"></a></p> <h3> S3 bucket policy (account B) </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowWorkloadRoleUpload"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::222222222222:role/app-upload-role"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:PutObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:AbortMultipartUpload"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::shared-artifacts-prod/uploads/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Identity policy (account A, on <code>app-upload-role</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"WriteSharedArtifacts"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:PutObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:AbortMultipartUpload"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::shared-artifacts-prod/uploads/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>For KMS, include <code>kms:Encrypt</code>, <code>kms:GenerateDataKey</code>, and a key policy that names the same principal.</p> <p><strong>Design rules:</strong></p> <ol> <li>Name the <strong>exact role ARN</strong> in the resource policy; avoid account-root principals unless you truly mean the entire account.</li> <li>Scope to prefix (<code>uploads/*</code>) or specific key aliases.</li> <li>Prefer moving the resource closer to the consumer account if daily cross-account access is heavy.</li> </ol> <p><strong>Verification signal:</strong> Upload succeeds from the app role; <code>s3:DeleteObject</code> or access from a different role fails with <code>AccessDenied</code>.</p> <h2> Pattern 5 — Third-party and vendor access with ExternalId </h2> <p><strong>Use when:</strong> A SaaS vendor, partner, or integration must assume a role in your account (monitoring, backup, security scanning).</p> <p>Always require <code>sts:ExternalId</code> in the trust policy to mitigate confused deputy problems.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F12x1k919aa3u5jmrysv7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F12x1k919aa3u5jmrysv7.png" alt="Third-party vendor assume role flow with ExternalId condition" width="800" height="533"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::333333333333:root"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"sts:ExternalId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"your-unique-external-id-from-vendor"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Design rules:</strong></p> <ol> <li>One role per vendor integration; never reuse a vendor role for internal automation.</li> <li>Rotate or revoke ExternalId when offboarding the vendor.</li> <li>Prefer vendor-specific managed policies over <code>ReadOnlyAccess</code> if the vendor documents minimum requirements.</li> </ol> <h2> SCPs and permission boundaries: guardrails above IAM </h2> <p>IAM roles express <strong>intent</strong>. SCPs express <strong>organizational maximums</strong>. Permission boundaries cap what a role can ultimately grant, even if someone attaches a broader policy (by mistake).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fy76t7ubqfkvw2adhmf24.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fy76t7ubqfkvw2adhmf24.png" alt="IAM guardrails layered with allow policies, permission boundaries, and SCP deny ceiling" width="800" height="533"></a></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Control</th> <th>What it does</th> <th>Example</th> </tr> </thead> <tbody> <tr> <td>SCP</td> <td>Org-wide deny ceiling</td> <td>Deny all actions outside <code>af-south-1</code> and <code>eu-west-1</code> </td> </tr> <tr> <td>Permission boundary</td> <td>Max permissions for a custom role</td> <td>Allow EC2 and ECS, deny IAM and Organizations</td> </tr> <tr> <td>Session policy</td> <td>One-time session scoping</td> <td>CLI assume-role with a tighter inline session policy</td> </tr> </tbody> </table></div> <p>A common SCP pattern for workload accounts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DenyIAMUserAndAccessKeys"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"iam:CreateUser"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:CreateAccessKey"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>SCPs do not grant access; instead, they filter it. IAM roles still need explicit allow policies.</p> <h2> Decision matrix: which pattern when? </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Need</th> <th>Pattern</th> <th>Primary mechanism</th> </tr> </thead> <tbody> <tr> <td>Engineer console/CLI access</td> <td>Identity Center</td> <td>Permission sets + account assignments</td> </tr> <tr> <td>Pipeline deploys to prod</td> <td>CI/CD deployment role</td> <td>Cross-account <code>AssumeRole</code> + OIDC in tooling account</td> </tr> <tr> <td>Security team visibility</td> <td>Audit read role</td> <td>Cross-account read + delegated security services</td> </tr> <tr> <td>App writes to shared bucket</td> <td>Resource + identity policy</td> <td>S3/KMS policies naming specific role ARNs</td> </tr> <tr> <td>Vendor integration</td> <td>Vendor assume-role</td> <td>Trust policy + <code>sts:ExternalId</code> </td> </tr> <tr> <td>Prevent IAM users org-wide</td> <td>SCP guardrail</td> <td>Deny <code>iam:CreateUser</code> / <code>CreateAccessKey</code> </td> </tr> </tbody> </table></div> <h2> How to verify your design </h2> <p>Run this review before calling the model "done":</p> <ol> <li> <strong>No long-lived IAM user keys</strong> in workload or tooling accounts for automation.</li> <li>Every cross-account trust policy names a <strong>specific principal ARN</strong> (or Identity Center pattern), not <code>*</code>.</li> <li> <code>aws:PrincipalOrgID</code> (or <code>aws:PrincipalAccount</code>) appears on cross-account trust where possible.</li> <li>CloudTrail logs show <strong>who assumed which role</strong> and which API calls followed.</li> <li>A negative test fails as expected (for example, staging deploy role cannot assume production role).</li> <li>SCP deny rules block the risk you fear most (root usage, unapproved regions, public S3 ACLs).</li> </ol> <h3> Quick CLI negative test (deployment roles) </h3> <p>From the tooling role session, attempt to assume a role that you should not reach:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sts assume-role <span class="se">\</span> <span class="nt">--role-arn</span> arn:aws:iam::PROD_ACCOUNT_ID:role/deployment-role <span class="se">\</span> <span class="nt">--role-session-name</span> deploy-test </code></pre> </div> <p>Repeat with the <strong>allowed</strong> workload role and confirm success. Then run a single deploy action and confirm that CloudTrail captures the chain.</p> <h2> When this breaks down </h2> <ol> <li> <strong>Account vending without role standards:</strong> New accounts get bespoke admin users because there is no template for trust policies.</li> <li> <strong>Role chaining depth:</strong> Chaining multiple <code>AssumeRole</code> calls hits session limits and makes debugging painful; keep chains shallow.</li> <li> <strong>Overloaded deployment roles:</strong> One role deploys EC2, edits IAM, and reads Secrets Manager; incident response becomes guesswork.</li> <li> <strong>SCP vs IAM confusion:</strong> Teams think an IAM <code>Allow</code> fixes an SCP <code>Deny</code>; it does not.</li> <li> <strong>Missing break-glass:</strong> Identity Center power access with no emergency process leads to shared root usage in outages.</li> </ol> <h2> Frequently asked questions </h2> <p><strong>Q: Should I use IAM users at all in member accounts?</strong></p> <p>For human access, no, use IAM Identity Center. Limited exceptions exist for break-glass automation accounts with strict controls, but that is not the default pattern.</p> <p><strong>Q: Is <code>AdministratorAccess</code> ever okay for deployment roles?</strong></p> <p>Rarely in mature environments. Start tight; broaden only with recorded justification. Admin deploy roles turn pipeline compromise into organization compromise.</p> <p><strong>Q: Do I need a separate tooling account?</strong></p> <p>Not on day one, but CI/CD roles benefit from isolation. Many teams start with a <code>shared-services</code> account and split later.</p> <p><strong>Q: How does this relate to AWS Control Tower?</strong></p> <p>Control Tower encodes opinionated OU and account factory patterns. The role designs here still apply; Control Tower helps enforce account baseline and guardrails.</p> <h2> What I learned designing roles across accounts </h2> <ul> <li> <strong>Trust policies are the real contract</strong> between accounts; review them like production code.</li> <li> <strong>Conditions are cheap insurance</strong>; <code>aws:PrincipalOrgID</code> stops a surprising amount of cross-account trust mistakes.</li> <li> <strong>Readable role names</strong> (<code>deployment-role-prod</code>, <code>security-read-member</code>) beat generic <code>cross-account-role</code> when auditors and on-call engineers ask questions at 2 a.m.</li> </ul> <h2> References </h2> <ul> <li><a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html" rel="noopener noreferrer">IAM Identity Center</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html" rel="noopener noreferrer">IAM roles</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html" rel="noopener noreferrer">Cross-account resource access in IAM</a></li> <li><a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html" rel="noopener noreferrer">AWS Organizations SCPs</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html" rel="noopener noreferrer">IAM permission boundaries</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html" rel="noopener noreferrer">Confused deputy problem (ExternalId)</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html" rel="noopener noreferrer">Security best practices in IAM</a></li> <li><a href="https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html" rel="noopener noreferrer">AWS Well-Architected Framework — Security pillar</a></li> </ul> iam aws security infrastructure Terraform EC2 and S3 Upload Access: A Simple IAM Role Setup Without Access Keys Ilyas Rufai Sun, 21 Jun 2026 07:05:28 +0000 https://dev.to/rufilboss/terraform-ec2-and-s3-upload-access-a-simple-iam-role-setup-without-access-keys-4k99 https://dev.to/rufilboss/terraform-ec2-and-s3-upload-access-a-simple-iam-role-setup-without-access-keys-4k99 <p>You need a small virtual machine that can upload files to object storage. The fast-but-wrong path is to create an Identity and Access Management (IAM) access key, SSH into the box, and paste credentials into <code>~/.aws/credentials</code>. That works once, then those keys live on disk, get copied into scripts, and eventually leak.