<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Soumya Ranjan 🎖️</title>
    <description>The latest articles on DEV Community by Soumya Ranjan 🎖️ (@srsoumyax11).</description>
    <link>https://dev.to/srsoumyax11</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1962149%2Fa1c602b5-e2ae-47ee-9798-5c7e7df7abd0.jpg</url>
      <title>DEV Community: Soumya Ranjan 🎖️</title>
      <link>https://dev.to/srsoumyax11</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/srsoumyax11"/>
    <language>en</language>
    <item>
      <title>Pixel &amp; Spoon Hands-On: Connecting to Your EC2 Instance 🔌</title>
      <dc:creator>Soumya Ranjan 🎖️</dc:creator>
      <pubDate>Tue, 14 Jul 2026 12:33:04 +0000</pubDate>
      <link>https://dev.to/srsoumyax11/pixel-spoon-hands-on-connecting-to-your-ec2-instance-46l6</link>
      <guid>https://dev.to/srsoumyax11/pixel-spoon-hands-on-connecting-to-your-ec2-instance-46l6</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Chapter 5.1 — Hands-on companion to Chapter 5: EC2 — Your First Server in the Cloud. Your instance is running. Now let's actually get inside it.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  Four Doors, One Server
&lt;/h2&gt;

&lt;p&gt;When Aarav clicks the &lt;strong&gt;Connect&lt;/strong&gt; button on his running EC2 instance, AWS shows him something that surprises most beginners.&lt;/p&gt;

&lt;p&gt;Not one way to connect. &lt;strong&gt;Four.&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;○ EC2 Instance Connect
○ Session Manager
○ SSH Client
○ EC2 Serial Console
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Each one is a different door into the same server. Different requirements, different use cases, different levels of security.&lt;/p&gt;

&lt;p&gt;Pick the wrong one and you'll spend 20 minutes wondering why it isn't working.&lt;/p&gt;

&lt;p&gt;Let's go through each one — what it is, when to use it, and how.&lt;/p&gt;




&lt;h2&gt;
  
  
  🚪 Door 1 — EC2 Instance Connect ✅ Start Here
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;What it is:&lt;/strong&gt;&lt;br&gt;
Connect directly from your browser. No terminal. No key file. No software to install. AWS handles authentication automatically.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;✅ Amazon Linux 2023 or Ubuntu (which we're using)
✅ Instance must have a public IP
✅ Port 22 open in your security group
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;How to connect:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1&lt;/strong&gt; — In the EC2 console, select your instance → click the &lt;strong&gt;Connect&lt;/strong&gt; button at the top.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fnk7lydufxo39mvx621ff.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fnk7lydufxo39mvx621ff.png" alt="EC2 console instance screenshot image" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 2&lt;/strong&gt; — Make sure you're on the &lt;strong&gt;EC2 Instance Connect&lt;/strong&gt; tab.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 3&lt;/strong&gt; — Username should already say &lt;code&gt;ec2-user&lt;/code&gt; — leave it as is.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 4&lt;/strong&gt; — Click &lt;strong&gt;Connect&lt;/strong&gt;.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Flyw57f2cdhhavgpxmiyo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Flyw57f2cdhhavgpxmiyo.png" alt="EC2 Instance Connect AWS image" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A terminal opens right in your browser. You're inside Aarav's server.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqn7w9z1kh23p8qn3c3kz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqn7w9z1kh23p8qn3c3kz.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Best for:&lt;/strong&gt; Beginners, quick access, one-off tasks, anyone who doesn't want to deal with key files right now.&lt;/p&gt;

&lt;p&gt;This is what we recommend for following along with this series.&lt;/p&gt;
&lt;h2&gt;
  
  
  Some basic commands you can try on it
&lt;/h2&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Check the OS version&lt;/span&gt;
&lt;span class="nb"&gt;cat&lt;/span&gt; /etc/os-release

&lt;span class="c"&gt;# Check the hostname&lt;/span&gt;
&lt;span class="nb"&gt;hostname&lt;/span&gt;

&lt;span class="c"&gt;# Check the current user&lt;/span&gt;
&lt;span class="nb"&gt;whoami&lt;/span&gt;

&lt;span class="c"&gt;# Check the current directory&lt;/span&gt;
&lt;span class="nb"&gt;pwd&lt;/span&gt;

&lt;span class="c"&gt;# List files in the current directory&lt;/span&gt;
&lt;span class="nb"&gt;ls&lt;/span&gt; &lt;span class="nt"&gt;-la&lt;/span&gt;

&lt;span class="c"&gt;# resource usage&lt;/span&gt;
top

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  🚪 Door 2 — SSH Client — The Classic Way
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;What it is:&lt;/strong&gt;&lt;br&gt;
Connect from your own terminal using the &lt;code&gt;.pem&lt;/code&gt; key file you downloaded when launching the instance. More control, works from anywhere, preferred by most developers once they get comfortable.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;✅ Your pixelspoon-key.pem file (downloaded in Ch 05)
✅ Terminal — Mac/Linux uses built-in Terminal
              Windows uses PowerShell or PuTTY
✅ Port 22 open in security group
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;How to connect:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1&lt;/strong&gt; — Open your terminal and navigate to where your &lt;code&gt;.pem&lt;/code&gt; file is saved.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 2&lt;/strong&gt; — Set the correct permissions on the key file:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;chmod &lt;/span&gt;400 pixelspoon-key.pem
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;blockquote&gt;
&lt;p&gt;💡 &lt;code&gt;chmod 400&lt;/code&gt; makes the file read-only for you, and blocks access for everyone else. SSH refuses to run if your private key can be read by other users on your machine — it's a deliberate security check. Skip this step and you'll get a "WARNING: UNPROTECTED PRIVATE KEY FILE" error.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Step 3&lt;/strong&gt; — Connect using your instance's public IP:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ssh &lt;span class="nt"&gt;-i&lt;/span&gt; &lt;span class="s2"&gt;"pixelspoon-key.pem"&lt;/span&gt; ec2-user@YOUR_PUBLIC_IP
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Find your public IP in the EC2 console — it's listed under &lt;strong&gt;Public IPv4 address&lt;/strong&gt; on your instance details page. In Aarav's case: &lt;code&gt;3.110.196.57&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;So his command looks like:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ssh &lt;span class="nt"&gt;-i&lt;/span&gt; &lt;span class="s2"&gt;"pixelspoon-key.pem"&lt;/span&gt; ec2-user@3.110.196.57
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Step 4&lt;/strong&gt; — The first time you connect, SSH will ask:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Are you sure you want to continue connecting (yes/no/[fingerprint])?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Type &lt;code&gt;yes&lt;/code&gt; and press Enter. This is normal — SSH is verifying the server's identity for the first time.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Best for:&lt;/strong&gt; Developers who prefer working in their own terminal, automation scripts, repeated connections.&lt;/p&gt;




&lt;h2&gt;
  
  
  🚪 Door 3 — SSM Session Manager — No Open Ports
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;What it is:&lt;/strong&gt;&lt;br&gt;
Connect without opening port 22 at all. AWS Systems Manager creates a secure tunnel through AWS's own internal network — your connection never touches the public internet.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;✅ SSM Agent installed (pre-installed on Amazon Linux 2023)
✅ IAM role with SSM permissions attached to the instance
✅ No open ports needed — not even port 22
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Why this matters:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Every open port is a potential attack surface. Port 22 is the most targeted port on the internet — bots scan for it constantly and attempt brute force logins 24/7.&lt;/p&gt;

&lt;p&gt;SSM Session Manager eliminates that attack surface entirely. No port open, nothing to scan, nothing to brute force.&lt;/p&gt;

&lt;p&gt;This is the connection method used in production environments by teams that take security seriously.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How to set it up:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;For SSM to work, your EC2 instance needs an IAM role with the &lt;code&gt;AmazonSSMManagedInstanceCore&lt;/code&gt; policy attached. Remember IAM roles from Chapter 4.4? This is exactly that pattern — a service role for EC2.&lt;/p&gt;

&lt;p&gt;We'll set this up properly in Chapter 6 when we cover IAM roles for EC2 instances. For now — know it exists, know it's the professional standard, and come back to it then.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Best for:&lt;/strong&gt; Production servers, instances without public IPs, security-conscious setups, teams that want zero open ports.&lt;/p&gt;




&lt;h2&gt;
  
  
  🚪 Door 4 — EC2 Serial Console — The Emergency Exit
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;What it is:&lt;/strong&gt;&lt;br&gt;
Connects at the hardware level, bypassing the operating system entirely. Works even when the OS won't boot, the network is down, or the instance is completely unresponsive.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;✅ Must be enabled at the AWS account level first
✅ Password-based auth must be configured on the instance
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;When you'd use it:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You won't need this often. Hopefully never.&lt;/p&gt;

&lt;p&gt;But imagine this: Aarav pushes a bad config change that breaks networking on the server. The instance is running, but SSH times out, Instance Connect fails, SSM can't reach it. Everything is broken.&lt;/p&gt;

&lt;p&gt;The Serial Console is the emergency override — the master key that works when all the normal doors are locked. It connects before the OS even finishes loading.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Best for:&lt;/strong&gt; Debugging broken instances, recovering from misconfigurations, instances that won't respond to anything else.&lt;/p&gt;




&lt;h2&gt;
  
  
  🧭 Which One Should You Use?
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Just starting out / following this series   →  EC2 Instance Connect
Prefer your own terminal environment        →  SSH Client
Production server, security-first           →  SSM Session Manager
Instance is broken and won't respond        →  EC2 Serial Console
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For Pixel &amp;amp; Spoon right now — &lt;strong&gt;EC2 Instance Connect&lt;/strong&gt;. Zero setup, works immediately, gets you inside in under 30 seconds.&lt;/p&gt;




&lt;h2&gt;
  
  
  ✅ Once You're Connected
&lt;/h2&gt;

&lt;p&gt;Whichever door you used, you'll land here:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight console"&gt;&lt;code&gt;&lt;span class="gp"&gt;   ,     #&lt;/span&gt;_
&lt;span class="gp"&gt;   ~\_  #&lt;/span&gt;&lt;span class="c"&gt;###_        Amazon Linux 2023&lt;/span&gt;
&lt;span class="gp"&gt;  ~~  \_#&lt;/span&gt;&lt;span class="c"&gt;####\&lt;/span&gt;
&lt;span class="gp"&gt;  ~~     \#&lt;/span&gt;&lt;span class="c"&gt;##|       Welcome, ec2-user&lt;/span&gt;
&lt;span class="gp"&gt;  ~~       \#&lt;/span&gt;/ ___
&lt;span class="gp"&gt;   ~~       V~' '-&amp;gt;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="go"&gt;    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'

&lt;/span&gt;&lt;span class="gp"&gt;[ec2-user@ip-172-31-xx-xx ~]$&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That blinking cursor is your server, waiting for instructions.&lt;/p&gt;

&lt;p&gt;You're now ready to follow the rest of Chapter 5 — cloning Pixel &amp;amp; Spoon's code and getting the ordering system live.&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://dev.to/srsoumyax11/ec2-your-first-server-in-the-cloud-2015"&gt;Back to Chapter 5: EC2 → continue from "Getting the Code on the Server"&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🗺️ Continue the Series
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Ch 05&lt;/strong&gt; — ✅ EC2: Your First Server in the Cloud&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 05.1&lt;/strong&gt; — ✅ Connecting to Your EC2 Instance &lt;em&gt;(you are here)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 06&lt;/strong&gt; — EBS, AMI &amp;amp; Auto Scaling: The Complete Compute Picture&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Resources I'm learning from:&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://roadmap.sh/aws" rel="noopener noreferrer"&gt;roadmap.sh/aws&lt;/a&gt; — my learning roadmap&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://docs.aws.amazon.com/whitepapers/latest/aws-overview/introduction.html" rel="noopener noreferrer"&gt;AWS Official Overview Whitepaper&lt;/a&gt; — straight from the source&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;




</description>
      <category>aws</category>
      <category>cloud</category>
      <category>ec2</category>
      <category>handson</category>
    </item>
    <item>
      <title>EC2: Your First Server in the Cloud 🖥️</title>
      <dc:creator>Soumya Ranjan 🎖️</dc:creator>
      <pubDate>Mon, 06 Jul 2026 08:57:10 +0000</pubDate>
      <link>https://dev.to/srsoumyax11/ec2-your-first-server-in-the-cloud-2015</link>
      <guid>https://dev.to/srsoumyax11/ec2-your-first-server-in-the-cloud-2015</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Chapter 5 of the AWS Learning Journey. The IAM arc is done. The team is set up. Now Pixel &amp;amp; Spoon needs a server — and two people are about to work together to make it happen.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  Monday Morning at Pixel &amp;amp; Spoon
&lt;/h2&gt;

&lt;p&gt;It's been a productive week.&lt;/p&gt;

&lt;p&gt;The AWS account is locked down. Root account sitting in a vault with MFA. Aarav, Meera, and Rohit each have their own IAM users — their own badges, their own permissions, nothing more than what their jobs require.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F067qkd8ld3ulmp56hksa.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F067qkd8ld3ulmp56hksa.png" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Aarav is ready to build the ordering backend.&lt;/p&gt;

&lt;p&gt;But he needs somewhere to run it.&lt;/p&gt;

&lt;p&gt;He messages Rohit:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;"Hey — can you spin up a server for me? I need something to deploy the ordering system on."&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Rohit: &lt;em&gt;"On it."&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;This is how real teams work. Aarav writes code. Rohit builds infrastructure. The separation isn't just cultural — it's enforced by the very IAM policies we set up in Chapter 4.3. Aarav's &lt;code&gt;PixelSpoon-Developer-EC2&lt;/code&gt; policy doesn't include &lt;code&gt;ec2:CreateKeyPair&lt;/code&gt;, &lt;code&gt;ec2:CreateSecurityGroup&lt;/code&gt;, or &lt;code&gt;ec2:RunInstances&lt;/code&gt;. He literally cannot provision a server even if he wanted to.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"Version"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"2012-10-17"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"Statement"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"Effect"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"Allow"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"Action"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="s2"&gt;"ec2:Describe*"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="s2"&gt;"ec2:StartInstances"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="s2"&gt;"ec2:StopInstances"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="s2"&gt;"ec2:GetConsoleOutput"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="s2"&gt;"ec2-instance-connect:SendSSHPublicKey"&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"Resource"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"*"&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;

&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That's Least Privilege doing its job.&lt;/p&gt;

&lt;p&gt;So today — we follow Rohit first. Then we hand the server to Aarav.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fl445j1h0jrwk27qhv0pv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fl445j1h0jrwk27qhv0pv.png" alt="Devop Vs Dev" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🔑 The IAM Sign-In URL — How the Team Logs In
&lt;/h2&gt;

&lt;p&gt;Before anything gets built, let's fix something we glossed over in earlier chapters.&lt;/p&gt;

&lt;p&gt;Every time we've opened the AWS console so far — we used the root account. That stops today permanently.&lt;/p&gt;

&lt;p&gt;Each team member has their own IAM user and logs in through a dedicated URL that's specific to Pixel &amp;amp; Spoon's AWS account:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;https://YOUR-ACCOUNT-ID.signin.aws.amazon.com/console
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;To find your account ID — log in to root one last time → click your account name top right → &lt;strong&gt;Account&lt;/strong&gt;. The 12-digit Account ID is shown there.&lt;/p&gt;

&lt;p&gt;Share that URL with your team. That's their front door. Not aws.amazon.com. That's for root only.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;💡 You can make this URL friendlier by setting an &lt;strong&gt;account alias&lt;/strong&gt; in the IAM dashboard. Instead of a 12-digit number, it becomes something like &lt;code&gt;https://pixelspoon.signin.aws.amazon.com/console&lt;/code&gt;. Go to IAM → Dashboard → create alias on the right side.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;For this chapter:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Rohit logs in as &lt;code&gt;rohit-devops&lt;/code&gt;&lt;/strong&gt; to provision the server&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Aarav logs in as &lt;code&gt;aarav-dev&lt;/code&gt;&lt;/strong&gt; to connect and deploy the code&lt;/li&gt;
&lt;li&gt;Root stays locked&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  🖥️ What Is EC2?
&lt;/h2&gt;

&lt;p&gt;Before Rohit launches anything — let's make sure we know what he's actually about to create.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;EC2&lt;/strong&gt; stands for &lt;strong&gt;Elastic Compute Cloud&lt;/strong&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Elastic   →  Scales up or down based on demand
Compute   →  CPU, RAM — actual processing power
Cloud     →  Available over the internet, on AWS hardware
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Remember Chapter 2 — virtualization? One physical server, sliced into many virtual machines by a hypervisor?&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;EC2 is that virtual machine.&lt;/strong&gt; The one you rent. Running on AWS's physical hardware, in the Region you chose, isolated and yours alone.&lt;/p&gt;

&lt;p&gt;In 1999, getting a server for Pixel &amp;amp; Spoon's ordering system would have taken weeks and cost lakhs before a single line of code ran on it. We covered that pain in Chapter 1.&lt;/p&gt;

&lt;p&gt;Rohit will have one ready in under 10 minutes.&lt;/p&gt;




&lt;h2&gt;
  
  
  🧱 Three Decisions Rohit Makes Before Launching
&lt;/h2&gt;




&lt;h3&gt;
  
  
  Decision 1 — The AMI: What OS Does the Server Run?
&lt;/h3&gt;