</p> <p>In this article, you will use Terraform to launch an Elastic Compute Cloud (EC2) instance and attach an IAM role so the instance can upload to one Simple Storage Service (S3) bucket without storing AWS access keys on the server.</p> <p><strong>Who this is for:</strong> Developers and DevOps engineers learning Terraform on AWS.</p> <p><strong>What you will build:</strong> One EC2 instance, one private S3 bucket, one IAM role with least-privilege upload permissions, and a working <code>aws s3 cp</code> test from the instance.</p> <p><strong>Prerequisites:</strong></p> <ul> <li>An AWS account with permissions to create EC2, S3, IAM, and security groups</li> <li> <a href="https://developer.hashicorp.com/terraform/install" rel="noopener noreferrer">Terraform</a> 1.5+ installed locally</li> <li> <a href="https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html" rel="noopener noreferrer">AWS CLI</a> configured locally (<code>aws configure</code>)</li> <li>An EC2 key pair already created in your target AWS Region (for SSH access)</li> </ul> <p><strong>Versions used in this tutorial:</strong></p> <ul> <li>Terraform <code>1.5+</code> </li> <li>AWS provider <code>~&gt; 5.0</code> </li> <li>Amazon Linux 2023 AMI</li> </ul> <h2> TL;DR </h2> <ul> <li>Do not put IAM access keys on EC2 for S3 uploads; use an IAM instance profile instead.</li> <li>Create the S3 bucket first, then attach a role policy scoped to that bucket and an <code>uploads/</code> prefix.</li> <li>Launch EC2 in your default virtual private cloud (VPC) with a security group that allows SSH only from your IP.</li> <li>Verify access from the instance with <code>aws s3 cp</code> credentials that come from instance metadata automatically.</li> <li>Run <code>terraform destroy</code> when finished to avoid ongoing EC2 charges.</li> </ul> <h2> Why putting access keys on EC2 fails </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Approach</th> <th>Why teams use it</th> <th>Why it breaks</th> </tr> </thead> <tbody> <tr> <td>IAM user access keys on the server</td> <td>Fast to test uploads</td> <td>Keys sit on disk, are hard to rotate, and expand blast radius if the instance is compromised</td> </tr> <tr> <td>Overly broad IAM policy (<code>s3:*</code> on <code>*</code>)</td> <td>Fewer permission errors during setup</td> <td>One compromised instance can read, delete, or overwrite unrelated buckets</td> </tr> <tr> <td>Manual console clicks only</td> <td>No infrastructure as code (IaC) history</td> <td>Drift, no repeatable setup, hard to audit</td> </tr> </tbody> </table></div> <p><strong>Key idea:</strong> The EC2 instance should assume an IAM role at boot. AWS injects short-lived credentials through the instance metadata service. Your Terraform code documents exactly what the instance can do.</p> <h2> What you are building </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Your laptop (Terraform) | v AWS API calls | +--&gt; S3 bucket (uploads/ prefix) | +--&gt; IAM role + instance profile | +--&gt; EC2 instance (assumes role, uploads via AWS CLI) </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F838etnc5xvlg68uh9thy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F838etnc5xvlg68uh9thy.png" alt="Architecture flow: Terraform provisions EC2 with IAM role for S3 uploads" width="800" height="533"></a></p> <h2> Step 1: Create the project layout </h2> <p>Create a new folder and four files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>terraform-ec2-s3-upload <span class="o">&amp;&amp;</span> <span class="nb">cd </span>terraform-ec2-s3-upload <span class="nb">touch </span>versions.tf variables.tf main.tf outputs.tf </code></pre> </div> <p>Your layout should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-ec2-s3-upload/ versions.tf variables.tf main.tf outputs.tf </code></pre> </div> <h2> Step 2: Pin provider versions </h2> <p>Add provider constraints in <code>versions.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.5.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_region</span> <span class="p">}</span> </code></pre> </div> <h2> Step 3: Define input variables </h2> <p>Add tunable values in <code>variables.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"aws_region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AWS region to deploy resources"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"project_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Prefix for resource names"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"tf-ec2-s3-demo"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"EC2 instance type"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"t3.micro"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"key_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Existing EC2 key pair name in this region"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_cidr"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Your public IP in CIDR format for SSH access (example: 203.0.113.10/32)"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>Create a <code>terraform.tfvars</code> file with your values:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">aws_region</span> <span class="err">=</span> <span class="s2">"us-east-1"</span> <span class="nx">key_name</span> <span class="err">=</span> <span class="s2">"your-key-pair-name"</span> <span class="nx">ssh_cidr</span> <span class="err">=</span> <span class="s2">"YOUR_PUBLIC_IP/32"</span> </code></pre> </div> <p>To find your public IP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-s</span> https://checkip.amazonaws.com </code></pre> </div> <p>Append <code>/32</code> to that IP for <code>ssh_cidr</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fe85ld0yj6n62k77vqs7s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fe85ld0yj6n62k77vqs7s.png" alt="public_ip" width="798" height="54"></a></p> <h2> Step 4: Create the S3 bucket </h2> <p>Add the bucket and hardening settings in <code>main.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"uploads"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"${var.project_name}-${data.aws_caller_identity.current.account_id}"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_public_access_block"</span> <span class="s2">"uploads"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">uploads</span><span class="p">.</span><span class="nx">id</span> <span class="nx">block_public_acls</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">block_public_policy</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">ignore_public_acls</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">restrict_public_buckets</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"current"</span> <span class="p">{}</span> </code></pre> </div> <p>Bucket name includes your account ID to reduce naming collisions.</p> <h2> Step 5: Create IAM role and least-privilege S3 policy </h2> <p>Still in <code>main.tf</code>, define what the EC2 instance is allowed to do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"ec2_assume_role"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ec2.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"ec2_upload_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-ec2-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">ec2_assume_role</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"s3_upload_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"ListBucketPrefix"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:ListBucket"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">uploads</span><span class="p">.</span><span class="nx">arn</span><span class="p">]</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringLike"</span> <span class="nx">variable</span> <span class="p">=</span> <span class="s2">"s3:prefix"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"uploads/*"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"UploadObjectsOnly"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:PutObject"</span><span class="p">,</span> <span class="s2">"s3:AbortMultipartUpload"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"${aws_s3_bucket.uploads.arn}/uploads/*"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"s3_upload_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-s3-upload"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">s3_upload_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"attach_upload_policy"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ec2_upload_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">s3_upload_policy</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_instance_profile"</span> <span class="s2">"ec2_profile"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-instance-profile"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ec2_upload_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <p>This role can upload only to <code>uploads/*</code> inside one bucket. It cannot delete objects or read unrelated buckets.</p> <h2> Step 6: Use default VPC networking and security group </h2> <p>For a beginner-friendly setup, use the default VPC and one public subnet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_vpc"</span> <span class="s2">"default"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_subnets"</span> <span class="s2">"default"</span> <span class="p">{</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"vpc-id"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="nx">data</span><span class="p">.</span><span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"ec2_sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-sg"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow SSH from your IP only"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"SSH from admin IP"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">ssh_cidr</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Step 7: Launch the EC2 instance </h2> <p>Add the Amazon Linux 2023 AMI lookup and EC2 instance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_ami"</span> <span class="s2">"amazon_linux_2023"</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">owners</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"amazon"</span><span class="p">]</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"name"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"al2023-ami-*-kernel-*-x86_64"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"virtualization-type"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"hvm"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_ami</span><span class="p">.</span><span class="nx">amazon_linux_2023</span><span class="p">.</span><span class="nx">id</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_subnets</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">ids</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">ec2_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">key_name</span> <span class="nx">iam_instance_profile</span> <span class="p">=</span> <span class="nx">aws_iam_instance_profile</span><span class="p">.</span><span class="nx">ec2_profile</span><span class="p">.</span><span class="nx">name</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash dnf update -y dnf install -y awscli </span><span class="no"> EOF </span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-ec2"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Add outputs in <code>outputs.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"ec2_public_ip"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Public IP for SSH"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"s3_bucket_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Target bucket for uploads"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">uploads</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ssh_command"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"SSH command example"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"ssh -i ~/.ssh/${var.key_name}.pem ec2-user@${aws_instance.app.public_ip}"</span> <span class="p">}</span> </code></pre> </div> <h2> Step 8: Initialize and apply Terraform </h2> <p>Run Terraform from the project folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init terraform plan terraform apply </code></pre> </div> <p>terraform init<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ftdj51k9szn2n1q05im1m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ftdj51k9szn2n1q05im1m.png" alt="Terraform init" width="799" height="256"></a></p> <p>terraform plan<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ffnhrr7brh749ctwxmhil.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ffnhrr7brh749ctwxmhil.png" alt="Terraform Plan" width="800" height="564"></a></p> <p>terraform apply; Type <code>yes</code> when prompted.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fayl5ll7kj23zzyooddwk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fayl5ll7kj23zzyooddwk.png" alt="Terraform apply" width="800" height="575"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F40no3iwfgs9rcidb88zv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F40no3iwfgs9rcidb88zv.png" alt="Terraform Applied" width="800" height="575"></a></p> <p>Instance running:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fpdwgf3uomw76849cyifs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fpdwgf3uomw76849cyifs.png" alt="Success!" width="797" height="107"></a></p> <h2> Step 9: SSH into the instance </h2> <p>Use the output SSH command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="nt">-i</span> ~/.ssh/your-key-pair-name.pem ec2-user@&lt;EC2_PUBLIC_IP&gt; </code></pre> </div> <p>If the connection fails, confirm:</p> <ol> <li> <code>ssh_cidr</code> matches your current public IP.</li> <li>Your key file permissions are <code>chmod 400</code>.</li> <li>The instance status is <code>running</code>.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F9ip6abfq5qp6h0hkdv2q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F9ip6abfq5qp6h0hkdv2q.png" alt="successful SSH session" width="800" height="407"></a></p> <h2> Step 10: Verify S3 upload from EC2 </h2> <p>On the EC2 instance, confirm AWS CLI identity:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sts get-caller-identity </code></pre> </div> <p>You should see the role ARN for <code>${project_name}-ec2-role</code>, not an IAM user.</p> <p>Upload a test file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"upload test </span><span class="si">$(</span><span class="nb">date</span><span class="si">)</span><span class="s2">"</span> <span class="o">&gt;</span> /tmp/upload-test.txt aws s3 <span class="nb">cp</span> /tmp/upload-test.txt s3://&lt;BUCKET_NAME&gt;/uploads/upload-test.txt aws s3 <span class="nb">ls </span>s3://&lt;BUCKET_NAME&gt;/uploads/ </code></pre> </div> <p>Replace <code>&lt;BUCKET_NAME&gt;</code> with the <code>s3_bucket_name</code> Terraform output.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fc75lni4ap4iacjjwuyxl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fc75lni4ap4iacjjwuyxl.png" alt="s3-upload-success" width="800" height="62"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Filhpmr27a3y0pvh6c2zk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Filhpmr27a3y0pvh6c2zk.png" alt="08-s3-console-object" width="799" height="185"></a></p> <h2> How to verify this works </h2> <p>Run this quick checklist:</p> <ol> <li> <code>terraform output</code> shows <code>ec2_public_ip</code> and <code>s3_bucket_name</code>.</li> <li> <code>aws sts get-caller-identity</code> on EC2 returns the instance role ARN.</li> <li> <code>aws s3 cp</code> to <code>uploads/</code> succeeds from EC2.</li> <li>Upload to a different prefix (for example, <code>secrets/</code>) fails with <code>AccessDenied</code>.</li> <li>No access keys exist in <code>/home/ec2-user/.aws/credentials</code> on the instance.</li> </ol> <p>The last check confirms you are using role-based access, not static keys.</p> <h2> Clean up to avoid charges </h2> <p>When you finish testing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fhf69y2nvf7o6uj4u2i32.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fhf69y2nvf7o6uj4u2i32.png" alt="Destroying resources" width="800" height="577"></a></p> <p>Type <code>yes</code> to remove EC2, IAM, and S3 resources created by this tutorial.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fks2ehftolssuvh5vkhix.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fks2ehftolssuvh5vkhix.png" alt="Destroy complete!" width="800" height="577"></a></p> <h2> When this breaks down </h2> <ol> <li> <strong>Default VPC missing:</strong> Some AWS accounts disable the default VPC. You will need to create a VPC and public subnet first.</li> <li> <strong>SSH blocked by IP change:</strong> If your home IP changes, update <code>ssh_cidr</code> and run <code>terraform apply</code> again.</li> <li> <strong>Too open security groups:</strong> Never set SSH to <code>0.0.0.0/0</code> in real environments.</li> <li> <strong>Policy too broad:</strong> <code>s3:*</code> on <code>*</code> is convenient for demos but unsafe for production workloads.</li> <li> <strong>No remote state backend:</strong> This tutorial uses local Terraform state. For team use, move state to S3 with locking (DynamoDB).</li> </ol> <h2> Frequently asked questions </h2> <p><strong>Q: Why not attach an IAM user access key to EC2?</strong></p> <p>Access keys are long-lived secrets. IAM roles provide temporary credentials that rotate automatically and are tied to the instance lifecycle.</p> <p><strong>Q: Can this instance read objects from S3?</strong></p> <p>Not with the policy in this tutorial. It can upload to <code>uploads/*</code> only. Add explicit <code>s3:GetObject</code> permissions only if your workload needs reads.</p> <p><strong>Q: Is this production-ready?</strong></p> <p>It is a strong learning baseline, not a production baseline. Production setups usually add private subnets, Systems Manager (SSM) Session Manager instead of public SSH, encryption, logging, and tighter network controls.</p> <h2> What I learned building this </h2> <ul> <li>IAM instance profiles are the default pattern for EC2-to-AWS service access.</li> <li>Prefix-scoped S3 policies reduce damage if an instance is compromised.</li> <li>Terraform makes role and bucket permissions reviewable in pull requests.</li> </ul> <h2> Project on GitHub </h2> <ul> <li> <a href="https://github.com/rufilboss/terraform-ec2-s3-iam-role" rel="noopener noreferrer">Terraform project on GitHub</a> with EC2, IAM role, and S3 upload policy.</li> </ul> <h2> References </h2> <ul> <li><a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs" rel="noopener noreferrer">Terraform AWS Provider documentation</a></li> <li><a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html" rel="noopener noreferrer">IAM roles for Amazon EC2</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3.html" rel="noopener noreferrer">Granting permissions to access Amazon S3 resources</a></li> <li><a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html" rel="noopener noreferrer">Amazon S3 security best practices</a></li> <li><a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html" rel="noopener noreferrer">Instance metadata and IAM roles</a></li> </ul> terraform aws ec2 s3 Secret Scanning in CI: What Pre-Commit, Pull Request, and Main Branch Each Actually Catch Ilyas Rufai Wed, 17 Jun 2026 11:32:18 +0000 https://dev.to/rufilboss/secret-scanning-in-ci-what-pre-commit-pull-request-and-main-branch-each-actually-catch-3c55 https://dev.to/rufilboss/secret-scanning-in-ci-what-pre-commit-pull-request-and-main-branch-each-actually-catch-3c55 <p>A teammate pastes an AWS access key into a PR comment to "debug quickly." Another commits <code>.env.production</code> because <code>.gitignore</code> was wrong on a new microservice. A third rotates nothing after a contractor laptop compromise because "we never committed secrets, probably fine."</p> <p>Secret scanners are not interchangeable at every stage of the software development lifecycle (SDLC). Running only on <code>main</code> means the secret already lived in git history. Running only locally means it never ran on the machine that mattered. <strong>Layers</strong> matter, and each layer should have a different job.</p> <p>In this article, you will implement a practical three-layer secret-scanning model with Gitleaks and GitHub Actions, then verify each layer and handle real incidents without creating scanner fatigue.</p> <p><strong>Who this is for:</strong> Engineers owning GitHub Actions security checks for application repos.</p> <p><strong>What you'll build:</strong> Pre-commit hook, PR scan, and post-merge history scan with shared allowlist discipline.</p> <p><strong>Prerequisites:</strong> Git, GitHub repo, optional Gitleaks binary locally.</p> <h2> TL;DR </h2> <ul> <li>Use three layers with different goals: pre-commit for fast local feedback, pull request as a merge gate, and scheduled default-branch scans for hygiene.</li> <li>Block merges on PR findings; treat default-branch findings as incidents plus historical cleanup.</li> <li>Share one <code>.gitleaks.toml</code> across local and CI runs, and allowlist only specific safe paths.