&lt;p&gt;An &lt;strong&gt;AMI&lt;/strong&gt; (Amazon Machine Image) is the operating system template — the base layer everything runs on.&lt;/p&gt;

&lt;p&gt;Rohit picks &lt;strong&gt;Amazon Linux 2023&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Why?&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Built and optimised specifically for AWS&lt;/li&gt;
&lt;li&gt;Free — no licensing cost&lt;/li&gt;
&lt;li&gt;Pre-installed with the SSM agent (useful for secure connections later)&lt;/li&gt;
&lt;li&gt;Most AWS documentation uses it — easier to troubleshoot&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  Decision 2 — The Instance Type: How Powerful?
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;t-series   →  General purpose, burstable performance
               Like a reliable everyday car — handles most tasks well,
               won't win a race but never lets you down
               Best for: web servers, APIs, small apps, learning
               ⭐ Rohit's choice: t3.micro — Free tier eligible ✅

c-series   →  Compute optimised, high CPU power
               Like a sports car — built for speed, not storage
               Best for: video processing, ML inference, game servers
               Example: c7g.large

r-series   →  Memory optimised, high RAM
               Like a moving truck — massive capacity, built to carry
               Best for: in-memory databases, large caches, analytics
               Example: r6g.large

m-series   →  Balanced CPU and memory, the production workhorse
               Like a reliable delivery van — good at everything,
               specialised at nothing
               Best for: production app servers, mid-size databases
               Example: m6i.large
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Pixel &amp;amp; Spoon has zero users today. t3.micro is more than enough. When the app grows — Rohit can resize it. That's the elastic part.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fgvkq3029ezvwuwuq2td1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fgvkq3029ezvwuwuq2td1.png" alt="InstanceTypes" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h3&gt;
  
  
  Decision 3 — The Security Group: Which Ports Are Open?
&lt;/h3&gt;

&lt;p&gt;A &lt;strong&gt;Security Group&lt;/strong&gt; is the firewall around the EC2 instance. Every request that reaches the server passes through it first.&lt;/p&gt;

&lt;p&gt;Least Privilege at the network level — only open what's actually needed.&lt;/p&gt;

&lt;p&gt;Pixel &amp;amp; Spoon's backend needs exactly two ports:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Port 22    →  SSH access (for connecting to the server)
Port 3000  →  Node.js app (for users reaching the ordering system)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Not port 8080. Not port 443 "just in case." Not anything else.&lt;/p&gt;

&lt;p&gt;Two ports. That's it.&lt;/p&gt;

&lt;p&gt;The same principle from IAM policies applies here. Every unnecessary open port is an attack surface. Bots scan every public IP on the internet constantly — the smaller the surface, the safer the server.&lt;/p&gt;




&lt;h2&gt;
  
  
  🚀 Rohit Launches the Instance
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Rohit logs in as &lt;code&gt;rohit-devops&lt;/code&gt;.&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 1 — Open EC2&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Search &lt;code&gt;EC2&lt;/code&gt; in the console → check Region is &lt;strong&gt;ap-south-1 (Mumbai)&lt;/strong&gt; → click orange &lt;strong&gt;Launch instance&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fpm04odl2pl1zgmw40ppj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fpm04odl2pl1zgmw40ppj.png" alt="alt text" width="799" height="448"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 2 — Name the Instance&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;pixel-spoon-backend
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Lowercase, hyphens, descriptive. When Rohit is managing six instances at 2am, names matter.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 3 — Choose the AMI&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Search &lt;strong&gt;Amazon Linux 2023&lt;/strong&gt; → select it → confirm the &lt;strong&gt;Free tier eligible&lt;/strong&gt; badge.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fvkn7uwqssxb4jdsg89az.png" alt="alt text" width="800" height="450"&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Step 4 — Choose Instance Type&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Select &lt;strong&gt;t3.micro&lt;/strong&gt; — confirm &lt;strong&gt;Free tier eligible&lt;/strong&gt;.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 5 — Create the Key Pair&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Click &lt;strong&gt;Create new key pair&lt;/strong&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;Key pair name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;  &lt;span class="s"&gt;pixelspoon-key&lt;/span&gt;
&lt;span class="na"&gt;Key pair type&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;  &lt;span class="s"&gt;RSA&lt;/span&gt;
&lt;span class="na"&gt;Format&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;         &lt;span class="s"&gt;.pem&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Click &lt;strong&gt;Create key pair&lt;/strong&gt; — the &lt;code&gt;.pem&lt;/code&gt; file downloads immediately.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fhd5io9fe4po4jwjgx2yr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fhd5io9fe4po4jwjgx2yr.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;⚠️ &lt;strong&gt;This file is shown once. There is no recovery.&lt;/strong&gt; Rohit moves it to a secure location immediately — not Downloads, not the Desktop. A dedicated credentials folder, or better yet, an encrypted vault.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Rohit will share this with Aarav through a secure channel — a password manager or encrypted file share. &lt;strong&gt;Not Slack. Not email.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fguerefyfu20ckt6gfspi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fguerefyfu20ckt6gfspi.png" width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;💡 Notice this step is done by Rohit, not Aarav. &lt;code&gt;aarav-dev&lt;/code&gt; doesn't have &lt;code&gt;ec2:CreateKeyPair&lt;/code&gt; in his policy — by design. Infrastructure credentials are DevOps territory. Aarav will use this key to connect, but he never created it. That's the separation working correctly.&lt;/p&gt;
&lt;/blockquote&gt;




&lt;p&gt;&lt;strong&gt;Step 6 — Configure the Security Group&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Under &lt;strong&gt;Network settings&lt;/strong&gt; → click &lt;strong&gt;Edit&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Keep the default SSH rule (port 22). Add one more:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;Type&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;        &lt;span class="s"&gt;Custom TCP&lt;/span&gt;
&lt;span class="na"&gt;Port&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;        &lt;span class="m"&gt;3000&lt;/span&gt;
&lt;span class="na"&gt;Source&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;      &lt;span class="s"&gt;Anywhere (0.0.0.0/0)&lt;/span&gt;
&lt;span class="na"&gt;Description&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Pixel &amp;amp; Spoon Node.js ordering system&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Two rules total. Done.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fpn7x1w5o7oi9019q8ydf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fpn7x1w5o7oi9019q8ydf.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 7 — Launch&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Leave storage at default 8GB → scroll down → &lt;strong&gt;Launch instance&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;60–90 seconds. When &lt;strong&gt;Instance state&lt;/strong&gt; shows &lt;strong&gt;Running&lt;/strong&gt; — Pixel &amp;amp; Spoon's server is live.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fn77m8d2ym1vqgv84wez6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fn77m8d2ym1vqgv84wez6.png" alt="AWS EC2 instance state running green console screenshot" width="800" height="449"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🤝 The Handoff
&lt;/h2&gt;

&lt;p&gt;Rohit's work is done.&lt;/p&gt;

&lt;p&gt;He sends Aarav two things:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;📋 Public IPv4 address:  (copy from EC2 console instance details)
🔑 pixelspoon-key.pem:   (shared via secure channel)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now it's Aarav's turn.&lt;/p&gt;




&lt;h2&gt;
  
  
  💻 Aarav Connects — Browser First
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Aarav logs in as &lt;code&gt;aarav-dev&lt;/code&gt;.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;He opens EC2, finds &lt;code&gt;pixel-spoon-backend&lt;/code&gt; in the instances list, selects it, and clicks the orange &lt;strong&gt;Connect&lt;/strong&gt; button.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fzha8wuly9vbeej3qgr95.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fzha8wuly9vbeej3qgr95.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;He stays on the &lt;strong&gt;EC2 Instance Connect&lt;/strong&gt; tab — username is &lt;code&gt;ec2-user&lt;/code&gt; — clicks &lt;strong&gt;Connect&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;A terminal opens in the browser.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fgluhn7tfjofdck1ydydf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fgluhn7tfjofdck1ydydf.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A machine running in a data center in Mumbai, responding to commands from Aarav's laptop.&lt;/p&gt;

&lt;p&gt;That blinking cursor is the moment cloud computing stops being a concept and becomes real.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;💡 EC2 Instance Connect is the quickest way in — no key file needed,&lt;br&gt;
works straight from the browser. But there are actually four ways&lt;br&gt;
to connect to an EC2 instance — including SSH from terminal on&lt;br&gt;
Mac, Linux, and Windows. We cover all of them in the companion post:&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://dev.toLINK"&gt;Ch 5.1 — All Four Ways to Connect to EC2 → (Read it here)&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;


&lt;h2&gt;
  
  
  📦 Aarav Deploys Pixel &amp;amp; Spoon's Code
&lt;/h2&gt;

&lt;p&gt;The server is empty. The ordering system needs to get on it.&lt;/p&gt;

&lt;p&gt;The right way — the way real teams do it — is Git. Code lives in &lt;br&gt;
a repository, versioned and safe. The server pulls it with one &lt;br&gt;
command. When the code changes, pull again.&lt;/p&gt;

&lt;p&gt;First, install the dependencies:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;dnf update &lt;span class="nt"&gt;-y&lt;/span&gt;
&lt;span class="nb"&gt;sudo &lt;/span&gt;dnf &lt;span class="nb"&gt;install &lt;/span&gt;git nodejs &lt;span class="nt"&gt;-y&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Then clone, checkout the Chapter 5 version, and run:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;git clone https://github.com/srsoumyax11/pixel-and-spoon.git
&lt;span class="nb"&gt;cd &lt;/span&gt;pixel-and-spoon
git checkout ch05-start
npm &lt;span class="nb"&gt;install
&lt;/span&gt;npm start
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fksk98jmk2bf1f2hcehn1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fksk98jmk2bf1f2hcehn1.png" alt="alt text" width="800" height="448"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Open a browser and go to:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;http://YOUR_PUBLIC_IP:3000
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In my case it is &lt;a href="http://65.2.130.72:3000/" rel="noopener noreferrer"&gt;65.2.130.72:3000&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Screenshot of the Website I built
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fsgdxiq59hute6cslixr2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fsgdxiq59hute6cslixr2.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ftp6mxglz6rr5emrg1o4f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ftp6mxglz6rr5emrg1o4f.png" alt="alt text" width="800" height="448"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F2mt9h90rsd983im97myd.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F2mt9h90rsd983im97myd.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Pixel &amp;amp; Spoon's ordering system is live. On a real server. &lt;br&gt;
On the real internet.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;💡 &lt;strong&gt;Why &lt;code&gt;git checkout ch05-start&lt;/code&gt;?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The repo grows alongside this series — by Chapter 12 it will&lt;br&gt;
have auth, by Chapter 16 it will have Secrets Manager &lt;br&gt;
integration. The &lt;code&gt;ch05-start&lt;/code&gt; tag freezes the codebase at &lt;br&gt;
exactly what Aarav deployed today — so this tutorial works &lt;br&gt;
correctly no matter when you're reading it.&lt;/p&gt;

&lt;p&gt;Each future chapter will have its own tag. You'll always know &lt;br&gt;
exactly which version to run.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2&gt;
  
  
  ⭐ The Repo Behind This Series
&lt;/h2&gt;

&lt;p&gt;The code Aarav just cloned is real — and you can use it yourself.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://github.com/srsoumyax11/pixel-and-spoon" rel="noopener noreferrer"&gt;github.com/srsoumyax11/pixel-and-spoon&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A fullstack Node.js server with two endpoints:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="err"&gt;GET&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;/&lt;/span&gt;&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="err"&gt;→&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="err"&gt;Pixel&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;&amp;amp;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;Spoon's&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;dynamic&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;Server&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;Side&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;Rendered&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;(SSR)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;ordering&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;system&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="err"&gt;GET&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;/health&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="err"&gt;→&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="err"&gt;Returns&lt;/span&gt;&lt;span class="w"&gt; 
                &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
                  &lt;/span&gt;&lt;span class="nl"&gt;"status"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"ok"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
                  &lt;/span&gt;&lt;span class="nl"&gt;"service"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"pixel-spoon-backend"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
                  &lt;/span&gt;&lt;span class="nl"&gt;"timestamp"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"2026-07-06T08:10:24.199Z"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
                  &lt;/span&gt;&lt;span class="nl"&gt;"uptime"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mf"&gt;268.874721923&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
                  &lt;/span&gt;&lt;span class="nl"&gt;"totalOrders"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
                  &lt;/span&gt;&lt;span class="nl"&gt;"version"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"1.0.0"&lt;/span&gt;&lt;span class="w"&gt;
                &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;— confirms the server is alive&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;To use it:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Fork&lt;/strong&gt; the repo to your own GitHub&lt;/li&gt;
&lt;li&gt;Clone your fork onto your EC2 instance&lt;/li&gt;
&lt;li&gt;Runs on port 3000 — no config needed&lt;/li&gt;
&lt;/ol&gt;

&lt;blockquote&gt;
&lt;p&gt;🌟 &lt;em&gt;If this series has been useful — a star on the repo goes a long way.&lt;br&gt;
It helps other learners find it and keeps the series going.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://github.com/srsoumyax11/pixel-and-spoon" rel="noopener noreferrer"&gt;⭐ Star it here → github.com/srsoumyax11/pixel-and-spoon&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  💰 What Is This Costing?
&lt;/h2&gt;

&lt;p&gt;t3.micro — &lt;strong&gt;750 free hours per month&lt;/strong&gt; for 12 months.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;1 instance running 24/7   =  ~730 hrs/month  ✅ within free tier
2 instances running 24/7  =  ~1,460 hrs/month ❌ you pay for ~730
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;The habit to build now:&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  When done for the day — &lt;strong&gt;stop the instance&lt;/strong&gt;. Not terminate. Stop.
&lt;/h2&gt;

&lt;p&gt;EC2 console → select instance → &lt;strong&gt;Instance state&lt;/strong&gt; → &lt;strong&gt;Stop instance&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Data preserved. Config saved. Compute cost: zero.&lt;/p&gt;




&lt;h2&gt;
  
  
  ⚠️ The Problem Nobody Wants to Say Out Loud
&lt;/h2&gt;

&lt;p&gt;Pixel &amp;amp; Spoon is live. The health check returns green. Aarav is proud.&lt;/p&gt;

&lt;p&gt;But Rohit is quiet.&lt;/p&gt;

&lt;p&gt;Because right now, everything runs on &lt;strong&gt;one server&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;One EC2 instance. One point of failure. If it crashes at 12:30pm during the lunch rush — every order fails. Every user sees an error. Every minute costs real trust.&lt;/p&gt;

&lt;p&gt;And if a food blogger features Pixel &amp;amp; Spoon tomorrow and ten thousand users hit the app at once? One t3.micro will buckle.&lt;/p&gt;

&lt;p&gt;This isn't Aarav's problem to fix. It's an infrastructure problem. And it's exactly what Rohit is going to solve in Chapter 6 — persistent storage that survives crashes, AMIs to clone servers in minutes, and Auto Scaling to handle any traffic spike without anyone losing sleep.&lt;/p&gt;




&lt;h2&gt;
  
  
  🗺️ Where We Go From Here
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Ch 00&lt;/strong&gt; — ✅ The origin story&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 01&lt;/strong&gt; — ✅ The world before AWS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 02&lt;/strong&gt; — ✅ Virtualization &amp;amp; Cloud Models&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 03&lt;/strong&gt; — ✅ Welcome to AWS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 04&lt;/strong&gt; — ✅ IAM: The Gatekeeper of AWS&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Ch 04.1&lt;/strong&gt; — ✅ Creating IAM Users&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 04.2&lt;/strong&gt; — ✅ Creating IAM Groups&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 04.3&lt;/strong&gt; — ✅ Writing and Attaching IAM Policies&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 04.4&lt;/strong&gt; — ✅ Creating IAM Roles&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Ch 05&lt;/strong&gt; — ✅ EC2: Your First Server &lt;em&gt;(you are here)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 05.1&lt;/strong&gt; — All Four Ways to Connect to EC2&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 06&lt;/strong&gt; — EBS, AMI &amp;amp; Auto Scaling: The Complete Compute Picture&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 07&lt;/strong&gt; — AWS CLI: Stop Clicking, Start Typing&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 08&lt;/strong&gt; — S3: Store Anything, Forever&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 09&lt;/strong&gt; — Databases on AWS: RDS &amp;amp; DynamoDB&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 10&lt;/strong&gt; — Serverless: Lambda, SNS &amp;amp; SQS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 11&lt;/strong&gt; — Monitoring &amp;amp; Secrets: CloudWatch + Secrets Manager&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 12&lt;/strong&gt; — Networking: Route 53, CloudFront &amp;amp; VPC&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 13&lt;/strong&gt; — Infrastructure as Code: CloudFormation &amp;amp; Terraform&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 14&lt;/strong&gt; — Containers: ECS &amp;amp; EKS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 15&lt;/strong&gt; — Billing &amp;amp; Pricing: Never Get a Surprise Bill&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 16&lt;/strong&gt; — Capstone: Build a Full Stack App on AWS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 17&lt;/strong&gt; — AWS vs Azure vs GCP: An Honest Comparison&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 18&lt;/strong&gt; — What's Next: The AWS Certifications Roadmap&lt;/p&gt;




&lt;h3&gt;
  
  
  Before You Click Away.
&lt;/h3&gt;

&lt;p&gt;Pixel &amp;amp; Spoon's server is running. The code is live. The health check is green.&lt;/p&gt;

&lt;p&gt;But Rohit hasn't slept well since the launch.&lt;/p&gt;