</li> <li>Rotation and revocation matter more than history rewrite; deleting git history without credential rotation does not contain compromise.</li> </ul> <h2> Why one scanner in one place fails </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Catches</th> <th>Misses</th> </tr> </thead> <tbody> <tr> <td>Pre-commit</td> <td>Keys before they enter any remote</td> <td>Skipped hooks (<code>--no-verify</code>), new clones without hooks installed</td> </tr> <tr> <td>Pull request</td> <td>Keys introduced in the diff; blocks merge</td> <td>Secrets only in comments, wiki, or release assets</td> </tr> <tr> <td>Default branch/history</td> <td>Deep scan, scheduled; finds old leaks</td> <td>Still too late for keys already exfiltrated from an open PR</td> </tr> </tbody> </table></div> <p>Treat findings like production incidents at the PR layer; treat main-branch scans as <strong>hygiene and audit evidence</strong>.</p> <h2> Layer 1 — Pre-commit (fast feedback) </h2> <p>Start with local feedback so engineers catch leaks before pushing.<br> Install <a href="https://github.com/gitleaks/gitleaks" rel="noopener noreferrer">Gitleaks</a> and wire a hook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .pre-commit-config.yaml</span> repos: - repo: https://github.com/gitleaks/gitleaks rev: v8.21.2 hooks: - <span class="nb">id</span>: gitleaks </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pre-commit <span class="nb">install</span> </code></pre> </div> <p>Developers see failures in under two seconds on staged files. <strong>Allowlist</strong> test fixtures explicitly, never disable rules globally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="c"># .gitleaks.toml (repo root)</span> <span class="nn">[allowlist]</span> <span class="py">paths</span> <span class="p">=</span> <span class="p">[</span> <span class="s">'''^tests/fixtures/'''</span><span class="p">,</span> <span class="s">'''^docs/examples/fake-credentials\.json$'''</span> <span class="p">]</span> </code></pre> </div> <p><strong>Rule:</strong> If a path needs a real secret for tests, use a vault-injected env var in CI—not a committed file with "fake" in the name and a real-looking key format.</p> <h2> Layer 2 — Pull request scan (merge gate) </h2> <p>The PR layer is your enforcement point. Scan <strong>only the PR diff</strong> so developers are not punished for historical debt on day one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Secret scan (PR)</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">pull-requests</span><span class="pi">:</span> <span class="s">write</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">gitleaks</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Gitleaks on PR diff</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">gitleaks/gitleaks-action@v2</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GITHUB_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">with</span><span class="pi">:</span> <span class="na">config-path</span><span class="pi">:</span> <span class="s">.gitleaks.toml</span> </code></pre> </div> <p>Configure branch protection: this check is required before the merge.</p> <p><strong>Fork PRs:</strong> <code>GITHUB_TOKEN</code> from forks is read-only; gitleaks-action still scans the diff but cannot comment with elevated permissions, acceptable for public repos; for private repos, consider org-level secret scanning (GitHub Advanced Security) as a parallel signal.</p> <h2> Layer 3 — Main branch and history (hygiene) </h2> <p>The default-branch layer catches historical debt and supply-chain surprises.<br> Run a weekly full-history scan:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Secret scan (history)</span> <span class="na">on</span><span class="pi">:</span> <span class="na">schedule</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cron</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0</span><span class="nv"> </span><span class="s">6</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">1"</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">gitleaks-history</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">gitleaks/gitleaks-action@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">config-path</span><span class="pi">:</span> <span class="s">.gitleaks.toml</span> <span class="c1"># no PR context: full repo scan</span> </code></pre> </div> <p>When this fires on <code>main</code>, assume rotation: revoke the credential, purge from history (<code>git filter-repo</code> or BFG) only <strong>after</strong> revocation—scrubbing git without rotating the secret fixes nothing.</p> <h2> How to verify this works </h2> <p>Use these checks to confirm each layer is doing the right job:</p> <ol> <li> <strong>Pre-commit check:</strong> add a fake test secret string in a staged file and confirm <code>pre-commit</code> blocks the commit.</li> <li> <strong>PR gate check:</strong> Open a test pull request with the same string and confirm the workflow fails before merge.</li> <li> <strong>History scan check:</strong> run <code>workflow_dispatch</code> for the history workflow and confirm it scans the full repository.</li> <li> <strong>Allowlist check:</strong> Place the same test token in an allowlisted fixture path and confirm scanner behavior matches your policy.</li> </ol> <p>Use clearly fake values in tests and examples. Never use production-like secrets for scanner testing.</p> <h2> Reducing false positives without going blind </h2> <ol> <li> <strong>Allowlist paths, not regexes for "AWS"</strong> — Broad entropy exceptions hide real keys.</li> <li> <strong>Separate example keys:</strong> Use obviously invalid formats (<code>AKIAFAKE00000000000</code>) in docs; scanners and humans both win.</li> <li> <strong>Custom rules sparingly:</strong> Add org-specific patterns (internal API key prefix) via Gitleaks <code>[[rules]]</code>; do not fork the entire ruleset unless you can maintain it.</li> <li> <strong>Teach the escape hatch:</strong> If pre-commit blocks a docs change, fix the example, not <code>SKIP=gitleaks</code>.</li> </ol> <h2> When a secret is found anyway </h2> <ol> <li> <strong>Revoke</strong> in the provider (AWS, Stripe, Slack) immediately.</li> <li> <strong>Rotate</strong> dependent systems; assume compromise if the repo is public or the PR was open.</li> <li> <strong>Purge history</strong> if the secret touched git; coordinate with legal/comms if customer data access was possible.</li> <li> <strong>Post-incident:</strong> add a rule or allowlist fix so the same mistake is a one-liner next time.</li> </ol> <p>Pair this scanning pipeline with short-lived cloud credentials (for example, OIDC-based CI federation) so leaked CI identity material has reduced blast radius.</p> <h2> When this breaks down </h2> <ol> <li>Teams can bypass local hooks, so pre-commit cannot be your enforcement layer by itself.</li> <li>Diff-only PR scans do not catch existing secrets already in history, release assets, or external systems.</li> <li>Aggressive allowlists can silently reduce coverage if they are not reviewed during security change management.</li> <li>Scanner success can create false confidence if incident response, revocation, and rotation are weak.</li> </ol> <h2> Summary </h2> <ul> <li>Use three layers: pre-commit (speed), PR (gate), scheduled main (history).</li> <li>Share one <code>.gitleaks.toml</code>; allowlist paths, not categories of secrets.</li> <li>Block merge on PR findings; treat main-branch hits as incident + hygiene work.</li> <li>Rotation beats history rewriting; scanning is detection, not prevention alone.</li> </ul> <h2> Further reading </h2> <ul> <li><a href="https://github.com/gitleaks/gitleaks#configuration" rel="noopener noreferrer">Gitleaks configuration</a></li> <li><a href="https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning" rel="noopener noreferrer">GitHub secret scanning</a></li> <li><a href="https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository" rel="noopener noreferrer">Removing sensitive data from a repository</a></li> </ul> devsecops githubactions gitleaks secrets Amazon S3 Bucket Names Aren’t Always Globally Unique Anymore — Here’s What Changed (and Why I’m Excited) Ilyas Rufai Thu, 19 Mar 2026 11:54:35 +0000 https://dev.to/rufilboss/amazon-s3-bucket-names-arent-always-globally-unique-anymore-heres-what-changed-and-why-im-3a1f https://dev.to/rufilboss/amazon-s3-bucket-names-arent-always-globally-unique-anymore-heres-what-changed-and-why-im-3a1f <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F74tcw6c7amqslpu9mfz6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F74tcw6c7amqslpu9mfz6.png" alt="Global namespace" width="800" height="287"></a></p> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgj70v2rg5nh1b86zsuyc.png" alt="Account regional namespace" width="800" height="350"> </h2> <p>I still remember the first time S3 humbled me.</p> <p>I was following a “hello AWS” tutorial, feeling confident, and then S3 hit me with:</p> <blockquote> <p><strong>Bucket name already exists</strong></p> </blockquote> <p>I tried again. And again. And again.<br><br> Different names, different variations, still taken!</p> <p>That’s when I learned the “classic rule”:</p> <p><strong>S3 bucket names are globally unique</strong> (within an AWS partition).<br><br> Meaning: if someone anywhere already owns that bucket name, you can’t have it.</p> <p>But here’s the big update I recently learned, and it’s <em>huge</em> for builders, platform teams, and security folks:</p> <p><strong>Amazon S3 now supports creating general-purpose buckets inside an “account regional namespace”, which removes the “find a globally unique name” pain.</strong></p> <p>AWS announced this on <strong>Mar 12, 2026</strong>:<br> <code>https://aws.amazon.com/about-aws/whats-new/2026/03/amazon-s3-account-regional-namespaces/</code></p> <p>In this article, I’ll break down what changed, how it works, why it matters, and how I’d explain it if I were designing bucket naming at scale.</p> <h2> What used to be true (and is still true by default) </h2> <p>By default, <strong>general purpose buckets exist in a global namespace</strong>.</p> <p>AWS puts it plainly:</p> <ul> <li> <strong>“Each bucket name must be unique across all AWS accounts in all the AWS Regions within a partition.”</strong> Official docs: <code>https://docs.aws.amazon.com/AmazonS3/latest/userguide/gpbucketnamespaces.html</code> </li> </ul> <p>That means:</p> <ul> <li> <code>my-company-logs</code> can only exist once (in that partition).</li> <li>If the bucket is deleted, the name becomes available again — and someone else could recreate it later.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcwy76sxvn8ixkt227rjv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcwy76sxvn8ixkt227rjv.png" alt="Bucket already exists" width="799" height="265"></a></p> <h2> What changed: Account regional namespaces (Mar 2026) </h2> <p>AWS introduced a second option:</p> <p>You can now create a <strong>general purpose bucket</strong> in a namespace reserved only for your account:</p> <blockquote> <p><strong>“You can also choose to create a bucket in your account regional namespace. Your account regional namespace is a subdivision of the global namespace that only your account can create buckets in.”</strong><br><br> Official docs: <code>https://docs.aws.amazon.com/AmazonS3/latest/userguide/gpbucketnamespaces.html</code></p> </blockquote> <p>AWS also summarizes the “why” in the announcement:</p> <ul> <li>eliminates the need to find globally unique bucket names </li> <li>makes it easier to build workloads like “one bucket per customer/team/dataset” </li> <li>can be enforced using IAM policies/service control policies (SCPs) </li> </ul> <p>Announcement: <code>https://aws.amazon.com/about-aws/whats-new/2026/03/amazon-s3-account-regional-namespaces/</code></p> <p>The nuance I want to keep clear:</p> <ul> <li><strong>Global namespace is still the default</strong></li> <li>But now you have a <strong>reserved</strong> namespace you can opt into</li> </ul> <h2> How the naming looks (the new naming convention) </h2> <p>Buckets in your <strong>account regional namespace</strong> follow this naming pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>bucket-name-prefix-accountId-region-an </code></pre> </div> <p>Official example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>amzn-s3-demo-bucket-111122223333-us-west-2-an </code></pre> </div> <p>Source: <code>https://docs.aws.amazon.com/AmazonS3/latest/userguide/gpbucketnamespaces.html</code></p> <p>So instead of fighting to get:</p> <ul> <li><code>my-company-logs</code></li> </ul> <p>…you can choose a predictable prefix like:</p> <ul> <li><code>my-company-logs</code></li> </ul> <p>and the final name will include your account + region suffix that makes it unique <em>to you</em>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftb18tnn2rnv6102zmjs1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftb18tnn2rnv6102zmjs1.png" alt=" " width="800" height="182"></a></p> <h2> Why this matters (in real systems) </h2> <h3> 1) It kills the “I spent 20 minutes naming a bucket” problem </h3> <p>If you’ve ever created buckets for different environments, you know this loop:</p> <ul> <li> <code>myapp-prod-logs</code> (taken)</li> <li> <code>myapp-prod-logs-1</code> (taken)</li> <li> <code>myapp-prod-logs-2026</code> (taken)</li> <li> <code>myapp-prod-logs-&lt;random&gt;</code> (finally works, but now it’s ugly)</li> </ul> <p>Account regional namespaces support a much more predictable naming scheme.</p> <h3> 2) It reduces risk after deletion (a security win) </h3> <p>In the shared global namespace, once a bucket is deleted, the name becomes available again. Another account can recreate the name later and potentially receive requests intended for that name.</p> <p>Official docs: <code>https://docs.aws.amazon.com/AmazonS3/latest/userguide/gpbucketnamespaces.html</code></p> <p>In contrast, for account regional namespace buckets:</p> <ul> <li>Only your account can create buckets in that namespace</li> <li>Another account cannot recreate your account-regional bucket name</li> </ul> <p>Official docs: <code>https://docs.aws.amazon.com/AmazonS3/latest/userguide/gpbucketnamespaces.html</code></p> <h3> 3) It scales for bucket-per-customer / bucket-per-team designs </h3> <p>AWS explicitly calls out bucket-per-customer/team/dataset workloads in the announcement:</p> <p><code>https://aws.amazon.com/about-aws/whats-new/2026/03/amazon-s3-account-regional-namespaces/</code></p> <p>That’s a very modern SaaS/platform pattern, and it’s nice to see S3 making it easier to do it safely and predictably.</p> <h2> Creating an account-regional namespace bucket (AWS CLI) </h2> <p>The official docs show creating a bucket using the AWS CLI like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws s3api create-bucket <span class="se">\</span> <span class="nt">--bucket</span> amzn-s3-demo-bucket-012345678910-us-west-1-an <span class="se">\</span> <span class="nt">--bucket-namespace</span> account-regional <span class="se">\</span> <span class="nt">--region</span> us-west-1 <span class="se">\</span> <span class="nt">--create-bucket-configuration</span> <span class="nv">LocationConstraint</span><span class="o">=</span>us-west-1 </code></pre> </div> <p>Source: <code>https://docs.aws.amazon.com/AmazonS3/latest/userguide/gpbucketnamespaces.html</code></p> <blockquote> <p><strong>Note:</strong> Before you run the command, make sure your <code>aws cli</code> command is updated.</p> </blockquote> <h2> How I’d enforce this in an organization (IAM/SCP policy) </h2> <p>If I were working on a platform team, I’d want consistent naming and fewer security foot-guns. AWS provides a clean enforcement pattern using the condition key:</p> <ul> <li><code>s3:x-amz-bucket-namespace</code></li> </ul> <p>Here’s an example IAM policy from the docs that denies <code>s3:CreateBucket</code> unless the request is using <code>account-regional</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RequireAccountRegionalBucketCreation"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:CreateBucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringNotEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"s3:x-amz-bucket-namespace"</span><span class="p">:</span><span class="w"> </span><span class="s2">"account-regional"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Source: <code>https://docs.aws.amazon.com/AmazonS3/latest/userguide/gpbucketnamespaces.html</code></p> <h2> Bucket naming rules (still important) </h2> <p>Even with namespaces, S3 bucket names still follow the general naming rules, like:</p> <ul> <li>3–63 characters </li> <li>lowercase letters, numbers, periods (<code>.</code>), and hyphens (<code>-</code>) only </li> <li>must start and end with a letter or number </li> <li>no two adjacent periods </li> <li>cannot look like an IP address </li> </ul> <p>Official rules: <code>https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html</code></p> <p>Also note:</p> <ul> <li> <code>-an</code> is reserved for account regional namespace buckets </li> <li>the account/regional suffix counts toward the 63-character limit </li> </ul> <p>Official docs: <code>https://docs.aws.amazon.com/AmazonS3/latest/userguide/gpbucketnamespaces.html</code></p> <h2> The mental model I use </h2> <p>This is how I explain it to myself:</p> <h3> Global namespace (default) </h3> <ul> <li>Like a global username system </li> <li>If someone owns it, you can’t use it </li> <li>If deleted, someone else might grab it later </li> </ul> <h3> Account regional namespace (new) </h3> <ul> <li>Like a reserved “username space” under <em>my account + my region</em> </li> <li>I still choose the prefix, but uniqueness is guaranteed by the suffix </li> <li>Another account can’t recreate my account-regional bucket name </li> </ul> <h2> Final takeaway </h2> <p>When I first learned S3 bucket names had to be globally unique, I accepted it as “just an AWS thing.”</p> <p>But account regional namespaces feel like AWS responding to how people actually build today: lots of environments, lots of teams, and a need for predictable and secure naming.</p> <p>If I’m building something new, I’d strongly consider defaulting new buckets to the account regional namespace — especially if naming conventions matter, or if I want to reduce the risk of name reuse after deletion.</p> <h2> References (official) </h2> <ul> <li>AWS announcement (Mar 12, 2026): <code>https://aws.amazon.com/about-aws/whats-new/2026/03/amazon-s3-account-regional-namespaces/</code> </li> <li>Namespaces for general purpose buckets: <code>https://docs.aws.amazon.com/AmazonS3/latest/userguide/gpbucketnamespaces.html</code> </li> <li>General purpose bucket naming rules: <code>https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html</code> </li> </ul> aws s3 cloud devops I built a zero-cost end-to-end DevOps pipeline (GitHub Actions + Docker + Kubernetes + Docker Hub) Ilyas Rufai Wed, 04 Mar 2026 11:27:47 +0000 https://dev.to/rufilboss/i-built-a-zero-cost-end-to-end-devops-pipeline-github-actions-docker-kubernetes-docker-hub-2g9n https://dev.to/rufilboss/i-built-a-zero-cost-end-to-end-devops-pipeline-github-actions-docker-kubernetes-docker-hub-2g9n <p>I just finished a small but <strong>real</strong> DevOps project and I want to share it in case you’re trying to build your own portfolio.</p> <p>The idea was simple: <strong>take a tiny app and wire the whole path from <code>git push</code> → CI/CD → container registry → Kubernetes</strong>, without paying for any cloud resources.</p> <p>You can grab the code here:</p> <ul> <li> <strong>GitHub repo</strong>: <code>https://github.com/rufilboss/devops-e2e-pipeline</code> </li> <li> <strong>Docker Hub image</strong>: <code>docker.io/asruf/demo-app:latest</code> </li> </ul> <h2> What I built (high level) </h2> <p>Concretely, the project contains:</p> <ul> <li> <strong>App</strong>: Tiny Flask API (<code>app/main.py</code>)</li> <li> <strong>Container</strong>: Dockerfile (<code>app/Dockerfile</code>)</li> <li> <strong>CI/CD</strong>: GitHub Actions workflow that builds and pushes images to <strong>Docker Hub</strong> (<code>.github/workflows/ci-cd.yaml</code>)</li> <li> <strong>Kubernetes</strong>: <code>Deployment</code> + <code>Service</code> (<code>k8s/*.yaml</code>)</li> <li> <strong>Terraform (optional)</strong>: creates the Kubernetes namespace (<code>terraform/*.tf</code>)</li> </ul> <p>Everything here runs <strong>for free</strong> on a local cluster (kind or minikube) and a free Docker Hub + GitHub account.</p> <h2> Prerequisites I used </h2> <p>To follow exactly what I did, you’ll want:</p> <ul> <li>Git + GitHub repo</li> <li>Docker</li> <li><code>kubectl</code></li> <li>One local Kubernetes option: <ul> <li> <strong>kind</strong> (what I used), or</li> <li><strong>minikube</strong></li> </ul> </li> <li>Terraform (optional, only for the IaC part)</li> <li>A <strong>Docker Hub</strong> account (I used mine <code>asruf</code>)</li> </ul> <h2> Project layout </h2> <p>This is the layout of the repo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>devops-e2e-pipeline/ ├── app │ ├── Dockerfile │ ├── main.py │ └── requirements.txt ├── k8s │ ├── namespace.yaml │ └── deployment.yaml ├── terraform │ ├── main.tf │ └── k8s.tf └── .github └── workflows └── ci-cd.yaml </code></pre> </div> <h2> 1) The app I used (simple Flask service) </h2> <p>I deliberately kept the app tiny so the focus is on the <strong>pipeline</strong>, not the code.