&lt;p&gt;One server. No redundancy. No way to survive a surge.&lt;/p&gt;

&lt;p&gt;In Chapter 6, he fixes all of it.&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://dev.toLINK"&gt;Chapter 6: EBS, AMI &amp;amp; Auto Scaling → (Read it here)&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Resources I'm learning from:&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://roadmap.sh/aws" rel="noopener noreferrer"&gt;roadmap.sh/aws&lt;/a&gt; — my learning roadmap&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://docs.aws.amazon.com/whitepapers/latest/aws-overview/introduction.html" rel="noopener noreferrer"&gt;AWS Official Overview Whitepaper&lt;/a&gt; — straight from the source&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;




</description>
      <category>aws</category>
      <category>cloud</category>
      <category>ec2</category>
      <category>cloudcomputing</category>
    </item>
    <item>
      <title>Pixel &amp; Spoon Hands-On: Creating IAM Roles 🎫</title>
      <dc:creator>Soumya Ranjan 🎖️</dc:creator>
      <pubDate>Thu, 02 Jul 2026 14:51:42 +0000</pubDate>
      <link>https://dev.to/srsoumyax11/pixel-spoon-hands-on-creating-iam-roles-2a3m</link>
      <guid>https://dev.to/srsoumyax11/pixel-spoon-hands-on-creating-iam-roles-2a3m</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Chapter 4.4 — Hands-on companion to Chapter 4: IAM: The Gatekeeper of AWS. Users have logins. Groups have policies. But Karthik the auditor needs temporary access — and the CI/CD bot isn't even a human. Both need Roles.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  The Problem Users Can't Solve
&lt;/h2&gt;

&lt;p&gt;So far at Pixel &amp;amp; Spoon we have:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Permanent IAM users for Aarav, Meera, Rohit, and Subham&lt;/li&gt;
&lt;li&gt;Groups that manage their permissions cleanly&lt;/li&gt;
&lt;li&gt;Custom policies with only what each role needs&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;But two situations just came up that users and groups can't handle well.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Situation 1 — Karthik, the External Auditor&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Pixel &amp;amp; Spoon needs a compliance audit. Karthik is brought in for one week. He needs read-only access to review the AWS setup.&lt;/p&gt;

&lt;p&gt;You &lt;em&gt;could&lt;/em&gt; create an IAM user for him. But then what? After the audit, you have to remember to delete it. Miss that, and there's a dormant login sitting in your account indefinitely — a security risk with no benefit.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Situation 2 — The CI/CD Bot&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Pixel &amp;amp; Spoon's deployment pipeline automatically pushes new code to AWS every time Aarav commits an update. This process needs AWS access to do its job.&lt;/p&gt;

&lt;p&gt;But it's not a person. It can't log in with a username and password. Hardcoding AWS credentials into the deployment script is the worst possible option — if that script ever leaks, your entire account is exposed.&lt;/p&gt;

&lt;p&gt;Both situations need the same solution: &lt;strong&gt;IAM Roles&lt;/strong&gt;.&lt;/p&gt;




&lt;h2&gt;
  
  
  🎫 What Makes Roles Different
&lt;/h2&gt;

&lt;p&gt;Think back to Chapter 4's office building analogy.&lt;/p&gt;

&lt;p&gt;Users are permanent employees with ID badges that don't expire.&lt;/p&gt;

&lt;p&gt;Roles are &lt;strong&gt;visitor passes&lt;/strong&gt; — temporary credentials issued for a specific purpose, that expire automatically, and can be assumed by whoever needs them at that moment.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fl629gqbsfvx7hyeyyf9j.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fl629gqbsfvx7hyeyyf9j.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;👤 IAM User     →  Permanent identity, long-term credentials
                   Belongs to one specific person or system

🎫 IAM Role     →  Temporary identity, short-lived credentials
                   Can be assumed by users, services, or other accounts
                   Expires automatically — no cleanup needed
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;No hardcoded passwords. No forgotten logins. Clean, auditable, automatic.&lt;/p&gt;




&lt;h2&gt;
  
  
  🛠️ Part 1: Creating a Role for Karthik (Human Temporary Access)
&lt;/h2&gt;

&lt;p&gt;We'll create a role that Karthik can assume for half a day, giving him read-only access to review Pixel &amp;amp; Spoon's setup.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 1 — Open IAM → Roles&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Search &lt;code&gt;IAM&lt;/code&gt; in the console → left sidebar → &lt;strong&gt;Roles&lt;/strong&gt; → orange &lt;strong&gt;Create role&lt;/strong&gt; button.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F6qzi1r4xltuehcgy0rhs.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F6qzi1r4xltuehcgy0rhs.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 2 — Choose Trusted Entity Type&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You'll see four options for who can assume this role:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;○ AWS service
     An AWS service like EC2 or Lambda assumes the role automatically.
     Used when your own infrastructure needs to talk to other AWS services.
     Example: a server that uploads files to S3 without hardcoded passwords.

○ AWS account          ← Karthik's option
     A person or system from another AWS account assumes the role.
     Used for external collaborators, auditors, or cross-team access.
     Example: Karthik logging in from his own company's AWS account.

○ Web identity
     Users who sign in via Google, Facebook, Amazon Cognito, etc.
     Used for mobile or web apps where end users need temporary AWS access.
     Example: a user logs into your app with Google and gets access to their own S3 folder.

○ SAML 2.0 federation
     Employees who sign in via a company identity system (like Okta or Active Directory).
     Used by large organisations that already have their own login infrastructure.
     Example: all 500 employees at a company use their work email to access AWS — no separate IAM users needed.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Karthik is from an external company with their own AWS account. Select &lt;strong&gt;AWS account&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Enter &lt;strong&gt;"Another AWS account"&lt;/strong&gt; and type in Karthik's company AWS account ID.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;💡 If Karthik doesn't have an AWS account, choose "This account" instead and you'll let him switch into the role from a temporary IAM user you create. For now we'll assume he has his own account.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Tick &lt;strong&gt;"Require MFA"&lt;/strong&gt; — this means even after assuming the role, Karthik must have MFA active. Good practice for any external access.&lt;/p&gt;

&lt;p&gt;Click &lt;strong&gt;Next&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxua2uyvme9cxs1t4d5na.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxua2uyvme9cxs1t4d5na.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 3 — Attach a Permission Policy&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Search for and select:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ReadOnlyAccess
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This is an AWS-managed policy that gives read-only access across all AWS services — Karthik can look at everything but change nothing. Perfect for an audit.&lt;/p&gt;

&lt;p&gt;If You can not find it, Select &lt;code&gt;AWSManaged - job-function&lt;/code&gt; Filter and then search for &lt;code&gt;ReadOnlyAccess&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fopgtsl6lzyw1ivt7do8p.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fopgtsl6lzyw1ivt7do8p.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Click &lt;strong&gt;Next&lt;/strong&gt;.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 4 — Name the Role&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Role name:   PixelSpoon-Auditor-ReadOnly
Description: Temporary read-only access for external auditors.
             Requires MFA. Maximum session 12hours.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Click &lt;strong&gt;Create role&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fj8hcb3cd580nssal0l15.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fj8hcb3cd580nssal0l15.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 5 — Set the Maximum Session Duration&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Click into the role you just created → &lt;strong&gt;Edit&lt;/strong&gt; next to "Maximum session duration" → set it to &lt;strong&gt;12 hours&lt;/strong&gt; (the maximum AWS allows for role sessions).&lt;/p&gt;

&lt;p&gt;This means Karthik's assumed session automatically expires after 12 hours. No manual cleanup required.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fy5t7mqn9qtcnzkqvoiix.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fy5t7mqn9qtcnzkqvoiix.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 6 — Share the Role ARN with Karthik&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;On the role summary page, copy the &lt;strong&gt;Role ARN&lt;/strong&gt; — it looks like:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;arn:aws:iam::563960656008:role/PixelSpoon-Auditor-ReadOnly
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Send this to Karthik. He uses it to "switch roles" inside his own AWS console — his credentials stay his own, but he temporarily gains your role's permissions for the duration of the audit.&lt;/p&gt;

&lt;p&gt;When the time is over, his session expires. Nothing to delete. Nothing to forget.&lt;/p&gt;




&lt;h2&gt;
  
  
  🤖 Part 2: Creating a Service Role for the CI/CD Bot
&lt;/h2&gt;

&lt;p&gt;Now for the trickier one — the deployment bot.&lt;/p&gt;

&lt;p&gt;This isn't a human assuming a role. It's an &lt;strong&gt;AWS service&lt;/strong&gt; (in this case, we'll use EC2 as the example, since the bot runs on a server) that needs permission to deploy code to other AWS services.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 1 — Create Role → AWS Service&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;IAM → Roles → &lt;strong&gt;Create role&lt;/strong&gt; → select &lt;strong&gt;AWS service&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Under "Service or use case," select &lt;strong&gt;EC2&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;This tells AWS: "I want to create a role that an EC2 instance can assume."&lt;/p&gt;

&lt;p&gt;Click &lt;strong&gt;Next&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fhs4g81jcbxz7v3exdis8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fhs4g81jcbxz7v3exdis8.png" alt="Select Trusted Entity as AWS Service AWS Console Screenshot" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 2 — Attach the Right Policy&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The CI/CD bot needs to deploy code — which in Pixel &amp;amp; Spoon's case means pushing files to S3 and triggering deployments. Search for and attach:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;AmazonS3FullAccess
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For a real deployment pipeline you'd write a tighter custom policy (Least Privilege again), but for this walkthrough this gets us moving.&lt;/p&gt;

&lt;p&gt;Click &lt;strong&gt;Next&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxelwl84g630zlch68x20.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxelwl84g630zlch68x20.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;🤔 &lt;strong&gt;"Wait — why S3? Can't we just store the code directly on EC2?"&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Quick context before we answer — if these terms are new to you:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;EC2&lt;/strong&gt; is a virtual server on AWS — the machine that runs your code.&lt;br&gt;
Think of it as a computer in the cloud. We cover it fully in Chapter 5.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;S3&lt;/strong&gt; is AWS's storage service — like a hard drive in the cloud that&lt;br&gt;
exists independently of any server. We cover it fully in Chapter 8.&lt;/p&gt;

&lt;p&gt;Now — back to the question.&lt;/p&gt;

&lt;p&gt;Yes, you &lt;em&gt;can&lt;/em&gt; store deployment files directly on EC2. In simple&lt;br&gt;
setups, people do exactly that.&lt;/p&gt;

&lt;p&gt;But here's the problem:&lt;/p&gt;

&lt;p&gt;EC2 instances can be stopped, replaced, or terminated at any time —&lt;br&gt;
especially once we add Auto Scaling in Chapter 6. When that happens,&lt;br&gt;
everything stored locally on that instance is gone.&lt;/p&gt;

&lt;p&gt;S3 lives outside any single server. Your files sit there safely,&lt;br&gt;
and it doesn't matter how many EC2 instances come and go —&lt;br&gt;
the files are always available.&lt;/p&gt;

&lt;p&gt;Think of it like this:&lt;/p&gt;

&lt;p&gt;EC2 is the chef. S3 is the pantry.&lt;br&gt;
You don't store the ingredients inside the chef.&lt;/p&gt;

&lt;p&gt;We'll cover both properly in their own chapters — for now,&lt;br&gt;
just know this is exactly the kind of problem S3 was built to solve.&lt;/p&gt;
&lt;/blockquote&gt;




&lt;p&gt;&lt;strong&gt;Step 3 — Name the Role&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Role name:   PixelSpoon-CICD-DeployRole
Description: Service role for CI/CD deployment bot.
             Assumed by EC2. Allows S3 deploy access.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Click &lt;strong&gt;Create role&lt;/strong&gt;.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 4 — Attach the Role to Your EC2 Instance&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When you launch the EC2 instance that runs the deployment bot (we'll do this properly in Chapter 5), there's an option called &lt;strong&gt;IAM instance profile&lt;/strong&gt; — this is where you select &lt;code&gt;PixelSpoon-CICD-DeployRole&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;The instance then automatically receives temporary, rotating credentials for this role. No passwords. No access keys stored in code. AWS handles credential rotation completely.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🤖 CI/CD Bot (EC2 instance)
        │
        │  assumes role automatically
        ↓
🎫 PixelSpoon-CICD-DeployRole
        │
        │  grants permission to
        ↓
🪣 S3 Bucket  →  deploys files
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This is considered the gold standard for giving AWS services access to other AWS services. You'll see this pattern everywhere as the series progresses.&lt;/p&gt;




&lt;h2&gt;
  
  
  ✅ Where Pixel &amp;amp; Spoon Stands Now
&lt;/h2&gt;

&lt;p&gt;The IAM setup is complete. Here's the full picture:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🏢 Pixel &amp;amp; Spoon — AWS Account

🔒 Root account          →  Locked with MFA. Used for emergencies only.

👥 Developers Group      →  PixelSpoon-Developer-EC2 policy
        └── aarav-dev
        └── subham-dev

👥 Designers Group       →  AmazonS3FullAccess
        └── meera-design

👥 Admins Group          →  AdministratorAccess
        └── rohit-devops

👤 divya-intern          →  PixelSpoon-Intern-ReadOnly (direct attach, temp)

🎫 PixelSpoon-Auditor-ReadOnly    →  For Karthik, expires in 12 hours
🎫 PixelSpoon-CICD-DeployRole     →  For the deployment bot, assumed by EC2
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Every identity has exactly the access it needs. Nothing more.&lt;/p&gt;

&lt;p&gt;That's Least Privilege — applied end to end across a real team.&lt;/p&gt;




&lt;h2&gt;
  
  
  🗺️ Continue the Hands-On Series
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Ch 4.1&lt;/strong&gt; — ✅ Creating IAM Users&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 4.2&lt;/strong&gt; — ✅ Creating and Managing IAM Groups&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 4.3&lt;/strong&gt; — ✅ Writing and Attaching IAM Policies&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 4.4&lt;/strong&gt; — ✅ Creating IAM Roles: Human &amp;amp; Service &lt;em&gt;(you are here)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The IAM arc is complete. Pixel &amp;amp; Spoon's account is secured, organised, and ready to actually build something.&lt;/p&gt;

&lt;p&gt;Aarav has been waiting patiently. It's time to give him a server.&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://dev.toLINK"&gt;Chapter 5: EC2 — Your First Server in the Cloud → (Read it here)&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Resources I'm learning from:&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://roadmap.sh/aws" rel="noopener noreferrer"&gt;roadmap.sh/aws&lt;/a&gt; — my learning roadmap&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://docs.aws.amazon.com/whitepapers/latest/aws-overview/introduction.html" rel="noopener noreferrer"&gt;AWS Official Overview Whitepaper&lt;/a&gt; — straight from the source&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;




</description>
      <category>aws</category>
      <category>cloud</category>
      <category>iam</category>
      <category>role</category>
    </item>
    <item>
      <title>Pixel &amp; Spoon Hands-On: Writing and Attaching IAM Policies 📜</title>
      <dc:creator>Soumya Ranjan 🎖️</dc:creator>
      <pubDate>Thu, 02 Jul 2026 06:33:25 +0000</pubDate>
      <link>https://dev.to/srsoumyax11/pixel-spoon-hands-on-writing-and-attaching-iam-policies-2i62</link>
      <guid>https://dev.to/srsoumyax11/pixel-spoon-hands-on-writing-and-attaching-iam-policies-2i62</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Chapter 4.3 — Hands-on companion to Chapter 4: IAM: The Gatekeeper of AWS. Aarav has EC2 access — but do we really know what that means? Today we open the policy, read what's inside, and write a tighter one.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  The Policy We've Been Ignoring
&lt;/h2&gt;

&lt;p&gt;In Chapter 4.1, we attached &lt;code&gt;AmazonEC2FullAccess&lt;/code&gt; to Aarav.&lt;/p&gt;

&lt;p&gt;In Chapter 4.2, we moved that to the Developers group.&lt;/p&gt;

&lt;p&gt;But here's something we haven't done yet — actually looked at what &lt;code&gt;AmazonEC2FullAccess&lt;/code&gt; allows.&lt;/p&gt;

&lt;p&gt;Spoiler: it's a lot.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;AmazonEC2FullAccess&lt;/code&gt; lets Aarav start instances, stop instances, terminate instances, create snapshots, modify security groups, allocate elastic IPs — essentially everything you can do with EC2.&lt;/p&gt;

&lt;p&gt;Right now, Pixel &amp;amp; Spoon is a small startup. Aarav is trustworthy. It's fine.&lt;/p&gt;

&lt;p&gt;But what happens when the team grows? What if you hire a junior developer who should only be able to &lt;em&gt;view&lt;/em&gt; servers, not terminate them? Or a contractor who needs to start and stop instances, but never delete anything permanently?&lt;/p&gt;

&lt;p&gt;AWS-managed policies like &lt;code&gt;AmazonEC2FullAccess&lt;/code&gt; are broad by design — they cover everything in a service. &lt;strong&gt;Custom policies&lt;/strong&gt; let you grant exactly what someone needs, nothing more.&lt;/p&gt;

&lt;p&gt;That's what this chapter is about.&lt;/p&gt;




&lt;h2&gt;
  
  
  📜 What's Actually Inside a Policy?
&lt;/h2&gt;

&lt;p&gt;Before we write one, let's read one.&lt;/p&gt;

&lt;p&gt;In the AWS Console, search for &lt;code&gt;IAM&lt;/code&gt; → click &lt;strong&gt;Policies&lt;/strong&gt; in the left sidebar → search for &lt;code&gt;AmazonEC2FullAccess&lt;/code&gt; → click on it → click the &lt;strong&gt;JSON&lt;/strong&gt; tab.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fl7fhtyirma4xta8cgx1p.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fl7fhtyirma4xta8cgx1p.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;br&gt;
You'll see something like this (simplified):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"Version"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"2012-10-17"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"Statement"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"Effect"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"Allow"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"Action"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"ec2:*"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"Resource"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"*"&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Let's read this in plain English:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="s2"&gt;"Version"&lt;/span&gt;&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="err"&gt;→&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="err"&gt;The&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;policy&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;language&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;version.&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;Always&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"2012-10-17"&lt;/span&gt;&lt;span class="err"&gt;.&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;Don't&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;change&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;this.&lt;/span&gt;&lt;span class="w"&gt;

&lt;/span&gt;&lt;span class="s2"&gt;"Statement"&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="err"&gt;→&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="err"&gt;A&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;list&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;of&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;permission&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;rules.&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;One&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;policy&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;can&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;have&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;many&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;statements.&lt;/span&gt;&lt;span class="w"&gt;

&lt;/span&gt;&lt;span class="s2"&gt;"Effect"&lt;/span&gt;&lt;span class="w"&gt;     &lt;/span&gt;&lt;span class="err"&gt;→&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="s2"&gt;"Allow"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;or&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"Deny"&lt;/span&gt;&lt;span class="err"&gt;.&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;This&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;one&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;allows.&lt;/span&gt;&lt;span class="w"&gt;

&lt;/span&gt;&lt;span class="s2"&gt;"Action"&lt;/span&gt;&lt;span class="w"&gt;     &lt;/span&gt;&lt;span class="err"&gt;→&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="err"&gt;What&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;is&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;being&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;allowed.&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"ec2:*"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;means&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;every&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;EC&lt;/span&gt;&lt;span class="mi"&gt;2&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;action&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;—&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;all&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;of&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;them.&lt;/span&gt;&lt;span class="w"&gt;

&lt;/span&gt;&lt;span class="s2"&gt;"Resource"&lt;/span&gt;&lt;span class="w"&gt;   &lt;/span&gt;&lt;span class="err"&gt;→&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="err"&gt;Which&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;specific&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;resources.&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"*"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;means&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;all&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;resources,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;no&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;restrictions.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;So &lt;code&gt;AmazonEC2FullAccess&lt;/code&gt; in plain English says:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;"Allow everything EC2 can do, on every resource, with no conditions."&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;That's powerful. Too powerful for a junior developer.&lt;/p&gt;




&lt;h2&gt;
  
  
  🛠️ Step-by-Step: Creating a Custom Policy
&lt;/h2&gt;

&lt;p&gt;Let's create a policy called &lt;code&gt;PixelSpoon-Developer-EC2&lt;/code&gt; that gives Aarav only what he actually needs day-to-day:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;View all instances ✅&lt;/li&gt;
&lt;li&gt;Start and stop instances ✅&lt;/li&gt;
&lt;li&gt;Connect to instances ✅&lt;/li&gt;
&lt;li&gt;Terminate instances ❌ (too destructive — requires deliberate action)&lt;/li&gt;
&lt;li&gt;Modify security groups ❌ (that's Rohit's job)&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;strong&gt;Step 1 — Open IAM → Policies&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Search &lt;code&gt;IAM&lt;/code&gt; in the console → left sidebar → &lt;strong&gt;Policies&lt;/strong&gt; → orange &lt;strong&gt;Create policy&lt;/strong&gt; button.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fh43yepwjtqeo3jg9vp4u.png" alt="alt text" width="800" height="450"&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Step 2 — Switch to the JSON Editor&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;At the top of the policy editor, click the &lt;strong&gt;JSON&lt;/strong&gt; tab.&lt;/p&gt;

&lt;p&gt;Clear what's there and paste in this custom policy:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"Version"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"2012-10-17"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"Statement"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"Effect"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"Allow"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"Action"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="s2"&gt;"ec2:Describe*"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="s2"&gt;"ec2:StartInstances"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="s2"&gt;"ec2:StopInstances"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="s2"&gt;"ec2:GetConsoleOutput"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="s2"&gt;"ec2-instance-connect:SendSSHPublicKey"&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"Resource"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"*"&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;What each action does:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ec2:Describe*                        →  View/list any EC2 resource (instances, AMIs, etc.)
ec2:StartInstances                   →  Power on a stopped instance
ec2:StopInstances                    →  Power off a running instance
ec2:GetConsoleOutput                 →  Read the instance's console log for debugging
ec2-instance-connect:SendSSHPublicKey →  Connect via browser-based EC2 Instance Connect
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;blockquote&gt;
&lt;p&gt;💡 Notice &lt;code&gt;ec2-instance-connect&lt;/code&gt; is a &lt;strong&gt;separate service prefix&lt;/strong&gt; from &lt;code&gt;ec2&lt;/code&gt; — it's easy to assume it lives under &lt;code&gt;ec2:&lt;/code&gt; but AWS treats Instance Connect as its own service in IAM. This is a common mistake that causes "access denied" errors even when EC2 permissions look correct.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Notice what's &lt;strong&gt;not&lt;/strong&gt; in the list — &lt;code&gt;ec2:TerminateInstances&lt;/code&gt;, &lt;code&gt;ec2:AuthorizeSecurityGroupIngress&lt;/code&gt;, &lt;code&gt;ec2:DeleteSnapshot&lt;/code&gt;. Aarav simply can't do those things, even accidentally.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fuywmk0t2hidlagks0ed9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fuywmk0t2hidlagks0ed9.png" alt="AWS IAM create policy JSON editor console screenshot" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Click &lt;strong&gt;Next&lt;/strong&gt;.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 3 — Name and Describe the Policy&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Policy name:   PixelSpoon-Developer-EC2
Description:   EC2 access for Pixel and Spoon developers. View, start, stop, and connect only. No termination or security group modifications.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A good description matters — six months from now, you or someone else will look at this policy and need to understand what it does without decoding the JSON.&lt;/p&gt;

&lt;p&gt;Click &lt;strong&gt;Create policy&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fi40r4kwqfwtm2nqtimox.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fi40r4kwqfwtm2nqtimox.png" alt="AWS IAM policy review create name screenshot" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🔁 Attach the New Policy to the Developers Group
&lt;/h2&gt;

&lt;p&gt;Now let's swap out &lt;code&gt;AmazonEC2FullAccess&lt;/code&gt; from the Developers group and replace it with our tighter custom policy.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1&lt;/strong&gt; — Go to IAM → &lt;strong&gt;User groups&lt;/strong&gt; → click &lt;strong&gt;Developers&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 2&lt;/strong&gt; — Click the &lt;strong&gt;Permissions&lt;/strong&gt; tab → click on the check box next to &lt;code&gt;AmazonEC2FullAccess&lt;/code&gt; and click &lt;code&gt;Remove&lt;/code&gt; to remove it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fx1gc44pahzqcaha2ocw6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fx1gc44pahzqcaha2ocw6.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 3&lt;/strong&gt; — Click &lt;strong&gt;Add permissions&lt;/strong&gt; → &lt;strong&gt;Attach policies&lt;/strong&gt; → search for &lt;code&gt;PixelSpoon-Developer-EC2&lt;/code&gt; → tick it → click &lt;strong&gt;Attach policies&lt;/strong&gt;.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Or you can filter by type &lt;strong&gt;Customer managed&lt;/strong&gt; policies to find it faster.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fgrl4apf1rukz0n6fu7za.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fgrl4apf1rukz0n6fu7za.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Done. Aarav now has exactly what he needs — and nothing that could cause an incident at 2am.&lt;/p&gt;




&lt;h2&gt;
  
  
  🧠 AWS Managed vs Customer Managed — When to Use Which
&lt;/h2&gt;

&lt;p&gt;Now that you've written one custom policy, here's a simple rule of thumb:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;AWS Managed Policies
     ✅ Great for getting started quickly
     ✅ Maintained and updated by AWS
     ❌ Often broader than you actually need
     Use for: prototypes, personal learning, non-critical access

Customer Managed Policies
     ✅ Exactly the permissions you define
     ✅ Reusable across users, groups, and roles
     ✅ Auditable — you know exactly what's allowed
     ❌ Takes more time to write and maintain
     Use for: real teams, production environments, sensitive roles
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;At Pixel &amp;amp; Spoon, we'll keep &lt;code&gt;AdministratorAccess&lt;/code&gt; on Rohit's Admins group for now — he's the only one in it and he genuinely needs broad access. But as the company grows, even that will get tightened.&lt;/p&gt;




&lt;h2&gt;
  
  
  🛠️ Try It Yourself
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🛠️ Task: Write a read-only policy for Divya

Pixel &amp;amp; Spoon just brought on Divya as a data analytics intern.
She needs to VIEW EC2 instances and S3 buckets — but touch nothing.

Goal: Create a custom policy called PixelSpoon-Intern-ReadOnly
that allows only Describe/List/Get actions on EC2 and S3.

Hints:
- ec2:Describe* covers all EC2 viewing actions
- s3:GetObject, s3:ListBucket cover S3 read access
- Effect should be "Allow" on both
- Resource: "*" is fine for now

Then create an IAM user "divya-intern" and attach this policy directly
- remember to ad MFA
(she's temporary, so no group needed).
This is where IAM Role would be better, but we'll cover that in the next chapter.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;/p&gt;
  Click to reveal the answer
  &lt;br&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"Version"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"2012-10-17"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"Statement"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
            &lt;/span&gt;&lt;span class="nl"&gt;"Sid"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"VisualEditor0"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
            &lt;/span&gt;&lt;span class="nl"&gt;"Effect"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"Allow"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
            &lt;/span&gt;&lt;span class="nl"&gt;"Action"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="w"&gt;
                &lt;/span&gt;&lt;span class="s2"&gt;"s3:GetObject"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
                &lt;/span&gt;&lt;span class="s2"&gt;"ec2:Describe*"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
                &lt;/span&gt;&lt;span class="s2"&gt;"s3:ListBucket"&lt;/span&gt;&lt;span class="w"&gt;
            &lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;&lt;span class="w"&gt;
            &lt;/span&gt;&lt;span class="nl"&gt;"Resource"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"*"&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;




&lt;p&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ffahp0okaqd9ni1q9iilp.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ffahp0okaqd9ni1q9iilp.png" alt="New IAM User list should look like this" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🗺️ Continue the Hands-On Series
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Ch 4.1&lt;/strong&gt; — ✅ Creating IAM Users&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 4.2&lt;/strong&gt; — ✅ Creating and Managing IAM Groups&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 4.3&lt;/strong&gt; — ✅ Writing and Attaching IAM Policies &lt;em&gt;(you are here)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 4.4&lt;/strong&gt; — Creating IAM Roles: Human &amp;amp; Service&lt;/p&gt;

&lt;p&gt;Next up — Karthik the auditor needs temporary access to Pixel &amp;amp; Spoon's AWS account. And the CI/CD bot needs to deploy code automatically without a human logging in. Both of these need Roles — not users, not groups.&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://dev.toLINK"&gt;Chapter 4.4: Creating IAM Roles → (Read it here)&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Resources I'm learning from:&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://roadmap.sh/aws" rel="noopener noreferrer"&gt;roadmap.sh/aws&lt;/a&gt; — my learning roadmap&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://docs.aws.amazon.com/whitepapers/latest/aws-overview/introduction.html" rel="noopener noreferrer"&gt;AWS Official Overview Whitepaper&lt;/a&gt; — straight from the source&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;




</description>
      <category>aws</category>
      <category>cloud</category>
      <category>iam</category>
      <category>handson</category>
    </item>
    <item>
      <title>Pixel &amp; Spoon Hands-On: Creating and Managing IAM Groups 👥</title>
      <dc:creator>Soumya Ranjan 🎖️</dc:creator>
      <pubDate>Thu, 02 Jul 2026 04:01:41 +0000</pubDate>
      <link>https://dev.to/srsoumyax11/pixel-spoon-hands-on-creating-and-managing-iam-groups-3179</link>
      <guid>https://dev.to/srsoumyax11/pixel-spoon-hands-on-creating-and-managing-iam-groups-3179</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Chapter 4.2 — Hands-on companion to Chapter 4: IAM: The Gatekeeper of AWS. In the last post, we gave Aarav, Meera, and Rohit their own IAM users. Today we fix the messy part — permissions managed properly through groups.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  Where We Left Off
&lt;/h2&gt;

&lt;p&gt;In Chapter 4.1, we created three IAM users for Pixel &amp;amp; Spoon's team:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;aarav-dev&lt;/code&gt; — backend developer&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;meera-design&lt;/code&gt; — UI designer&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;rohit-devops&lt;/code&gt; — DevOps engineer&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We attached policies directly to each user — which worked, but it's not how real teams manage access.&lt;/p&gt;

&lt;p&gt;Here's why that approach breaks quickly.&lt;/p&gt;

&lt;p&gt;Next month, Pixel &amp;amp; Spoon hires a second backend developer. You'd have to remember exactly which policies Aarav has, then manually replicate them on the new hire. Then again for the third. Then again when you decide all developers need an extra permission — and now you have to update every single developer's user one by one.&lt;/p&gt;

&lt;p&gt;That's not scalable. That's not even fun.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;IAM Groups&lt;/strong&gt; fix this completely.&lt;/p&gt;




&lt;h2&gt;
  
  
  🗂️ The Idea in One Sentence
&lt;/h2&gt;

&lt;p&gt;Instead of managing permissions per person — manage them per role.&lt;/p&gt;

&lt;p&gt;Create a &lt;strong&gt;Developers&lt;/strong&gt; group. Attach the right policies to it. Add Aarav to it. Done. When the second developer joins, just add them to the same group — they instantly have identical access, zero extra config.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;❌ Without Groups

   aarav-dev       →   EC2FullAccess (manually attached)
   new-developer   →   EC2FullAccess (manually remembered and attached)
   another-dev     →   EC2FullAccess (manually attached again...)

✅ With Groups

   Developers Group  →  EC2FullAccess (attached once)
        │
        ├── aarav-dev         (inherits automatically)
        ├── new-developer     (inherits automatically)
        └── another-dev       (inherits automatically)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;One policy. One place to update. Everyone in the group stays in sync.&lt;/p&gt;




&lt;h2&gt;
  
  
  🛠️ Step-by-Step: Creating the Developers Group
&lt;/h2&gt;

&lt;p&gt;We'll create three groups for Pixel &amp;amp; Spoon — Developers, Designers, and Admins. Let's do Developers first and walk through it fully.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 1 — Open IAM&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In the AWS Console search bar, type &lt;code&gt;IAM&lt;/code&gt; and open the IAM Dashboard.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 2 — Go to User Groups&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;On the left sidebar, click &lt;strong&gt;User groups&lt;/strong&gt; — not "Users." It's just below it.&lt;/p&gt;

&lt;p&gt;Click the orange &lt;strong&gt;Create group&lt;/strong&gt; button.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F5oylhydfar4s0zo9hi7f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F5oylhydfar4s0zo9hi7f.png" alt="IAM User Group" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 3 — Name the Group&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;For the group name, use:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Developers
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Keep names simple, role-based, and capitalised for clarity. You'll thank yourself when you have 10 groups and need to scan through them quickly.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 4 — Add Users to the Group&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Scroll down to the &lt;strong&gt;"Add users to the group"&lt;/strong&gt; section. You'll see a list of your existing IAM users.&lt;/p&gt;

&lt;p&gt;Tick the checkbox next to &lt;strong&gt;aarav-dev&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;That's it for now — we'll add future developers here too when they join.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F5800u7f3ibewhta21kb6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F5800u7f3ibewhta21kb6.png" alt=" " width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 5 — Attach a Permission Policy&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Scroll further down to &lt;strong&gt;"Attach permissions policies"&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Search for:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;AmazonEC2FullAccess
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Tick it. This gives every member of the Developers group full access to EC2 — exactly what Aarav needs to build Pixel &amp;amp; Spoon's ordering backend.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;💡 We're using &lt;code&gt;AmazonEC2FullAccess&lt;/code&gt; for now because it's a clean AWS-managed policy that matches what Aarav's role requires at this stage. In Chapter 4.3, we'll look at writing tighter, custom policies when the default ones are too broad.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Click &lt;strong&gt;Create group&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fg7bgq9hgk4bxwvmvzqtx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fg7bgq9hgk4bxwvmvzqtx.png" alt="AWS IAM create group attach policy console screenshot" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🔁 Now Create the Other Two Groups
&lt;/h2&gt;

&lt;p&gt;The process is identical — just different names, users, and policies.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Designers Group&lt;/strong&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Field&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Group name&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Designers&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Add user&lt;/td&gt;
&lt;td&gt;&lt;code&gt;meera-design&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Attach policy&lt;/td&gt;
&lt;td&gt;&lt;code&gt;AmazonS3FullAccess&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Meera needs S3 access to upload Pixel &amp;amp; Spoon's website assets, images, and frontend files. Nothing else.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Admins Group&lt;/strong&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Field&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Group name&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Admins&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Add user&lt;/td&gt;
&lt;td&gt;&lt;code&gt;rohit-devops&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Attach policy&lt;/td&gt;
&lt;td&gt;&lt;code&gt;AdministratorAccess&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Rohit is DevOps — he needs broad infrastructure access to keep everything running. &lt;code&gt;AdministratorAccess&lt;/code&gt; is the most powerful AWS-managed policy. Treat group membership carefully here — only people who genuinely need full access belong in Admins.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F75gkw0gpn1960f657107.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F75gkw0gpn1960f657107.png" alt="AWS IAM user groups list page screenshot" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🧹 Clean Up: Remove the Old Direct Policies
&lt;/h2&gt;