</p> <p>It exposes:</p> <ul> <li> <code>/</code> — info about the service (name, version, env, status)</li> <li> <code>/health</code> — liveness</li> <li> <code>/ready</code> — readiness</li> </ul> <p><code>app/main.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">jsonify</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">VERSION</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">APP_VERSION</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">1.0.0</span><span class="sh">"</span><span class="p">)</span> <span class="n">ENV</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">ENV</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">dev</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">index</span><span class="p">():</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span> <span class="sh">"</span><span class="s">service</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">demo-app</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="n">VERSION</span><span class="p">,</span> <span class="sh">"</span><span class="s">env</span><span class="sh">"</span><span class="p">:</span> <span class="n">ENV</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">,</span> <span class="p">})</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">health</span><span class="p">():</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">healthy</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">200</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/ready</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">ready</span><span class="p">():</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ready</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">200</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">app</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">8080</span><span class="p">)</span> </code></pre> </div> <p>Dependencies:</p> <p><code>app/requirements.txt</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>flask&gt;=3.0.0 </code></pre> </div> <p>The app listens on <strong>port 8080</strong>, which I re-use everywhere (Docker, Kubernetes, port-forward, etc.).</p> <h2> 2) Containerizing it with Docker </h2> <p>My Dockerfile is intentionally straightforward but shows some basic good practices:</p> <ul> <li>Slim base image</li> <li>Non-root user</li> <li>Requirements installed in their own layer</li> </ul> <p><code>app/Dockerfile</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">python:3.12-slim</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">runtime</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">RUN </span>adduser <span class="nt">--disabled-password</span> <span class="nt">--gecos</span> <span class="s2">""</span> appuser <span class="k">COPY</span><span class="s"> requirements.txt .</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> <span class="nt">-r</span> requirements.txt <span class="o">&amp;&amp;</span> pip freeze <span class="o">&gt;</span> requirements.lock <span class="k">COPY</span><span class="s"> main.py .</span> <span class="k">USER</span><span class="s"> appuser</span> <span class="k">EXPOSE</span><span class="s"> 8080</span> <span class="k">ENV</span><span class="s"> FLASK_APP=main.py</span> <span class="k">CMD</span><span class="s"> ["python", "-m", "flask", "run", "--host=0.0.0.0", "--port=8080"]</span> </code></pre> </div> <h3> Local sanity check </h3> <p>From the repo root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>devops-e2e-pipeline docker build <span class="nt">-t</span> demo-app:local ./app docker run <span class="nt">--rm</span> <span class="nt">-p</span> 8080:8080 <span class="nt">--name</span> demo-app-test demo-app:local <span class="c"># In another terminal:</span> curl <span class="nt">-s</span> http://localhost:8080/health curl <span class="nt">-s</span> http://localhost:8080/ </code></pre> </div> <p>That gave me:</p> <ul> <li> <code>{"status": "healthy"}</code> from <code>/health</code> </li> <li> <code>{"env":"dev","service":"demo-app","status":"ok","version":"1.0.0"}</code> from <code>/</code> </li> </ul> <p>Once that worked, I moved on to Kubernetes.</p> <p>Here are the screenshots from my terminal while doing this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdz7asuyn8phgm8tz7piu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdz7asuyn8phgm8tz7piu.png" alt="Building the Docker image" width="799" height="196"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm6w172zyapvk1uyibduu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm6w172zyapvk1uyibduu.png" alt="Running the container locally" width="799" height="102"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi0uuxyouuk346jcxvb9a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi0uuxyouuk346jcxvb9a.png" alt="Health endpoint response" width="800" height="26"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flx7fl0934mpl26gn41mc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flx7fl0934mpl26gn41mc.png" alt="Root endpoint response" width="800" height="26"></a></p> <h2> 3) Running it on Kubernetes (kind or minikube) </h2> <p>I wanted a “real” deployment with:</p> <ul> <li>A dedicated namespace</li> <li>2 replicas</li> <li>Liveness/readiness probes</li> <li>Resource requests/limits</li> </ul> <h3> Starting a local cluster </h3> <p>You can use either tool; I used <strong>kind</strong>, but here are both options.</p> <p><strong>minikube:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>minikube start </code></pre> </div> <p><strong>kind:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kind create cluster <span class="nt">--name</span> demo </code></pre> </div> <p>Here’s what that looked like for me:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvdnjafp0jk4dxf1mmys8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvdnjafp0jk4dxf1mmys8.png" alt="kind create cluster output" width="799" height="147"></a></p> <h3> Making the image visible to the cluster </h3> <p>Kubernetes can’t automatically see <code>demo-app:local</code> unless you either:</p> <ul> <li>build inside the cluster’s Docker daemon (minikube), or</li> <li>load the image into kind.</li> </ul> <p><strong>Option A: minikube</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">eval</span> <span class="s2">"</span><span class="si">$(</span>minikube docker-env<span class="si">)</span><span class="s2">"</span> docker build <span class="nt">-t</span> demo-app:local ./app </code></pre> </div> <p><strong>Option B: kind</strong> (what I used):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> demo-app:local ./app kind load docker-image demo-app:local <span class="nt">--name</span> demo </code></pre> </div> <p>And the <code>kind load</code> output:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpdbfv6dlehglwfn6cqo6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpdbfv6dlehglwfn6cqo6.png" alt="kind load docker-image output" width="800" height="26"></a></p> <h3> Kubernetes manifests I used </h3> <p>Namespace:</p> <p><code>k8s/namespace.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">demo-app</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">demo-app</span> </code></pre> </div> <p>Deployment + Service:</p> <p><code>k8s/deployment.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">demo-app</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">demo-app</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">demo-app</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="c1"># Local image for kind/minikube:</span> <span class="c1"># image: demo-app:local</span> <span class="c1"># Docker Hub image (asruf/demo-app) when using CI/CD:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.io/asruf/demo-app:latest</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ENV</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">production"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">APP_VERSION</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">50m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">64Mi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">200m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">128Mi</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/ready</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">3</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">demo-app</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">demo-app</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">demo-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">demo-app</span> </code></pre> </div> <h3> Applying and testing </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> k8s/namespace.yaml kubectl apply <span class="nt">-f</span> k8s/deployment.yaml kubectl get pods,svc <span class="nt">-n</span> demo-app kubectl port-forward <span class="nt">-n</span> demo-app svc/demo-app 8080:80 </code></pre> </div> <p>Then in another terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-s</span> http://localhost:8080/health curl <span class="nt">-s</span> http://localhost:8080/ready curl <span class="nt">-s</span> http://localhost:8080/ </code></pre> </div> <p>Here’s the <code>kubectl apply</code> / <code>kubectl get</code> snapshot:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkp1it3q5vhwkqt8b42ri.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkp1it3q5vhwkqt8b42ri.png" alt="kubectl apply/get output" width="799" height="126"></a></p> <p>And the port-forward:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57pxhpz1syi1jw50frhy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57pxhpz1syi1jw50frhy.png" alt="kubectl port-forward output" width="800" height="58"></a></p> <p>At this point, I had the app running as <strong>2 replicas in a local cluster</strong>, fronted by a Service, with working probes.</p> <h2> 4) Pushing to Docker Hub </h2> <p>My Docker Hub username is <strong><code>asruf</code></strong>. I first pushed manually to make sure everything worked:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker tag demo-app:local asruf/demo-app:latest docker push asruf/demo-app:latest </code></pre> </div> <p>After that, the image was available at:</p> <ul> <li><code>docker.io/asruf/demo-app:latest</code></li> </ul> <p>That’s the image the Kubernetes manifest uses by default in this repo.