&lt;p&gt;Remember in Chapter 4.1 we attached policies directly to each user as a temporary workaround?&lt;/p&gt;

&lt;p&gt;Now that groups exist, those direct attachments are redundant — and having both can cause confusion later. Let's remove them.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1&lt;/strong&gt; — In IAM, go to &lt;strong&gt;Users&lt;/strong&gt; → click &lt;code&gt;aarav-dev&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 2&lt;/strong&gt; — Click the &lt;strong&gt;Permissions&lt;/strong&gt; tab. You'll see both the directly attached &lt;code&gt;AmazonEC2FullAccess&lt;/code&gt; policy and the group-inherited one.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 3&lt;/strong&gt; — Click the &lt;strong&gt;X&lt;/strong&gt; next to the directly attached policy to remove it.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;If you donnt see the [x] button next to the directly attached, Remove the &lt;code&gt;AmazonEC2FullAccess&lt;/code&gt; completly and then add the user again to the Developers Group. &lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Aarav still has EC2 access — now cleanly inherited from the Developers group, not attached twice.&lt;/p&gt;

&lt;p&gt;Repeat for &lt;code&gt;meera-design&lt;/code&gt; (remove direct S3 policy) and &lt;code&gt;rohit-devops&lt;/code&gt; (remove direct AdministratorAccess).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fmsslwfwz2lhz6vi2qjum.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fmsslwfwz2lhz6vi2qjum.png" alt="AWS IAM user permissions tab remove policy screenshot" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  ✅ What Pixel &amp;amp; Spoon Looks Like Now
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🏢 Pixel &amp;amp; Spoon — AWS Account

👥 Developers Group   →  AmazonEC2FullAccess
        └── aarav-dev

👥 Designers Group    →  AmazonS3FullAccess
        └── meera-design

👥 Admins Group       →  AdministratorAccess
        └── rohit-devops

🔒 Root account       →  Locked away with MFA
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Clean. Organised. Scalable.&lt;/p&gt;

&lt;p&gt;When Pixel &amp;amp; Spoon hires its next backend developer, you open the Developers group, add their user, and walk away. They have exactly the right access in under 30 seconds.&lt;/p&gt;

&lt;p&gt;When you need all developers to also access Lambda (which we'll need later in the series), you add the Lambda policy to the Developers group once — and every developer gets it instantly.&lt;/p&gt;

&lt;p&gt;That's the power of managing permissions through groups.&lt;/p&gt;

&lt;blockquote&gt;
&lt;h3&gt;
  
  
  🛠️ Try It Yourself: Create a new user and add them to a group
&lt;/h3&gt;
&lt;/blockquote&gt;

&lt;p&gt;Task: Pixel &amp;amp; Spoon just hired a second backend developer — Subham.&lt;br&gt;
Goal: Create his IAM user and add him to the Developers group.&lt;/p&gt;

&lt;p&gt;Steps:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;Go to IAM → Users → Create user&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Username: subham-dev&lt;/li&gt;
&lt;li&gt;Enable console access&lt;/li&gt;
&lt;li&gt;Custom password + force reset on first login&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;p&gt;On the permissions screen → Add user to group → select "Developers"&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Click Create user and save his sign-in details&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;✅ Done! Subham now has EC2 access automatically — no extra policy needed.&lt;/p&gt;




&lt;h2&gt;
  
  
  🗺️ Continue the Hands-On Series
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;4.1&lt;/strong&gt; — ✅ Creating IAM Users&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4.2&lt;/strong&gt; — ✅ Creating and Managing IAM Groups &lt;em&gt;(you are here)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4.3&lt;/strong&gt; — Writing and Attaching IAM Policies&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4.4&lt;/strong&gt; — Creating IAM Roles: Human &amp;amp; Service&lt;/p&gt;

&lt;p&gt;Next up — the policies we've been attaching are all AWS-managed defaults. In Chapter 4.3, we look under the hood at what those policies actually say, and write a simple custom one that gives Aarav exactly what he needs — and nothing more.&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://dev.toLINK"&gt;Chapter 4.3: Writing and Attaching IAM Policies → (Read it here)&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Resources I'm learning from:&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://roadmap.sh/aws" rel="noopener noreferrer"&gt;roadmap.sh/aws&lt;/a&gt; — my learning roadmap&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://docs.aws.amazon.com/whitepapers/latest/aws-overview/introduction.html" rel="noopener noreferrer"&gt;AWS Official Overview Whitepaper&lt;/a&gt; — straight from the source&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;




</description>
      <category>aws</category>
      <category>cloud</category>
      <category>iam</category>
      <category>handson</category>
    </item>
    <item>
      <title>Pixel &amp; Spoon Hands-On: Creating Your First IAM User 👤</title>
      <dc:creator>Soumya Ranjan 🎖️</dc:creator>
      <pubDate>Thu, 02 Jul 2026 02:39:11 +0000</pubDate>
      <link>https://dev.to/srsoumyax11/pixel-spoon-hands-on-creating-your-first-iam-user-2lg3</link>
      <guid>https://dev.to/srsoumyax11/pixel-spoon-hands-on-creating-your-first-iam-user-2lg3</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;A hands-on companion to Chapter 4 — IAM: The Gatekeeper of AWS. Today, we create Aarav's login so he can finally get to work.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  Quick Recap
&lt;/h2&gt;

&lt;p&gt;In Chapter 4, we talked about why Pixel &amp;amp; Spoon can't hand out the root password to every team member.&lt;/p&gt;

&lt;p&gt;Aarav, our backend developer, needs his own identity inside AWS — his own login, his own permissions, his own activity trail.&lt;/p&gt;

&lt;p&gt;That's an &lt;strong&gt;IAM user&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Let's create his.&lt;/p&gt;




&lt;h2&gt;
  
  
  ⚠️ Before You Start
&lt;/h2&gt;

&lt;p&gt;Log in to AWS using your &lt;strong&gt;root account&lt;/strong&gt; for this one time only. Creating users is exactly the kind of task root should still handle, until you've created an admin IAM user for yourself later in this series.&lt;/p&gt;




&lt;h2&gt;
  
  
  🛠️ Step-by-Step: Creating Aarav's IAM User
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Step 1 — Open IAM&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In the AWS Console search bar at the top, type &lt;code&gt;IAM&lt;/code&gt; and click on it. This opens the IAM Dashboard.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fv3yanix4sy9ie9yq1ldf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fv3yanix4sy9ie9yq1ldf.png" alt="Dashboard With Iam search" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 2 — Go to Users&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;On the left-hand sidebar, click &lt;strong&gt;IAM Users&lt;/strong&gt;.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fh1332qvfrtaaqltqndim.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fh1332qvfrtaaqltqndim.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Click the orange &lt;strong&gt;Create user&lt;/strong&gt; button in the top right.&lt;/p&gt;
&lt;h2&gt;
  
  
  &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fcet195174zvunsp6i9x3.png" alt="Create User" width="800" height="450"&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Step 3 — Enter User Details&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;For the username, use something clear and consistent. For Aarav, we'll use:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;aarav-dev
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A good convention is &lt;code&gt;firstname-role&lt;/code&gt; or &lt;code&gt;firstname.lastname&lt;/code&gt; — pick one and stick with it across your whole team, it'll make managing users much easier later.&lt;/p&gt;

&lt;p&gt;Check the box for &lt;strong&gt;"Provide user access to the AWS Management Console"&lt;/strong&gt; — Aarav needs to log in and use the console himself.&lt;/p&gt;

&lt;p&gt;You'll then be asked how he should sign in. Choose &lt;strong&gt;"I want to create an IAM user"&lt;/strong&gt;, then select &lt;strong&gt;"Custom password"&lt;/strong&gt; and set a temporary one. Tick &lt;strong&gt;"User must create a new password at next sign-in"&lt;/strong&gt; — this way, Aarav sets his own password the first time he logs in, and you never actually know his real one.&lt;/p&gt;

&lt;p&gt;Click &lt;strong&gt;Next&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fkz6dyefvxxzx7wxwll8q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fkz6dyefvxxzx7wxwll8q.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 4 — Set Permissions&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This is the important part.&lt;/p&gt;

&lt;p&gt;You'll see three options:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;○ Add user to group        ← Recommended (we'll set this up in Ch 4.2)
○ Copy permissions          ← Copies from an existing user
○ Attach policies directly  ← Manual, one-off permissions
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Since we haven't created the Developers group yet (that's the very next post in this series), for now select &lt;strong&gt;"Attach policies directly"&lt;/strong&gt; and search for:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;AmazonEC2FullAccess
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This gives Aarav exactly what he needs right now — the ability to launch and manage EC2 instances. Nothing more.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fcur36v3set36phmgwyzn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fcur36v3set36phmgwyzn.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;💡 In Chapter 4.2, we'll create a proper "Developers" group and move Aarav into it instead — so you're not managing his permissions individually forever. This step is just to get him working today.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Click &lt;strong&gt;Next&lt;/strong&gt;.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 5 — Review and Create&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You'll see a summary: username, console access enabled, and the policy attached.&lt;/p&gt;

&lt;p&gt;Double check everything looks right, then click &lt;strong&gt;Create user&lt;/strong&gt;.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Step 6 — Save His Sign-In Details&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;AWS will now show you a success screen with:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The console sign-in URL&lt;/li&gt;
&lt;li&gt;Aarav's username&lt;/li&gt;
&lt;li&gt;His temporary password&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;This password is shown only once.&lt;/strong&gt; Download the &lt;code&gt;.csv&lt;/code&gt; file or copy these details immediately and share them with Aarav through a secure channel — never over email or chat in plain text.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqjbj88klwhqv5a3c1rtf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqjbj88klwhqv5a3c1rtf.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🔗 Sign-in URL:  https://[your-account-id].signin.aws.amazon.com/console
👤 Username:     aarav-dev
🔑 Temp Password: [shown once — save it now]
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  ✅ What Just Happened
&lt;/h2&gt;

&lt;p&gt;Aarav now has his own identity inside Pixel &amp;amp; Spoon's AWS account.&lt;/p&gt;

&lt;p&gt;He can log in independently, using his own credentials. He has exactly the permission he needs — EC2 access — and nothing else. His actions inside AWS are now tracked under his own name, not the root account.&lt;/p&gt;

&lt;p&gt;Repeat this exact process for Meera and Rohit — just give them appropriate temporary policies for now (we'll clean this up properly with groups next):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Meera&lt;/strong&gt; → username &lt;code&gt;meera-design&lt;/code&gt; → attach &lt;code&gt;AmazonS3FullAccess&lt;/code&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fiqnt6tmx93s9c40arbm8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fiqnt6tmx93s9c40arbm8.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Rohit&lt;/strong&gt; → username &lt;code&gt;rohit-devops&lt;/code&gt; → attach &lt;code&gt;AdministratorAccess&lt;/code&gt; (he's DevOps, he needs broad access)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqlnv6dscselmpihc4f9e.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqlnv6dscselmpihc4f9e.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🔒 One More Thing — Enable MFA for Every User
&lt;/h2&gt;

&lt;p&gt;Just like we did for the root account in Chapter 4, every IAM user with real access should have MFA enabled too.&lt;/p&gt;

&lt;p&gt;Click on the user → &lt;strong&gt;Security credentials&lt;/strong&gt; tab → &lt;strong&gt;Assign MFA device&lt;/strong&gt;, and follow the same authenticator app process from Chapter 4.&lt;/p&gt;

&lt;p&gt;Do this for Aarav, Meera, and Rohit now. Five minutes per person, and it closes one of the biggest security gaps a growing team can have.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fajoya3ynqzulcity547c.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fajoya3ynqzulcity547c.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🗺️ Continue the Hands-On Series
&lt;/h2&gt;

&lt;p&gt;This is the first of four hands-on companion posts for Chapter 4:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4.1&lt;/strong&gt; — ✅ Creating IAM Users &lt;em&gt;(you are here)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4.2&lt;/strong&gt; — Creating and Managing IAM Groups&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4.3&lt;/strong&gt; — Writing and Attaching IAM Policies&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4.4&lt;/strong&gt; — Creating IAM Roles (Human &amp;amp; Service)&lt;/p&gt;

&lt;p&gt;Next up — we fix that "attach policies directly" workaround properly by creating real Groups for Pixel &amp;amp; Spoon's team.&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://dev.toLINK"&gt;Chapter 4.2: Creating and Managing IAM Groups → (Read it here)&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Resources I'm learning from:&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://roadmap.sh/aws" rel="noopener noreferrer"&gt;roadmap.sh/aws&lt;/a&gt; — my learning roadmap&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://docs.aws.amazon.com/whitepapers/latest/aws-overview/introduction.html" rel="noopener noreferrer"&gt;AWS Official Overview Whitepaper&lt;/a&gt; — straight from the source&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;




</description>
      <category>aws</category>
      <category>cloud</category>
      <category>tutorial</category>
      <category>beginners</category>
    </item>
    <item>
      <title>IAM: The Gatekeeper of AWS 🔐</title>
      <dc:creator>Soumya Ranjan 🎖️</dc:creator>
      <pubDate>Wed, 01 Jul 2026 07:09:58 +0000</pubDate>
      <link>https://dev.to/srsoumyax11/iam-the-gatekeeper-of-aws-111b</link>
      <guid>https://dev.to/srsoumyax11/iam-the-gatekeeper-of-aws-111b</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Chapter 4 of the AWS Learning Journey. Meet Pixel &amp;amp; Spoon — the startup we'll be building alongside for the rest of this series. Today, we secure their AWS account before anything else gets built.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  Meet Pixel &amp;amp; Spoon 🍱
&lt;/h2&gt;

&lt;p&gt;Remember the food app idea from Chapter 0?&lt;/p&gt;

&lt;p&gt;Let's actually build it.&lt;/p&gt;

&lt;p&gt;Say hello to &lt;strong&gt;Pixel &amp;amp; Spoon&lt;/strong&gt; — a small food-delivery startup. Order home-cooked meals from local cooks, delivered to your door. You're the founder.&lt;/p&gt;

&lt;p&gt;It's early days. Right now it's just you and your AWS account, fresh out of Chapter 3, fully set up, billing alert active.&lt;/p&gt;

&lt;p&gt;But you're about to hire your first team.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Aarav&lt;/strong&gt; joins as your backend developer — he'll build the ordering system.&lt;br&gt;
&lt;strong&gt;Meera&lt;/strong&gt; joins as your UI designer — she'll build the website people see.&lt;br&gt;
&lt;strong&gt;Rohit&lt;/strong&gt; joins as your DevOps engineer — he'll keep the servers running.&lt;/p&gt;

&lt;p&gt;It's day one. Everyone needs access to AWS to do their jobs.&lt;/p&gt;

&lt;p&gt;So... what do you do?&lt;/p&gt;

&lt;p&gt;Hand them your root account password?&lt;/p&gt;

&lt;p&gt;Let's talk about why that would be a terrible idea.&lt;/p&gt;


&lt;h2&gt;
  
  
  🗝️ The Master Key Problem
&lt;/h2&gt;

&lt;p&gt;Your root account — the one you created in Chapter 3 — isn't just powerful. It's &lt;strong&gt;all-powerful&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;It can launch servers. Delete servers. Change billing. Close the entire AWS account. Access every single service, every single resource, with zero restrictions.&lt;/p&gt;

&lt;p&gt;Now imagine giving that same password to Aarav, Meera, and Rohit.&lt;/p&gt;

&lt;p&gt;Aarav only needs to write code and launch servers. But now he can also delete your billing information.&lt;/p&gt;

&lt;p&gt;Meera only needs to upload images. But now she can also shut down the database.&lt;/p&gt;

&lt;p&gt;If any one of their laptops gets compromised, or any one of them accidentally clicks the wrong button — your entire company's infrastructure is at risk.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🗝️  Root Account = Master Key

   Opens: Every door. Every room. The vault. The server room.
          The CEO's office. Everything.

   Given to: Everyone on the team, "just to be safe"

   Result: One mistake, one stolen laptop, one phishing email —
            and the entire building is compromised
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This is exactly why companies don't run on root accounts.&lt;/p&gt;

&lt;p&gt;This is exactly why &lt;strong&gt;IAM&lt;/strong&gt; exists.&lt;/p&gt;




&lt;h2&gt;
  
  
  🛡️ What Is IAM?
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;IAM&lt;/strong&gt; stands for &lt;strong&gt;Identity and Access Management&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Think of it as the security desk at Pixel &amp;amp; Spoon's office building.&lt;/p&gt;

&lt;p&gt;Nobody walks straight into the server room. Everyone checks in at the front desk first. They get an ID badge. That badge only opens the doors they're actually supposed to access.&lt;/p&gt;

&lt;p&gt;The marketing intern's badge doesn't open the server room.&lt;br&gt;
The developer's badge doesn't open the finance office.&lt;br&gt;
The cleaning staff's badge works after hours, but only for common areas.&lt;/p&gt;

&lt;p&gt;That's IAM, in one sentence: &lt;strong&gt;it controls who can do what inside your AWS account.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fu207bhyhmdxd9d3b2dtz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fu207bhyhmdxd9d3b2dtz.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Instead of handing out the master key, you create separate identities — one for each person — with only the access they actually need to do their job.&lt;/p&gt;


&lt;h2&gt;
  
  
  👤 IAM Users — Giving Everyone Their Own Badge
&lt;/h2&gt;

&lt;p&gt;The first thing you do as Pixel &amp;amp; Spoon's founder is create &lt;strong&gt;IAM users&lt;/strong&gt; for your team.&lt;/p&gt;

&lt;p&gt;An IAM user is an identity inside your AWS account — their own username, their own password, their own access keys if they need programmatic access.&lt;/p&gt;

&lt;p&gt;You create one for Aarav. One for Meera. One for Rohit.&lt;/p&gt;

&lt;p&gt;Each one logs in separately. Each one's actions are tracked separately. If something goes wrong, you know exactly whose badge was used.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🏢  Pixel &amp;amp; Spoon's AWS Account

     👤 Aarav    →  IAM user "aarav-dev"
     👤 Meera    →  IAM user "meera-design"
     👤 Rohit    →  IAM user "rohit-devops"

     🔒 Root account →  Locked away, used only in emergencies
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This alone is a massive security improvement. But we're not done — because creating three separate users with three separate sets of permissions, one by one, doesn't scale. What happens when Pixel &amp;amp; Spoon hires a second developer next month?&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;a href="https://dev.to/srsoumyax11/pixel-spoon-hands-on-creating-your-first-iam-user-2lg3"&gt;🛠️ Hands-on: Ready to actually create Aarav's, Meera's, and Rohit's IAM users? Follow along in Chapter 4.1 — Creating Your First IAM Users (Step by Step)&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  👥 IAM Groups — Badges That Come in Batches
&lt;/h2&gt;

&lt;p&gt;This is where &lt;strong&gt;Groups&lt;/strong&gt; come in.&lt;/p&gt;

&lt;p&gt;Instead of configuring permissions individually for every person, you create a group — say, "Developers" — set the permissions once, and add people to it.&lt;/p&gt;

&lt;p&gt;Aarav joins the Developers group. He instantly gets exactly the access a developer needs — EC2, Lambda, and related services.&lt;/p&gt;

&lt;p&gt;Next month, Pixel &amp;amp; Spoon hires a second backend developer. You add them to the same Developers group. Done. Same permissions, zero extra configuration.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;👥  Developers Group
     Permissions: EC2 (launch/manage servers), Lambda (deploy functions)
     Members: Aarav, [future developer hire]

👥  Designers Group
     Permissions: S3 (upload assets), Amplify (deploy frontend)
     Members: Meera

👥  Admins Group
     Permissions: Full infrastructure access
     Members: Rohit
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Groups are how real companies manage access at scale. You're not thinking "what does this one person need" every time — you're thinking "what does this &lt;em&gt;role&lt;/em&gt; need," and people simply join the group that matches their role.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;a href="https://dev.to/srsoumyax11/pixel-spoon-hands-on-creating-and-managing-iam-groups-3179"&gt;🛠️ Hands-on: Want to set up the Developers, Designers, and Admins groups for real? That's covered in Chapter 4.2 — Creating and Managing IAM Groups.&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  📜 IAM Policies — The Actual Rulebook
&lt;/h2&gt;

&lt;p&gt;So far we've said things like "Aarav gets EC2 access" — but how does AWS actually know what that means?&lt;/p&gt;

&lt;p&gt;That's what a &lt;strong&gt;Policy&lt;/strong&gt; is.&lt;/p&gt;

&lt;p&gt;A policy is a document — written in JSON — that explicitly states what's allowed and what's denied. Every permission in IAM ultimately comes down to a policy attached to a user, a group, or a role.&lt;/p&gt;

&lt;p&gt;Here's a simplified look at what a policy for the Developers group might say:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"Effect"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"Allow"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"Action"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="s2"&gt;"ec2:StartInstances"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="s2"&gt;"ec2:StopInstances"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="s2"&gt;"ec2:DescribeInstances"&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"Resource"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"*"&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In plain English: &lt;em&gt;"Allow this group to start, stop, and view EC2 instances. Nothing else."&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Aarav can launch and manage servers. He cannot touch billing. He cannot delete IAM users. He cannot access Meera's S3 buckets unless explicitly permitted.&lt;/p&gt;

&lt;p&gt;AWS also provides ready-made policies for common roles — so you rarely write these from scratch as a beginner. But understanding that every permission traces back to a policy document is what makes IAM click.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;a href="https://dev.to/srsoumyax11/pixel-spoon-hands-on-writing-and-attaching-iam-policies-2i62"&gt;🛠️ Hands-on: Curious how to attach a real policy — or write a simple custom one? Walk through it in Chapter 4.3 — Writing and Attaching IAM Policies.&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fjyx738gv0k89xdpffprd.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fjyx738gv0k89xdpffprd.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🎫 IAM Roles — The Visitor Badge That Expires
&lt;/h2&gt;

&lt;p&gt;Now here's a trickier situation.&lt;/p&gt;

&lt;p&gt;Pixel &amp;amp; Spoon hires &lt;strong&gt;Karthik&lt;/strong&gt;, an external auditor, to review their AWS setup for a compliance check. He needs temporary access — just enough to look around, for just a few days.&lt;/p&gt;

&lt;p&gt;You wouldn't create a permanent IAM user for someone who'll never log in again after next week. That's a badge nobody remembers to deactivate, sitting around as a security risk months later.&lt;/p&gt;

&lt;p&gt;This is exactly what &lt;strong&gt;IAM Roles&lt;/strong&gt; are for.&lt;/p&gt;

&lt;p&gt;A role is temporary access — like a visitor badge at the front desk. It's issued when needed, has an expiry, and doesn't belong to any one permanent identity.&lt;/p&gt;

&lt;p&gt;Roles aren't just for humans, either.&lt;/p&gt;

&lt;p&gt;Pixel &amp;amp; Spoon also has a &lt;strong&gt;CI/CD bot&lt;/strong&gt; — an automated system that deploys new code every time Aarav pushes an update. It's not a person. It can't "log in" with a username and password. Instead, it assumes a role — temporary credentials that let it do exactly its job (deploy code) and nothing else, refreshed automatically each time it runs.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🎫  IAM Role Examples at Pixel &amp;amp; Spoon

     Karthik (Auditor)  →  Temporary role, expires after 7 days
     CI/CD Bot          →  Service role, auto-refreshed credentials
     Rohit (on-call)    →  Can "assume" an emergency admin role
                            only during incidents, logged every time
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This is also how different AWS services talk to each other securely — an EC2 instance can assume a role that lets it read from an S3 bucket, without anyone hardcoding a password anywhere. We'll see this in action when we reach EC2 and S3 later in the series.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;a href="https://dev.to/srsoumyax11/pixel-spoon-hands-on-creating-iam-roles-2a3m"&gt;🛠️ Hands-on: See how to create a temporary role for someone like Karthik, or a service role for the CI/CD bot, in Chapter 4.4 — Creating IAM Roles (Human &amp;amp; Service).&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  🔒 MFA — Locking the Front Door Properly
&lt;/h2&gt;

&lt;p&gt;One more critical step before we move on.&lt;/p&gt;

&lt;p&gt;Even with IAM users and groups set up properly, your &lt;strong&gt;root account&lt;/strong&gt; still exists. And if someone gets your root password — through phishing, a data breach, or simple guessing — they have full control of Pixel &amp;amp; Spoon's entire AWS account.&lt;/p&gt;

&lt;p&gt;This is where &lt;strong&gt;Multi-Factor Authentication (MFA)&lt;/strong&gt; comes in.&lt;/p&gt;

&lt;p&gt;MFA means logging in requires two things: your password, and a temporary code generated by an app on your phone (like Google Authenticator or Authy). Even if someone steals your password, they can't get in without your physical phone too.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Setting up MFA on your root account — do this right now:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1&lt;/strong&gt; — Log in to the AWS console with your root user.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 2&lt;/strong&gt; — Search for "IAM" in the top search bar and open it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 3&lt;/strong&gt; — On the IAM dashboard, you'll see a security recommendation to "Add MFA for root user." Click it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 4&lt;/strong&gt; — Choose "Authenticator app," scan the QR code with Google Authenticator or Authy, and enter the two consecutive codes it generates.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 5&lt;/strong&gt; — Done. Your root account now requires your phone to log in, not just a password.&lt;/p&gt;

&lt;p&gt;Do this for every IAM user too, especially anyone with elevated permissions — Rohit, in Pixel &amp;amp; Spoon's case, should absolutely have MFA enabled.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fo74qqc55mfsy5fu0nech.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fo74qqc55mfsy5fu0nech.png" alt="alt text" width="800" height="427"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  ☂️ The Shared Responsibility Model
&lt;/h2&gt;

&lt;p&gt;There's one more concept that ties everything in this chapter together — and it's one of the most commonly misunderstood ideas in cloud computing.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Who is actually responsible for security on AWS — Amazon, or you?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The answer is: &lt;strong&gt;both&lt;/strong&gt;. Just different parts.&lt;/p&gt;

&lt;p&gt;This is called the &lt;strong&gt;Shared Responsibility Model&lt;/strong&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;☁️  AWS is responsible for security OF the cloud:

     🏢  Physical data centers
     🔌  Networking infrastructure
     🖥️  The hardware running everything
     ⚡  Power, cooling, physical security of buildings

🧑‍💻  You are responsible for security IN the cloud:

     🔑  Who has access (IAM — this entire chapter)
     📂  How your data is configured and encrypted
     🔥  Firewall and security group rules
     🔓  Whether your S3 bucket is accidentally public
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;AWS will never accidentally leave your S3 bucket public. You might, if you misconfigure it.&lt;/p&gt;

&lt;p&gt;AWS will never let an unauthorized person walk into their data center. But if you give Aarav root access "just to make things easier," and his laptop gets compromised — that's on your side of the responsibility line.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F1g4488890vyvcslg2kw5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F1g4488890vyvcslg2kw5.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This single idea — knowing where AWS's job ends and yours begins — is the foundation of every security decision you'll make for the rest of this series.&lt;/p&gt;




&lt;h2&gt;
  
  
  🧩 Where Pixel &amp;amp; Spoon Stands Now
&lt;/h2&gt;

&lt;p&gt;Let's recap what just happened at Pixel &amp;amp; Spoon.&lt;/p&gt;

&lt;p&gt;The root account is locked away with MFA, used only for emergencies.&lt;/p&gt;

&lt;p&gt;Aarav, Meera, and Rohit each have their own IAM user, grouped by role, with only the permissions their job actually requires.&lt;/p&gt;

&lt;p&gt;Karthik gets temporary, expiring access through a role — not a permanent login.&lt;/p&gt;

&lt;p&gt;The CI/CD bot deploys code automatically using a service role — no hardcoded passwords anywhere.&lt;/p&gt;

&lt;p&gt;And everyone on the team — including you, the founder — now understands exactly where AWS's responsibility ends and Pixel &amp;amp; Spoon's begins.&lt;/p&gt;

&lt;p&gt;This is the foundation every real AWS setup is built on. Skipping this chapter is how companies end up in security breach headlines.&lt;/p&gt;




&lt;h2&gt;
  
  
  🗺️ Where We Go From Here
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Ch 00&lt;/strong&gt; — ✅ The origin story &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 01&lt;/strong&gt; — ✅ The world before AWS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 02&lt;/strong&gt; — ✅ Virtualization &amp;amp; Cloud Models&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 03&lt;/strong&gt; — ✅ Welcome to AWS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 04&lt;/strong&gt; — ✅ IAM: The Gatekeeper of AWS &lt;em&gt;(you are here)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 05&lt;/strong&gt; — EC2: Your First Server in the Cloud&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 06&lt;/strong&gt; — EBS, AMI &amp;amp; Auto Scaling: The Complete Compute Picture&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 07&lt;/strong&gt; — AWS CLI: Stop Clicking, Start Typing&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 08&lt;/strong&gt; — S3: Store Anything, Forever&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 09&lt;/strong&gt; — Databases on AWS: RDS &amp;amp; DynamoDB&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 10&lt;/strong&gt; — Serverless: Lambda, SNS &amp;amp; SQS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 11&lt;/strong&gt; — Monitoring &amp;amp; Secrets: CloudWatch + Secrets Manager&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 12&lt;/strong&gt; — Networking: Route 53, CloudFront &amp;amp; VPC&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 13&lt;/strong&gt; — Infrastructure as Code: CloudFormation &amp;amp; Terraform&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 14&lt;/strong&gt; — Containers: ECS &amp;amp; EKS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 15&lt;/strong&gt; — Billing &amp;amp; Pricing: Never Get a Surprise Bill&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 16&lt;/strong&gt; — Capstone: Build a Full Stack App on AWS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 17&lt;/strong&gt; — AWS vs Azure vs GCP: An Honest Comparison&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 18&lt;/strong&gt; — What's Next: The AWS Certifications Roadmap&lt;/p&gt;




&lt;h3&gt;
  
  
  Before You Click Away.
&lt;/h3&gt;

&lt;p&gt;The building is secure. The badges are issued. The front desk is staffed.&lt;/p&gt;

&lt;p&gt;But before Pixel &amp;amp; Spoon builds anything — Aarav, Meera, and Rohit need their actual logins set up inside AWS.&lt;/p&gt;

&lt;p&gt;Ready to do it yourself, step by step?&lt;/p&gt;

&lt;p&gt;🛠️ &lt;strong&gt;Hands-on companion posts for this chapter:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://dev.to/srsoumyax11/pixel-spoon-hands-on-creating-your-first-iam-user-2lg3"&gt;Ch 4.1 — Creating IAM Users → (Read it here)&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://dev.to/srsoumyax11/pixel-spoon-hands-on-creating-and-managing-iam-groups-3179"&gt;Ch 4.2 — Creating and Managing IAM Groups → (Read it here)&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://dev.to/srsoumyax11/pixel-spoon-hands-on-writing-and-attaching-iam-policies-2i62"&gt;Ch 4.3 — Writing and Attaching IAM Policies → (Read it here)&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://dev.to/srsoumyax11/pixel-spoon-hands-on-creating-iam-roles-2a3m"&gt;Ch 4.4 — Creating IAM Roles: Human &amp;amp; Service → (Read it here)&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Once the team is set up — it's time to actually build something.&lt;/p&gt;

&lt;p&gt;Aarav has been waiting since the start of this chapter to write code &lt;br&gt;
for the ordering system. But code needs somewhere to run.&lt;/p&gt;

&lt;p&gt;In Chapter 5, we hand Aarav his first server — and you'll launch your &lt;br&gt;
very first EC2 instance right alongside him.&lt;/p&gt;

&lt;p&gt;This is the chapter where AWS stops being theory.&lt;/p&gt;

&lt;h2&gt;
  
  
  👉 &lt;strong&gt;&lt;a href="https://dev.to/srsoumyax11/ec2-your-first-server-in-the-cloud-2015"&gt;Chapter 5: EC2 — Your First Server in the Cloud → (Read it here)&lt;/a&gt;&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;Resources I'm learning from:&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://roadmap.sh/aws" rel="noopener noreferrer"&gt;roadmap.sh/aws&lt;/a&gt; — my learning roadmap&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://docs.aws.amazon.com/whitepapers/latest/aws-overview/introduction.html" rel="noopener noreferrer"&gt;AWS Official Overview Whitepaper&lt;/a&gt; — straight from the source&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;




</description>
      <category>aws</category>
      <category>cloud</category>
      <category>iam</category>
      <category>security</category>
    </item>
    <item>
      <title>Welcome to AWS: Infrastructure, Console &amp; Free Tier 🌍</title>
      <dc:creator>Soumya Ranjan 🎖️</dc:creator>
      <pubDate>Tue, 30 Jun 2026 06:49:47 +0000</pubDate>
      <link>https://dev.to/srsoumyax11/welcome-to-aws-infrastructure-console-free-tier-2909</link>
      <guid>https://dev.to/srsoumyax11/welcome-to-aws-infrastructure-console-free-tier-2909</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Chapter 3 of the AWS Learning Journey. Three chapters of context. Now we finally walk through the door.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  The Door Is Open.
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://dev.to/srsoumyax11/before-you-learn-aws-the-story-behind-the-cloud-2bed"&gt;Chapter 0&lt;/a&gt; - you understood why cloud exists.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://dev.to/srsoumyax11/the-world-before-aws-computers-servers-the-internet-3m0"&gt;Chapter 1&lt;/a&gt; - you understood why the old world broke.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://dev.to/srsoumyax11/virtualization-cloud-models-the-missing-bridge-f60"&gt;Chapter 2&lt;/a&gt; - you understood how virtualization made cloud possible.&lt;/p&gt;

&lt;p&gt;That's three chapters without touching AWS once.&lt;/p&gt;

&lt;p&gt;And that was intentional.&lt;/p&gt;

&lt;p&gt;Because most people open the AWS console on day one - see 200+ services staring back at them - and immediately feel lost.&lt;/p&gt;

&lt;p&gt;You won't feel that way.&lt;/p&gt;

&lt;p&gt;You already know what AWS is solving and how it works under the hood. Now we just need to learn the building - which floor things are on, where the entrance is, and how to not accidentally leave the lights on when you leave.&lt;/p&gt;

&lt;p&gt;Let's go in.&lt;/p&gt;




&lt;h2&gt;
  
  
  🌍 How AWS Is Built: The Global Infrastructure
&lt;/h2&gt;