</p> <h2> 5) CI/CD with GitHub Actions → Docker Hub </h2> <p>I wanted the pipeline to:</p> <ul> <li>Build the image on every push / PR</li> <li>Push to Docker Hub on pushes (not PRs)</li> <li>Tag images with: <ul> <li>the commit SHA</li> <li> <code>latest</code> (for the default branch)</li> </ul> </li> </ul> <p>The workflow is at <code>./.github/workflows/ci-cd.yaml</code>.</p> <h3> Docker Hub secrets </h3> <p>In my GitHub repo I created 2 <strong>Actions secrets</strong>:</p> <ul> <li> <code>DOCKERHUB_USERNAME</code> — <code>asruf</code> </li> <li> <code>DOCKERHUB_TOKEN</code> — a Docker Hub access token</li> </ul> <p>You can find these in:</p> <blockquote> <p>GitHub repo → Settings → Secrets and variables → Actions</p> </blockquote> <h3> What the workflow does </h3> <p>High level:</p> <ul> <li>Check out code</li> <li>Set up Buildx</li> <li>Log in to Docker Hub with <code>DOCKERHUB_USERNAME</code> + <code>DOCKERHUB_TOKEN</code> </li> <li>Build the Docker image from <code>./app</code> </li> <li>Tag it with SHA + <code>latest</code> </li> <li>Push to <code>docker.io/asruf/demo-app</code> </li> </ul> <p>So every push to <code>main</code> automatically gives me a fresh image on Docker Hub, ready for Kubernetes.</p> <h2> 6) Optional: Terraform for the namespace </h2> <p>I also wanted at least one <strong>Infrastructure as Code</strong> piece in here, so I used Terraform’s Kubernetes provider to create the namespace.</p> <p><code>terraform/main.tf</code> (provider + versions) and <code>terraform/k8s.tf</code> (namespace resource) are already in the repo.</p> <p>If your <code>~/.kube/config</code> points at a running cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>terraform terraform init terraform plan terraform apply </code></pre> </div> <p>This is small on purpose, but it’s enough to say <strong>“I manage part of the Kubernetes infrastructure with Terraform”</strong>.</p> <p>Here’s what my <code>terraform init</code> + <code>terraform plan</code> looked like:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58cvarz0c17dkp5sahw2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58cvarz0c17dkp5sahw2.png" alt="Terraform init/plan output" width="800" height="453"></a></p> <h2> 7) How can you reuse this </h2> <p>If you want to adapt this project for yourself:</p> <ul> <li>Fork the repo or copy the layout</li> <li>Change the <strong>Docker Hub</strong> username and repo name</li> <li>Update: <ul> <li> <code>k8s/deployment.yaml</code> <code>image:</code> field</li> <li>GitHub Actions secrets (<code>DOCKERHUB_USERNAME</code>, <code>DOCKERHUB_TOKEN</code>)</li> </ul> </li> <li>Swap the Flask app for your own service if you like</li> </ul> <p>The nice part is that the pattern stays the same:</p> <blockquote> <p><strong>App → Docker → Docker Hub → Kubernetes → (optional) Terraform</strong></p> </blockquote> <p>Once this pipeline is in your portfolio, you can honestly tell people:</p> <blockquote> <p>“I’ve built and maintained an end-to-end CI/CD pipeline with GitHub Actions, Docker, Kubernetes, Docker Hub, and Terraform. Here’s the repo and here’s the running app.”</p> </blockquote> <h2> Final thoughts </h2> <p>This project is small, but it touches a lot of the buzzwords you see in job posts and freelance gigs:</p> <ul> <li>GitHub Actions</li> <li>Docker</li> <li>Docker Hub</li> <li>Kubernetes</li> <li>Terraform</li> </ul> <p>If you’re trying to break into DevOps or just want something concrete to show, feel free to <strong>clone my <a href="https://github.com/rufilboss/devops-e2e-pipeline" rel="noopener noreferrer">repo</a>, run it locally, and then customize it</strong> to match your own style and stack.</p> devops cicd docker kubernetes Are You Planning to Get Into DevOps in 2026? A Practical Guide for the Real World Ilyas Rufai Wed, 24 Dec 2025 21:57:09 +0000 https://dev.to/rufilboss/are-you-planning-to-get-into-devops-in-2026-a-practical-guide-for-the-real-world-3blb https://dev.to/rufilboss/are-you-planning-to-get-into-devops-in-2026-a-practical-guide-for-the-real-world-3blb <p>It’s <strong>December 2025</strong>, almost January 2026, and if you’re asking yourself <em>“Should I start DevOps now?”</em> Then this article is for you.</p> <p>Not because DevOps is <em>trending</em> (it is, most companies now practice DevOps workflows and advanced automation standards), but because the <em>demand for real DevOps skill — not surface-level tool knowledge —</em> is only going to grow faster in the AI-augmented era we’re entering.</p> <h2> Why Now is the Right Time (But Also the Hardest Time) </h2> <p>Over the last five years, DevOps has shifted from pure automation to <strong>intelligent automation</strong>:</p> <ul> <li>GitOps — treating Git as the <em>single source of truth</em> for infrastructure and app deployments — is becoming mainstream.</li> <li>Cloud-native, serverless, and event-driven designs are reshaping how systems are built.</li> <li>AI is now embedded in pipelines, observability, and even predictive deployments, automating decisions that used to require senior engineers.</li> </ul> <p>The payoff? Teams deploy faster, with fewer errors, and automation frees engineers from repetitive toil.<br> The catch? <strong>AI can mask gaps in understanding.</strong> You can have something running and still not know <em>why</em> it runs, and that’s where most beginners crash.⁣</p> <p>In 2026, <em>DevOps without deep fundamentals</em> is like driving a car you can’t fix when it breaks.</p> <h2> What Works (Based on Real Industry Signals) </h2> <p>Here’s what industry trends say about DevOps evolution:</p> <ul> <li> <strong>GitOps adoption</strong> is expected to grow sharply, improving reliability and consistency.</li> <li> <strong>DevSecOps</strong> — embedding security into every pipeline is essential, not optional.</li> <li> <strong>Observers and AI-powered observability tools</strong> help engineers find problems before they hit users.</li> <li> <strong>Serverless pipelines</strong> are reshaping how we think about infrastructure abstraction and event wiring.</li> </ul> <p>These aren’t buzzwords; they are what you’ll see in job descriptions, production systems, and real-world infrastructure teams.</p> <h2> But First — A Reality Check </h2> <p>Before we talk tools: DevOps is <strong>not a checklist</strong> of technologies. It’s a <em>cultural and engineering mindset</em> rooted in:</p> <ul> <li>Continuous Delivery</li> <li>Automated, high-confidence pipelines</li> <li>Reproducible infrastructure</li> <li>Collaboration between development and operations</li> </ul> <p>AI will help you generate configs, but it <strong>won’t give you intuition</strong> around:</p> <ul> <li>Why a pipeline failed</li> <li>How a Kubernetes pod behaves under pressure</li> <li>What happens when your Terraform state drifts</li> <li>Why observability matters more than logging</li> </ul> <p>That intuition is what separates <em>copy-paste</em> from <em>craftsmanship</em>.</p> <h2> The Practical DevOps Path </h2> <p>Here’s how you should think about your journey if you’re starting <strong>now</strong>:</p> <h3> 1. Master Linux and Command Line </h3> <p>Everything in DevOps runs on CLI, shells, permissions, networking, logs, and processes. Your laptop is your first “cluster.”<br> If you can’t diagnose why SSH fails, nothing else will help.</p> <p>In 2026, this fundamental still underpins container workloads, cloud instances, observability agents, and automation scripts.</p> <h3> 2. Scripting &amp; Automation </h3> <p>If you automate only once manually, that’s already DevOps:</p> <ul> <li>Bash/Python/Go for straightforward automation</li> <li>Tools like Make, just to organize tasks</li> <li>A mindset of <em>automate early, fix once</em> </li> </ul> <p>AI can <em>suggest scripts</em> — but always read and refactor them yourself.</p> <h3> 3. Containers &amp; Microservices </h3> <p>Docker, Kubernetes, and sidecar architectures aren’t going anywhere.<br> These technologies form the backbone of cloud-native systems and service distribution.</p> <p>Remember:</p> <blockquote> <p>Docker makes shipping easier; Kubernetes makes scaling easier —<br> you still need to know <em>what each component does</em>.</p> </blockquote> <h3> 4. Real Cloud Practice (Practically) </h3> <p>Cloud isn’t just AWS, Azure, or GCP; it’s <em>how production systems run</em>. AI-native cloud services are replacing old workloads, and multi-cloud/hybrid strategies are increasingly popular.</p> <p>Instead of incurring huge bills while you learn, consider tools like <strong>LocalStack</strong> (<a href="https://github.com/localstack/localstack" rel="noopener noreferrer">https://github.com/localstack/localstack</a>) — it lets you <em>practice cloud APIs locally</em> without risk. That’s real hands-on learning.</p> <h3> 5. CI/CD and Beyond (From Commit to Deployment) </h3> <p>This is where theory intersects practice.</p> <p>You won’t just be writing pipelines, you treat them like <strong>policies</strong>:</p> <ul> <li>Automated testing</li> <li>Security scanning</li> <li>Version-controlled provisioning</li> <li>Fast rollback strategies</li> </ul> <p>In 2026, AI isn’t replacing CI/CD engineers, it’s <em>augmenting</em> them via smart predictions and autonomous decision loops.</p> <h3> 6. Security &amp; Resilience </h3> <p>DevSecOps is now standard practice:<br> Security checks must happen <em>before</em> deployments, not after!</p> <p>You need broad fluency with:</p> <ul> <li>Secrets management (Vault, AWS Secrets Manager)</li> <li>Policy as code (OPA, Kyverno)</li> <li>Automated vulnerability scanning</li> </ul> <p>Security is not a separate discipline; it’s a microbial process embedded throughout your pipelines.</p> <h2> How AI Helps (And When It Hurts) </h2> <h3> ✔️ Where AI Adds Massive Value </h3> <ul> <li>Generating boilerplate Terraform/CI/CD</li> <li>Explaining error logs in clear language</li> <li>Offering alternative solutions fast</li> <li>Flagging potential configuration problems early</li> </ul> <h3> ❌ Where AI Can Mislead </h3> <ul> <li>Blindly copying code without understanding it</li> <li>Masking architectural tradeoffs</li> <li>Assuming generated configs are optimal</li> <li>Trusting AI output without testing it thoroughly</li> </ul> <p><strong>Rule of thumb:</strong><br> If AI helps you <em>understand</em> a solution — it’s good.<br> If it only helps you <em>run</em> a solution — it’s dangerous.