&lt;p&gt;Before we log in, there's one thing worth understanding about how AWS is physically structured around the world.&lt;/p&gt;

&lt;p&gt;Because AWS isn't one data center somewhere.&lt;/p&gt;

&lt;p&gt;It's a global network - and understanding how it's organised will explain a lot of decisions you'll make later.&lt;/p&gt;




&lt;h3&gt;
  
  
  Regions 🗺️
&lt;/h3&gt;

&lt;p&gt;A &lt;strong&gt;Region&lt;/strong&gt; is a specific geographic location where AWS has built a cluster of data centers.&lt;/p&gt;

&lt;p&gt;As of 2026, AWS has 39 Regions worldwide - places like US East (Virginia), EU West (Ireland), Asia Pacific (Mumbai), and so on.&lt;/p&gt;

&lt;p&gt;When you launch a server on AWS, you choose which Region it lives in.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ftlq8wxji18794yrojseh.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ftlq8wxji18794yrojseh.png" alt="AWS global infrastructure regions map " width="800" height="433"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Why does this matter?&lt;/p&gt;

&lt;p&gt;Two reasons:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Speed&lt;/strong&gt; - The closer your server is to your users, the faster your app loads. If most of your users are in India, you'd choose the Mumbai Region, not Virginia.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Compliance&lt;/strong&gt; - Some industries and countries require data to stay within specific geographic boundaries. A European bank might be legally required to keep data inside EU Regions.&lt;/p&gt;

&lt;p&gt;Regions are completely independent of each other. If one Region has a problem, others are unaffected.&lt;/p&gt;




&lt;h3&gt;
  
  
  Availability Zones ⚡
&lt;/h3&gt;

&lt;p&gt;Inside each Region, AWS doesn't just have one data center. It has multiple - called &lt;strong&gt;Availability Zones&lt;/strong&gt; (AZs).&lt;/p&gt;

&lt;p&gt;Mumbai Region, for example, has 3 Availability Zones - three separate physical data centers, each in a different location within the city, with their own power, cooling, and networking.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🌍 AWS Region: Asia Pacific (Mumbai)
        │
        ├── ⚡ Availability Zone 1  (ap-south-1a)
        ├── ⚡ Availability Zone 2  (ap-south-1b)
        └── ⚡ Availability Zone 3  (ap-south-1c)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Why does this matter?&lt;/p&gt;

&lt;p&gt;If your app runs in only one AZ and that data center has a power outage - your app goes down.&lt;/p&gt;

&lt;p&gt;If your app runs across multiple AZs - one goes down, the others keep running. Your users notice nothing.&lt;/p&gt;

&lt;p&gt;This is how big companies achieve that "99.99% uptime" you see in SLAs. We'll use this concept practically when we get to EC2 and load balancers.&lt;/p&gt;




&lt;h3&gt;
  
  
  Edge Locations 🚀
&lt;/h3&gt;

&lt;p&gt;One more piece - &lt;strong&gt;Edge Locations&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;These are smaller AWS outposts spread across 400+ cities worldwide. They don't run your servers. Instead, they cache your content - images, videos, static files - closer to your users.&lt;/p&gt;

&lt;p&gt;So when someone in Chennai opens your app hosted in Mumbai, they might actually get your images delivered from an Edge Location right in their city - making it even faster.&lt;/p&gt;

&lt;p&gt;This is what AWS CloudFront uses. We'll cover it properly in Chapter 12.&lt;/p&gt;

&lt;p&gt;For now just know: Regions run your infrastructure. Edge Locations deliver your content fast.&lt;/p&gt;




&lt;h2&gt;
  
  
  🔐 Creating Your AWS Account
&lt;/h2&gt;

&lt;p&gt;Let's set up your account.&lt;/p&gt;

&lt;p&gt;Go to &lt;strong&gt;aws.amazon.com&lt;/strong&gt; and click "Create an AWS Account."&lt;/p&gt;

&lt;p&gt;You'll need:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;An email address&lt;/li&gt;
&lt;li&gt;A password&lt;/li&gt;
&lt;li&gt;A phone number (for verification)&lt;/li&gt;
&lt;li&gt;A credit / debit card / UPI (A small amount (₹2) will be deducted and also get refunded after verification.)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That last one makes people nervous. Let's address it directly.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why does AWS need your card if there's a free tier?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Because AWS bills you for anything you use beyond the free tier limits - automatically. Your card is the fallback. This is normal and fine.&lt;/p&gt;

&lt;p&gt;The key is knowing what the free tier includes (we'll cover that next) and setting up a billing alert (we'll do that before this chapter ends).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fyyvl39suk49fgknv5yw1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fyyvl39suk49fgknv5yw1.png" alt="AWS account creation signup page" width="800" height="451"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;During signup you'll be asked to choose a &lt;strong&gt;Support Plan&lt;/strong&gt;. Choose &lt;strong&gt;Basic - Free&lt;/strong&gt;. You do not need a paid support plan to learn AWS.&lt;/p&gt;




&lt;h3&gt;
  
  
  Root User vs IAM User - A Quick Note
&lt;/h3&gt;

&lt;p&gt;When you create an AWS account, the email you signed up with becomes your &lt;strong&gt;root user&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;The root user has unlimited access to everything in your account. It can delete your entire setup, change billing, close the account - no restrictions.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;This is why you almost never use it day-to-day.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;In Chapter 4, we'll create an &lt;strong&gt;IAM user&lt;/strong&gt; - a separate login with only the permissions it needs - and that's what we'll use for everything from there onwards.&lt;/p&gt;

&lt;p&gt;For now: create the account with your root email, log in once to set things up, then we'll lock it away properly in the next chapter.&lt;/p&gt;




&lt;h2&gt;
  
  
  🎁 The Free Tier - What's Actually Free
&lt;/h2&gt;

&lt;p&gt;The AWS Free Tier is real and generous. But it has three different flavours and mixing them up is how people end up confused about bills.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Always Free&lt;/strong&gt;&lt;br&gt;
These never expire, regardless of how long you've had an account.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AWS Lambda - 1 million requests per month&lt;/li&gt;
&lt;li&gt;DynamoDB - 25GB of storage&lt;/li&gt;
&lt;li&gt;CloudWatch - basic monitoring metrics&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;strong&gt;12 Months Free&lt;/strong&gt;&lt;br&gt;
Free for your first 12 months from account creation. After that, normal pricing kicks in.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;EC2 - 750 hours/month of t2.micro or t3.micro instances&lt;/li&gt;
&lt;li&gt;S3 - 5GB of standard storage&lt;/li&gt;
&lt;li&gt;RDS - 750 hours/month of db.t2.micro or db.t3.micro instances&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These are the big ones. Most of what we do in this series fits comfortably inside these limits.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;Free Trials&lt;/strong&gt;&lt;br&gt;
Short-term trials of specific services - usually 30 to 90 days from first use.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Amazon SageMaker - 2 months free&lt;/li&gt;
&lt;li&gt;Amazon Redshift - 2 months free&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F3ne835l2vamkn590ugex.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F3ne835l2vamkn590ugex.png" alt="AWS free tier page services list" width="800" height="1425"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The golden rule of the free tier:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Always check which category a service falls into before using it. The 12-months-free services will start charging after your first year - and t2.micro EC2 instances left running 24/7 will eat through your 750 free hours in about a month.&lt;/p&gt;

&lt;p&gt;We'll talk about this more in Chapter 15 on billing. For now - the habit to build is: know before you launch.&lt;/p&gt;




&lt;h2&gt;
  
  
  🖥️ Your First Look at the Console
&lt;/h2&gt;

&lt;p&gt;Log in at &lt;strong&gt;console.aws.amazon.com&lt;/strong&gt; with your root user for now.&lt;/p&gt;

&lt;p&gt;Here's what you're looking at:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The top navigation bar&lt;/strong&gt;&lt;br&gt;
On the left - the AWS logo and a services menu. In the middle - a search bar (use this constantly, it's the fastest way to find anything). On the right - your account name, Region selector, and support.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Region selector&lt;/strong&gt; is in the top right corner - it shows something like "ap-south-1" or "us-east-1". This tells you which Region you're currently working in. Always check this before launching anything. Many beginners launch resources in the wrong region and spend time wondering why they can't find them.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The services menu&lt;/strong&gt;&lt;br&gt;
Click the grid icon or search for any service by name. AWS organises services into categories - Compute, Storage, Database, Networking, Security, and so on. As the series progresses, you'll naturally learn which category each service lives in.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The home dashboard&lt;/strong&gt;&lt;br&gt;
You can customise this with shortcuts to services you use frequently. For now it's mostly empty - and that's fine.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fj1tyh971ea8km407u6t7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fj1tyh971ea8km407u6t7.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Don't try to explore everything right now. The console only makes sense in context - and we'll build that context one service at a time starting from Chapter 4.&lt;/p&gt;




&lt;h2&gt;
  
  
  🚨 Do This Before Anything Else: Set a Billing Alert
&lt;/h2&gt;

&lt;p&gt;This takes 5 minutes and will save you from ever getting a surprise bill.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1&lt;/strong&gt; - In the console search bar, type &lt;code&gt;Billing&lt;/code&gt; and open Billing and Cost Management.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fwmcj7wl6vrv49lnpp1qb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fwmcj7wl6vrv49lnpp1qb.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 2&lt;/strong&gt; - In the left menu, click &lt;code&gt;Budgets&lt;/code&gt; then &lt;code&gt;Create budget&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ftghlbpkd9ng89ngbq9on.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ftghlbpkd9ng89ngbq9on.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 3&lt;/strong&gt; - Choose &lt;code&gt;Use a template&lt;/code&gt; → &lt;code&gt;Zero spend budget&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;This will send you an email the moment your account is charged anything beyond the free tier. Even $0.01.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fovhakyt505snhfvnreiq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fovhakyt505snhfvnreiq.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 4&lt;/strong&gt; - Enter your email address (separated by comma if you want multiple recipients) and create the budget.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxrjwh04tz9ybdtvgnui2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxrjwh04tz9ybdtvgnui2.png" alt="alt text" width="800" height="450"&gt;&lt;/a&gt;&lt;br&gt;
Done. You now have an early warning system. Go explore without fear.&lt;/p&gt;




&lt;h2&gt;
  
  
  🗺️ Where We Go From Here
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Ch 00&lt;/strong&gt; - ✅ The origin story&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 01&lt;/strong&gt; - ✅ The world before AWS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 02&lt;/strong&gt; - ✅ Virtualization &amp;amp; Cloud Models&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 03&lt;/strong&gt; - ✅ Welcome to AWS &lt;em&gt;(you are here)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 04&lt;/strong&gt; - IAM: The Gatekeeper of AWS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 05&lt;/strong&gt; - EC2: Your First Server in the Cloud&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 06&lt;/strong&gt; - EBS, AMI &amp;amp; Auto Scaling: The Complete Compute Picture&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 07&lt;/strong&gt; - AWS CLI: Stop Clicking, Start Typing&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 08&lt;/strong&gt; - S3: Store Anything, Forever&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 09&lt;/strong&gt; - Databases on AWS: RDS &amp;amp; DynamoDB&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 10&lt;/strong&gt; - Serverless: Lambda, SNS &amp;amp; SQS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 11&lt;/strong&gt; - Monitoring &amp;amp; Secrets: CloudWatch + Secrets Manager&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 12&lt;/strong&gt; - Networking: Route 53, CloudFront &amp;amp; VPC&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 13&lt;/strong&gt; - Infrastructure as Code: CloudFormation &amp;amp; Terraform&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 14&lt;/strong&gt; - Containers: ECS &amp;amp; EKS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 15&lt;/strong&gt; - Billing &amp;amp; Pricing: Never Get a Surprise Bill&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 16&lt;/strong&gt; - Capstone: Build a Full Stack App on AWS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 17&lt;/strong&gt; - AWS vs Azure vs GCP: An Honest Comparison&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 18&lt;/strong&gt; - What's Next: The AWS Certifications Roadmap&lt;/p&gt;




&lt;h3&gt;
  
  
  Before You Click Away.
&lt;/h3&gt;

&lt;p&gt;Your account is set up. The console is no longer a mystery. Your billing alert is live.&lt;/p&gt;

&lt;p&gt;But right now - your AWS account is wide open.&lt;/p&gt;

&lt;p&gt;One login. Full access to everything. No guardrails.&lt;/p&gt;

&lt;p&gt;That changes in Chapter 4.&lt;/p&gt;

&lt;p&gt;IAM is the first thing every AWS professional sets up before touching any service - because it controls &lt;em&gt;who&lt;/em&gt; can do &lt;em&gt;what&lt;/em&gt; inside your account. Get this wrong and your account can be compromised, your resources deleted, or your bill run up by someone else entirely.&lt;/p&gt;

&lt;p&gt;It's also the chapter that separates beginners who click around from professionals who build securely.&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://dev.to/srsoumyax11/iam-the-gatekeeper-of-aws-111b"&gt;Chapter 4: IAM - The Gatekeeper of AWS → (Read it here)&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Resources I'm learning from:&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://roadmap.sh/aws" rel="noopener noreferrer"&gt;roadmap.sh/aws&lt;/a&gt; - my learning roadmap&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://docs.aws.amazon.com/whitepapers/latest/aws-overview/introduction.html" rel="noopener noreferrer"&gt;AWS Official Overview Whitepaper&lt;/a&gt; - straight from the source&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;




</description>
      <category>aws</category>
      <category>cloud</category>
      <category>awsaccount</category>
      <category>freetier</category>
    </item>
    <item>
      <title>Virtualization &amp; Cloud Models: The Missing Bridge 🌉</title>
      <dc:creator>Soumya Ranjan 🎖️</dc:creator>
      <pubDate>Sun, 28 Jun 2026 10:01:51 +0000</pubDate>
      <link>https://dev.to/srsoumyax11/virtualization-cloud-models-the-missing-bridge-f60</link>
      <guid>https://dev.to/srsoumyax11/virtualization-cloud-models-the-missing-bridge-f60</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Chapter 2 of the AWS Learning Journey. We promised you pure AWS from here. But before we get there — there's one idea that makes everything else make sense. This is it.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  Something We Never Explained.
&lt;/h2&gt;

&lt;p&gt;In Chapter 1, we left you with a broken world.&lt;/p&gt;

&lt;p&gt;Expensive servers. Slow scaling. Your problem to maintain.&lt;/p&gt;

&lt;p&gt;And then we said — AWS fixed it.&lt;/p&gt;

&lt;p&gt;But we skipped something important.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;How does a company like AWS take physical machines sitting in a building somewhere and turn them into something thousands of companies can rent, by the hour, on demand?&lt;/p&gt;

&lt;p&gt;The answer isn't magic. It isn't even that complicated once someone explains it properly.&lt;/p&gt;

&lt;p&gt;It's called &lt;strong&gt;virtualization&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;And it's the idea that made cloud computing physically possible.&lt;/p&gt;




&lt;h2&gt;
  
  
  🖥️ Let's Start With a Problem
&lt;/h2&gt;

&lt;p&gt;Cast your mind back to a data center in 2001.&lt;/p&gt;

&lt;p&gt;A company buys a powerful server. It has 32 cores, 256GB of RAM, and terabytes of storage.&lt;/p&gt;

&lt;p&gt;They run one application on it.&lt;/p&gt;

&lt;p&gt;That application uses maybe 10% of the server's power at any given time.&lt;/p&gt;

&lt;p&gt;The other 90%?&lt;/p&gt;

&lt;p&gt;Just sitting there. Idle. Wasted.&lt;/p&gt;

&lt;p&gt;Now multiply that across hundreds of servers in a data center.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🖥️  Server 1   →   Running App A   →   Using 10% capacity
🖥️  Server 2   →   Running App B   →   Using 15% capacity
🖥️  Server 3   →   Running App C   →   Using 8% capacity
🖥️  Server 4   →   Running App D   →   Using 20% capacity

💸  Combined waste: ~75% of total computing power
    sitting idle every single day
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Someone, somewhere looked at this and asked a very sensible question.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;What if one physical machine could pretend to be many machines?&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  💡 The Big Idea: One Machine, Many Lives
&lt;/h2&gt;

&lt;p&gt;Here's the concept that changed everything.&lt;/p&gt;

&lt;p&gt;What if you could take that one powerful server and divide it into multiple &lt;strong&gt;virtual machines&lt;/strong&gt; — each one behaving exactly like a separate, independent computer?&lt;/p&gt;

&lt;p&gt;Each virtual machine gets its own slice of the CPU, its own slice of RAM, its own storage. It runs its own operating system. It doesn't know — or care — that other virtual machines exist on the same physical hardware.&lt;/p&gt;

&lt;p&gt;From the outside, it looks and feels like a real, dedicated server.&lt;/p&gt;

&lt;p&gt;But underneath, it's sharing physical resources with several others.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fjf8hjtpbay16nvufutjx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fjf8hjtpbay16nvufutjx.png" alt="virtualization" width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This is &lt;strong&gt;virtualization&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;And suddenly, that server running at 10% capacity?&lt;/p&gt;

&lt;p&gt;Now it's running 8 virtual machines, each at around 10% — utilising nearly the full machine.&lt;/p&gt;

&lt;p&gt;No wasted power. No wasted money.&lt;/p&gt;




&lt;h2&gt;
  
  
  ⚙️ What Makes This Possible: The Hypervisor
&lt;/h2&gt;