</p> <h2> These Resources Will Accelerate Your Journey </h2> <p>You might find these extremely useful:</p> <p>🔗 <strong>100 Days of DevOps</strong> — a proven, hands-on progression:<br> <a href="https://github.com/rufilboss/100DaysOfDevOps" rel="noopener noreferrer">https://github.com/rufilboss/100DaysOfDevOps</a></p> <p>🔗 <strong>DevOps Guide (fork &amp; extend it):</strong><br> <a href="https://github.com/rufilboss/DevOps-Guide/" rel="noopener noreferrer">https://github.com/rufilboss/DevOps-Guide/</a></p> <p>🔗 <strong>DevOps Books curated by the community:</strong><br> <a href="https://github.com/DevOps-Projects-Ideas/DevOps-Books/" rel="noopener noreferrer">https://github.com/DevOps-Projects-Ideas/DevOps-Books/</a><br> (500+ stars | 270+ forks — real community validation)</p> <p>🔗 <strong>Cloud infrastructure local practice (Low cost/no risk):</strong><br> <a href="https://github.com/localstack/localstack" rel="noopener noreferrer">https://github.com/localstack/localstack</a></p> <p>These are not ads, they are <strong>battle-tested resources</strong> used by beginners and pros alike.</p> <h2> The Real Takeaway </h2> <p>DevOps in 2026 is not <em>just another career</em>.<br> It’s about <strong>thinking in systems</strong>, not tools.</p> <p>AI will let you <em>explore more</em>, but only fundamentals will let you <em>master more</em>.</p> <p>You don’t need to learn everything today, but you do need to build <strong>confidence through repetition, testing, failure, and curiosity</strong>.</p> <p>If you’re ready to dive in, you’re already ahead of the crowd.</p> devops beginners ai cloud A Practical Guide to Organizing an AWS Community Day (From Scratch) Ilyas Rufai Tue, 23 Dec 2025 11:59:50 +0000 https://dev.to/rufilboss/a-practical-guide-to-organizing-an-aws-community-day-from-scratch-1ao4 https://dev.to/rufilboss/a-practical-guide-to-organizing-an-aws-community-day-from-scratch-1ao4 <h2> What is AWS Community Day? </h2> <p>AWS Community Day is a <strong>one-day, community-led conference</strong> organized by AWS communities such as AWS User Groups or AWS Cloud Clubs. It brings cloud practitioners, students, and enthusiasts together to learn, network, and share real-world AWS knowledge.</p> <p>Community Days range from:</p> <ul> <li>Large, multi-country events (e.g., AWS Community Day DACH)</li> <li>To smaller, single-community events organized by one User Group or Cloud Club</li> </ul> <p>This guide documents <strong>what it takes to plan, organize, and execute an AWS Community Day successfully</strong>, especially if you’re doing it for the <strong>first time</strong>.</p> <h2> Phase 1: Foundations (Before Anything Else) </h2> <h3> 1. Define Your Scope </h3> <p>Before tools, sponsors, or speakers, be clear on:</p> <ul> <li> <strong>Target audience:</strong> students, professionals, beginners, mixed?</li> <li> <strong>Event size goal:</strong> (e.g. 1000–1500 attendees)</li> <li> <strong>Event type:</strong> free or paid</li> <li> <strong>Location:</strong> city, campus, venue type</li> </ul> <p>📌 <em>Placeholder:</em></p> <blockquote> <p>Expected attendees: ___<br> Target audience: ___<br> City/Campus: ___</p> </blockquote> <h3> 2. Official AWS Alignment (Very Important) </h3> <h4> AWS Community Day Page </h4> <p>Start here:<br> 👉 <a href="https://aws.amazon.com/developer/community/community-day/" rel="noopener noreferrer">https://aws.amazon.com/developer/community/community-day/</a></p> <p>This page explains:</p> <ul> <li>What qualifies as an AWS Community Day</li> <li>Branding rules</li> <li>FAQs</li> <li>Organizer expectations</li> </ul> <h4> AWS Organizer Slack </h4> <p>Join the <strong><code>community-day-organizers</code></strong> Slack channel.<br> This is critical for:</p> <ul> <li>Avoiding date clashes in the same region</li> <li>Learning from other organizers</li> <li>Funding guidance</li> <li>Shared templates and experiences</li> </ul> <h2> Phase 2: Online Presence &amp; Registration </h2> <h3> 3. Event Website </h3> <p>You will need a simple website containing:</p> <ul> <li>Event details</li> <li>Agenda</li> <li>Speakers</li> <li>Registration link</li> <li>Sponsors</li> </ul> <p>Options:</p> <ul> <li>Build your own</li> <li>Use a template (e.g. Hugo-based AWS Community Day templates)</li> </ul> <p>📌 <em>Placeholder:</em></p> <blockquote> <p>Website URL: ___</p> </blockquote> <h3> 4. Registration </h3> <p>Common tools:</p> <ul> <li>Eventbrite</li> <li>Google Forms</li> <li>Konfhub</li> <li>Other ticketing platforms</li> </ul> <p>Choose one that:</p> <ul> <li>Handles attendee limits</li> <li>Exports attendee data</li> <li>Supports QR codes (nice bonus)</li> </ul> <p>📌 <em>Placeholder:</em></p> <blockquote> <p>Registration platform: ___</p> </blockquote> <h3> 5. Call for Speakers (CfS) </h3> <p>You’ll need speakers early.</p> <p>Tools:</p> <ul> <li>Sessionize</li> <li>Google Forms</li> </ul> <p>Collect:</p> <ul> <li>Topic title</li> <li>Abstract</li> <li>Speaker bio</li> <li>Preferred time slot</li> <li>Session level (Beginner / Intermediate / Advanced)</li> </ul> <p>📌 <em>Placeholder:</em></p> <blockquote> <p>CfS link: ___<br> Submission deadline: ___</p> </blockquote> <h2> Phase 3: AWS Support &amp; Resources </h2> <h3> 6. AWS-Provided Materials </h3> <p>AWS provides downloadable assets that help a lot:</p> <ul> <li>Logos</li> <li>Fonts</li> <li>Slide templates</li> <li>Organizer resources</li> </ul> <p>Look for:</p> <ul> <li><strong>UG Toolkit / Community Toolkit</strong></li> </ul> <h3> 7. Funding (Yes, It’s Possible 💵) </h3> <p>AWS may provide <strong>financial or material support</strong> depending on:</p> <ul> <li>Event size</li> <li>Community maturity</li> <li>Region</li> </ul> <p>Funding requests are usually discussed in:</p> <ul> <li>AWS organizer Slack</li> <li>Via AWS Community contacts</li> </ul> <p>📌 <em>Placeholder:</em></p> <blockquote> <p>Funding requested? Yes / No<br> Amount / type: ___</p> </blockquote> <h2> Phase 4: Planning the Actual Event </h2> <h3> 8. Attendee Estimation (Be Realistic) </h3> <p>Estimating attendance is tricky.</p> <p>Consider:</p> <ul> <li>Size of your community</li> <li>Average meetup attendance</li> <li>Travel distance</li> <li>Marketing reach</li> <li>Exam periods / holidays</li> </ul> <p>Rule of thumb:</p> <blockquote> <p>Expect less → Be pleasantly surprised later</p> </blockquote> <p>Also expect <strong>last-minute registrations</strong>.</p> <h3> 9. Venue Selection </h3> <p>Choose a venue that:</p> <ul> <li>Can scale up or down</li> <li>Supports multiple rooms</li> <li>Has reliable power &amp; internet</li> </ul> <p>Minimum rooms:</p> <ul> <li>Main session room(s)</li> <li>Speakers’ room</li> <li>Storage / quiet room</li> </ul> <p>📌 <em>Tip:</em><br> Sponsors/expo area should be <strong>where attendees naturally pass</strong>, not isolated.</p> <h3> 10. Catering </h3> <p>Keep it simple:</p> <ul> <li>Snacks</li> <li>Lunch</li> <li>Drinks</li> </ul> <p>Don’t forget:</p> <ul> <li>Speakers’ room refreshments</li> </ul> <p>📌 <em>Placeholder:</em></p> <blockquote> <p>Catering plan: ___</p> </blockquote> <h3> 11. Tracks &amp; Agenda Design </h3> <p>Less is more.</p> <p>Avoid:</p> <ul> <li>Too many parallel tracks</li> <li>Overlapping highly attractive sessions</li> </ul> <p>Recommended format (per session):</p> <ul> <li>30 min talk</li> <li>15 min Q&amp;A</li> <li>15 min break / expo</li> </ul> <h4> Sample Agenda </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>08:00 – Registration 09:00 – Opening Remarks 09:15 – Keynote 10:00 – Break / Expo 10:30 – Session Slot 1 11:30 – Session Slot 2 12:30 – Lunch 13:30 – Session Slot 3 14:30 – Session Slot 4 15:30 – Break 16:00 – Final Session 16:30 – Closing </code></pre> </div> <h3> 12. Speakers </h3> <p>Aim for balance:</p> <ul> <li>AWS employees</li> <li>Community speakers</li> <li>First-time speakers</li> <li>Local &amp; external speakers</li> </ul> <p>Always ask:</p> <ul> <li>Preferred speaking time</li> <li>Travel needs</li> <li>Slide sharing permission</li> </ul> <h3> 13. Free vs Paid Event </h3> <p><strong>Free Event</strong></p> <ul> <li>Higher no-shows</li> <li>More inclusive</li> </ul> <p><strong>Paid Event</strong></p> <ul> <li>Fewer no-shows</li> <li>More admin (tax, accounting)</li> </ul> <p>Choose what fits your context.</p> <h2> Phase 5: Marketing &amp; Sponsors </h2> <h3> 14. Marketing (Don’t Underestimate This) </h3> <p>Channels to use:</p> <ul> <li>WhatsApp groups</li> <li>LinkedIn</li> <li>Twitter/X</li> <li>Campus clubs</li> <li>Word of mouth</li> <li>Sponsors’ channels</li> </ul> <p>Start early.</p> <h3> 15. Sponsors </h3> <p>Sponsors fund your event.</p> <p>Prepare:</p> <ul> <li>Clear sponsorship packages</li> <li>Benefits list (booth, logo, talk, etc.)</li> <li>Venue layout</li> <li>Simple agreement</li> </ul> <p>Some sponsors may qualify for <strong>AWS MDF funding</strong>.</p> <p>📌 <em>Placeholder:</em></p> <blockquote> <p>Sponsor tiers: ___<br> Confirmed sponsors: ___</p> </blockquote> <h2> Phase 6: Operations &amp; Logistics </h2> <h3> 16. Organizing Team </h3> <p>Small teams can work:</p> <ul> <li>2–5 core organizers</li> <li>Clear roles (logistics, speakers, sponsors, media)</li> </ul> <h3> 17. Volunteers </h3> <p>Volunteers help with:</p> <ul> <li>Registration</li> <li>Directions</li> <li>Speaker support</li> </ul> <p>Tip:</p> <blockquote> <p>Ask sponsors if they can assign volunteers.</p> </blockquote> <h3> 18. Badges, Lanyards &amp; Printing </h3> <p>Decide:</p> <ul> <li>Pre-printed vs on-site printing</li> <li>Badge color coding (Organizers, Speakers, Sponsors, Attendees)</li> </ul> <p>Reusable materials save money long-term.</p> <h2> Phase 7: Communication &amp; Experience </h2> <h3> 19. Communication Channels </h3> <p>Recommended:</p> <ul> <li>Slack (organizers + speakers)</li> <li>WhatsApp (organizers + volunteers)</li> <li>WhatsApp (real-time event coordination)</li> </ul> <h3> 20. Speaker Slides &amp; Content </h3> <p>Attendees often ask for slides.</p> <p>Before the event:</p> <ul> <li>Ask speakers if slides can be shared After the event:</li> <li>Upload to website or shared drive</li> </ul> <h3> 21. Speaker Dinner (Highly Recommended) </h3> <p>If budget allows:</p> <ul> <li>Host a speaker dinner</li> <li>Builds relationships</li> <li>Improves speaker experience</li> </ul> <h2> Reality Check 😅 </h2> <p>People will:</p> <ul> <li>Complain</li> <li>Ask last-minute questions</li> <li>Need help</li> </ul> <p>This is normal. Expect it.</p> <h2> Final Thoughts </h2> <p>Organizing an AWS Community Day is:</p> <ul> <li><strong>Hard work</strong></li> <li><strong>Time-consuming</strong></li> <li><strong>Extremely rewarding</strong></li> </ul> <p>From idea to execution, expect <strong>months of planning</strong>.</p> <p>If you’re thinking about doing it:</p> <blockquote> <p><strong>Yes — do it.</strong><br> The impact on your community is worth it.</p> </blockquote> aws awscloud cloudcomputing awscommunityday