&lt;p&gt;You're probably wondering — what actually does the dividing?&lt;/p&gt;

&lt;p&gt;Meet the &lt;strong&gt;hypervisor&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;A hypervisor is a piece of software that sits between the physical hardware and the virtual machines. Its entire job is to manage and allocate resources — making sure each virtual machine gets its slice and stays in its lane.&lt;/p&gt;

&lt;p&gt;There are two types, and they're worth knowing.&lt;/p&gt;




&lt;h3&gt;
  
  
  Type 1 — Bare Metal Hypervisor
&lt;/h3&gt;

&lt;p&gt;This one runs &lt;strong&gt;directly on the hardware&lt;/strong&gt;. No operating system in between.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;⚙️  Physical Hardware
        ↓
🔧  Hypervisor (Type 1 — runs directly on hardware)
        ↓
🖥️ VM1   🖥️ VM2   🖥️ VM3
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Faster. More efficient. Used in enterprise data centers and — importantly — by AWS.&lt;/p&gt;

&lt;p&gt;Examples: VMware ESXi, Microsoft Hyper-V, Xen (which AWS used for years)&lt;/p&gt;




&lt;h3&gt;
  
  
  Type 2 — Hosted Hypervisor
&lt;/h3&gt;

&lt;p&gt;This one runs &lt;strong&gt;on top of an existing operating system&lt;/strong&gt; — like an app you install.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;⚙️  Physical Hardware
        ↓
💻  Host Operating System (Windows / macOS / Linux)
        ↓
🔧  Hypervisor (Type 2 — runs as an application)
        ↓
🖥️ VM1   🖥️ VM2
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Slower than Type 1 but easier to set up. Used mostly for development and testing on personal machines.&lt;/p&gt;

&lt;p&gt;Examples: VirtualBox, VMware Workstation&lt;/p&gt;




&lt;p&gt;The distinction matters for one reason: &lt;strong&gt;AWS uses Type 1&lt;/strong&gt;. When you launch an EC2 instance later in this series, you're getting a virtual machine created and managed by a bare-metal hypervisor running on AWS's physical hardware. Now you know what's actually happening underneath.&lt;/p&gt;




&lt;h2&gt;
  
  
  ☁️ From Virtualization to Cloud Computing
&lt;/h2&gt;

&lt;p&gt;Once virtualization existed, the leap to cloud computing was logical.&lt;/p&gt;

&lt;p&gt;If you can divide one physical server into many virtual ones — why not build a massive warehouse of physical servers, virtualise all of them, and rent out those virtual machines to anyone who needs one?&lt;/p&gt;

&lt;p&gt;Need a server for your app? You get a virtual machine.&lt;br&gt;
Need it for an hour? Pay for an hour.&lt;br&gt;
Need 100 of them for a traffic spike? Spin up 100.&lt;br&gt;
Traffic drops? Shut them down. Stop paying.&lt;/p&gt;

&lt;p&gt;That's cloud computing. Virtualization at massive scale, made available over the internet.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🏭  AWS Data Center (thousands of physical servers)
              ↓
🔧  Hypervisors running on every machine
              ↓
☁️  Pool of virtual machines available on demand
              ↓
🧑‍💻  You log in and rent exactly what you need
              ↓
💳  Pay only for what you use
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Simple in concept. Extraordinary in execution.&lt;/p&gt;




&lt;h2&gt;
  
  
  📦 But What Exactly Are You Renting?
&lt;/h2&gt;

&lt;p&gt;Here's where it gets interesting — because "cloud computing" isn't one thing.&lt;/p&gt;

&lt;p&gt;Depending on how much control you want (and how much responsibility you're willing to take on), you can rent different &lt;em&gt;levels&lt;/em&gt; of the stack.&lt;/p&gt;

&lt;p&gt;This is where &lt;strong&gt;IaaS, PaaS, and SaaS&lt;/strong&gt; come in.&lt;/p&gt;

&lt;p&gt;Don't let the acronyms scare you. The idea is simple.&lt;/p&gt;




&lt;h3&gt;
  
  
  🏗️ IaaS — Infrastructure as a Service
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;You get:&lt;/strong&gt; Virtual machines, storage, networking.&lt;br&gt;
&lt;strong&gt;You manage:&lt;/strong&gt; Operating system, runtime, apps, data.&lt;br&gt;
&lt;strong&gt;AWS example:&lt;/strong&gt; EC2&lt;/p&gt;

&lt;p&gt;Think of it like renting an empty plot of land. The foundation is there. You build everything else yourself.&lt;/p&gt;

&lt;p&gt;Maximum control. Maximum responsibility.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;AWS manages  →  Physical hardware, hypervisor, networking
You manage   →  OS, runtime, code, data, security config
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This is where most of your AWS learning will live. EC2 is IaaS.&lt;/p&gt;




&lt;h3&gt;
  
  
  🧱 PaaS — Platform as a Service
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;You get:&lt;/strong&gt; A ready-made environment to deploy your code.&lt;br&gt;
&lt;strong&gt;You manage:&lt;/strong&gt; Your application and data only.&lt;br&gt;
&lt;strong&gt;AWS example:&lt;/strong&gt; AWS Elastic Beanstalk, AWS Lambda (partially)&lt;/p&gt;

&lt;p&gt;Think of it like renting a fully furnished apartment. The infrastructure is handled. You just move in and live.&lt;/p&gt;

&lt;p&gt;Less control. Less responsibility. Faster to deploy.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;AWS manages  →  Hardware, OS, runtime, scaling, patching
You manage   →  Your code and your data
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h3&gt;
  
  
  📱 SaaS — Software as a Service
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;You get:&lt;/strong&gt; A fully working application.&lt;br&gt;
&lt;strong&gt;You manage:&lt;/strong&gt; Nothing technical — just use it.&lt;br&gt;
&lt;strong&gt;Examples:&lt;/strong&gt; Gmail, Dropbox, Slack, Zoom&lt;/p&gt;

&lt;p&gt;Think of it like staying in a hotel. Everything is done for you. You just show up.&lt;/p&gt;

&lt;p&gt;No control over infrastructure at all. Not really an AWS category — but understanding it completes the picture.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Provider manages  →  Everything
You manage        →  Your account and your data
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h3&gt;
  
  
  The Full Picture Side by Side
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;                IaaS        PaaS        SaaS
Hardware         AWS         AWS         AWS
Networking       AWS         AWS         AWS
Hypervisor       AWS         AWS         AWS
OS               YOU         AWS         AWS
Runtime          YOU         AWS         AWS
Code             YOU         YOU         AWS
Data             YOU         YOU         YOU
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The further right you go — the less you manage, but also the less flexibility you have.&lt;/p&gt;

&lt;p&gt;Most of this series lives in &lt;strong&gt;IaaS territory&lt;/strong&gt; — because that's where AWS services like EC2, S3, VPC, and RDS sit.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fu0pcvfjq9973ws3tdnuq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fu0pcvfjq9973ws3tdnuq.png" alt="IaaS PaaS SaaS comparison diagram cloud computing" width="800" height="638"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🧩 Why This Chapter Existed
&lt;/h2&gt;

&lt;p&gt;We could have started Chapter 3 with "open the AWS console and create an account."&lt;/p&gt;

&lt;p&gt;But then when you launch an EC2 instance and AWS gives you a virtual machine — you'd be clicking buttons without knowing what you're actually getting.&lt;/p&gt;

&lt;p&gt;Now you know.&lt;/p&gt;

&lt;p&gt;When AWS gives you an EC2 instance — you're getting a &lt;strong&gt;virtual machine&lt;/strong&gt;, created by a &lt;strong&gt;Type 1 hypervisor&lt;/strong&gt;, running on physical hardware inside an &lt;strong&gt;AWS data center&lt;/strong&gt;, available to you as &lt;strong&gt;IaaS&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;That one sentence will make EC2 feel completely natural when we get there.&lt;/p&gt;




&lt;h2&gt;
  
  
  🗺️ Where We Go From Here
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Ch 00&lt;/strong&gt; — ✅ The origin story&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 01&lt;/strong&gt; — ✅ The world before AWS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 02&lt;/strong&gt; — ✅ Virtualization &amp;amp; Cloud Models &lt;em&gt;(you are here)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 03&lt;/strong&gt; — Welcome to AWS: Infrastructure, Console &amp;amp; Free Tier&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 04&lt;/strong&gt; — IAM: The Gatekeeper of AWS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 05&lt;/strong&gt; — EC2: Your First Server in the Cloud&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 06&lt;/strong&gt; — EBS, AMI &amp;amp; Auto Scaling: The Complete Compute Picture&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 07&lt;/strong&gt; — AWS CLI: Stop Clicking, Start Typing&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 08&lt;/strong&gt; — S3: Store Anything, Forever&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 09&lt;/strong&gt; — Databases on AWS: RDS &amp;amp; DynamoDB&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 10&lt;/strong&gt; — Serverless: Lambda, SNS &amp;amp; SQS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 11&lt;/strong&gt; — Monitoring &amp;amp; Secrets: CloudWatch + Secrets Manager&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 12&lt;/strong&gt; — Networking: Route 53, CloudFront &amp;amp; VPC&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 13&lt;/strong&gt; — Infrastructure as Code: CloudFormation &amp;amp; Terraform&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 14&lt;/strong&gt; — Containers: ECS &amp;amp; EKS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 15&lt;/strong&gt; — Billing &amp;amp; Pricing: Never Get a Surprise Bill&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 16&lt;/strong&gt; — Capstone: Build a Full Stack App on AWS&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 17&lt;/strong&gt; — AWS vs Azure vs GCP: An Honest Comparison&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 18&lt;/strong&gt; — What's Next: The AWS Certifications Roadmap&lt;/p&gt;




&lt;h3&gt;
  
  
  Before You Go.
&lt;/h3&gt;

&lt;p&gt;The backstory is fully done now.&lt;/p&gt;

&lt;p&gt;Three chapters in — you understand &lt;em&gt;why&lt;/em&gt; cloud exists, &lt;em&gt;why&lt;/em&gt; the old world broke, and &lt;em&gt;how&lt;/em&gt; virtualization made the cloud technically possible.&lt;/p&gt;

&lt;p&gt;Chapter 3 is where we finally walk through the door.&lt;/p&gt;

&lt;p&gt;We'll look at how AWS is structured globally, what the console looks like, and — crucially — how to set up your account without accidentally paying for anything.&lt;/p&gt;

&lt;p&gt;Yes, that last part matters.&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://dev.to/srsoumyax11/welcome-to-aws-infrastructure-console-free-tier-2909"&gt;Chapter 3: Welcome to AWS → (Read it here)&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Resources I'm learning from:&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://roadmap.sh/aws" rel="noopener noreferrer"&gt;roadmap.sh/aws&lt;/a&gt; — my learning roadmap&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://docs.aws.amazon.com/whitepapers/latest/aws-overview/introduction.html" rel="noopener noreferrer"&gt;AWS Official Overview Whitepaper&lt;/a&gt; — straight from the source&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;#aws #cloud #beginners #devjourney #learnaws&lt;/em&gt;&lt;/p&gt;

</description>
      <category>aws</category>
      <category>cloud</category>
      <category>virtualmachine</category>
    </item>
    <item>
      <title>The World Before AWS: Computers, Servers &amp; The Internet ⚡</title>
      <dc:creator>Soumya Ranjan 🎖️</dc:creator>
      <pubDate>Sat, 27 Jun 2026 06:21:56 +0000</pubDate>
      <link>https://dev.to/srsoumyax11/the-world-before-aws-computers-servers-the-internet-3m0</link>
      <guid>https://dev.to/srsoumyax11/the-world-before-aws-computers-servers-the-internet-3m0</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;Chapter 1 of the AWS Learning Journey. No fluff. Just the story of how the old world broke — and why AWS was the only way out.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  You Already Know the Ending.
&lt;/h2&gt;

&lt;p&gt;In &lt;a href="https://dev.to/srsoumyax11/before-you-learn-aws-the-story-behind-the-cloud-2bed"&gt;Chapter 0&lt;/a&gt;, we saw what AWS can do.&lt;/p&gt;

&lt;p&gt;15 minutes. One browser. Your app is live, scalable, and ready for a million users.&lt;/p&gt;

&lt;p&gt;But here's what we didn't talk about.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How did we get there?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Because AWS didn't appear out of nowhere. It was built to solve real, painful, expensive problems that broke real companies.&lt;/p&gt;

&lt;p&gt;And to understand those problems — you need to understand the world that existed before AWS was even an idea.&lt;/p&gt;

&lt;p&gt;This is that story.&lt;/p&gt;




&lt;h2&gt;
  
  
  🖥️ What Is a Computer, Really?
&lt;/h2&gt;

&lt;p&gt;Let's not overthink this.&lt;/p&gt;

&lt;p&gt;A computer is a machine that takes input, processes it, and gives you output.&lt;/p&gt;

&lt;p&gt;You type a message → it processes → the message appears on screen.&lt;br&gt;
You click "pay" → it processes → your order goes through.&lt;br&gt;
Someone opens your app → it processes → they see your homepage.&lt;/p&gt;

&lt;p&gt;That last one is the important one.&lt;/p&gt;

&lt;p&gt;Every single thing that happens in software — every click, every login, every video that loads — is a computer somewhere doing its job.&lt;/p&gt;

&lt;p&gt;Your laptop is a computer. Your phone is a computer. And the thing that runs your app when someone halfway across the world opens it?&lt;/p&gt;

&lt;p&gt;Also a computer.&lt;/p&gt;

&lt;p&gt;Just a very different kind.&lt;/p&gt;


&lt;h2&gt;
  
  
  🗄️ So What's a Server?
&lt;/h2&gt;

&lt;p&gt;Here's where most explanations get confusing. They don't need to be.&lt;/p&gt;

&lt;p&gt;A server is just a computer with one job.&lt;/p&gt;

&lt;p&gt;Your laptop does many things — you browse, you code, you watch videos, you close the lid and walk away. A server does &lt;em&gt;one&lt;/em&gt; thing: it sits in a room, stays on 24/7, and responds to requests from other computers.&lt;/p&gt;

&lt;p&gt;When you open Instagram, your phone sends a request to Instagram's servers. The server processes it and sends back your feed. That entire conversation happens in under a second.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fwz27v5t3vy32wkm1zh3d.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fwz27v5t3vy32wkm1zh3d.png" alt="what is a server vs computer comparison" width="799" height="436"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Your laptop could technically act as a server. But imagine leaving your laptop on 24/7, never closing it, handling thousands of requests per second, and keeping it connected to a fast internet line at all times.&lt;/p&gt;

&lt;p&gt;That's not realistic. That's why servers exist — purpose-built machines designed for exactly that job.&lt;/p&gt;


&lt;h2&gt;
  
  
  🌐 How Does the Internet Fit In?
&lt;/h2&gt;

&lt;p&gt;Think of the internet as a massive postal system.&lt;/p&gt;

&lt;p&gt;Every device connected to it has an address — an IP address. When you open an app, your device sends a tiny letter to the server's address saying &lt;em&gt;"hey, give me this page."&lt;/em&gt; The server reads it, prepares the response, and sends it back to your address.&lt;/p&gt;

&lt;p&gt;This all happens through physical cables, undersea fibre lines, and wireless towers — infrastructure that spans the entire planet.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fgxq1bb3wwn3465et43bc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fgxq1bb3wwn3465et43bc.png" alt="undersea internet cable" width="800" height="400"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The internet isn't magic. It's pipes. Very fast, very global pipes.&lt;/p&gt;

&lt;p&gt;And your server needs to be connected to those pipes — with a fast, stable, always-on connection — for your app to work for anyone outside your house.&lt;/p&gt;


&lt;h2&gt;
  
  
  🏢 Enter the Data Center
&lt;/h2&gt;

&lt;p&gt;So companies needed servers. And servers needed:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Stable electricity (24/7, no cuts)&lt;/li&gt;
&lt;li&gt;Cooling systems (servers generate enormous heat)&lt;/li&gt;
&lt;li&gt;Fast internet connections&lt;/li&gt;
&lt;li&gt;Physical security&lt;/li&gt;
&lt;li&gt;People to maintain them&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You can't just put a server in your bedroom. So companies built &lt;strong&gt;data centers&lt;/strong&gt; — dedicated buildings designed specifically to house and run servers at scale.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🏢 A Data Center is basically:

⚡ Uninterrupted power supply
❄️  Industrial cooling systems
🔌  High-speed internet lines
🔒  Physical security
👨‍🔧  On-site engineers, 24/7
🖥️  Row after row after row of servers
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Big companies like banks, airlines, and retail chains built their own. Smaller companies rented space inside someone else's.&lt;/p&gt;

&lt;p&gt;Either way — it was expensive. It was slow to set up. And it came with a problem that nobody had really solved yet.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqrgn0739d4f4y9hnzi61.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqrgn0739d4f4y9hnzi61.png" alt="data center interior with rows of servers" width="800" height="534"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  💥 The Three Problems Nobody Could Fix
&lt;/h2&gt;

&lt;p&gt;This is the part we promised you.&lt;/p&gt;

&lt;p&gt;The old world wasn't just inconvenient. It was fundamentally broken in three ways.&lt;/p&gt;




&lt;h3&gt;
  
  
  Problem 1 — It Was Slow to Scale 🐢
&lt;/h3&gt;

&lt;p&gt;Your app gets popular overnight. You need more servers.&lt;/p&gt;

&lt;p&gt;But servers don't appear instantly. You order them, wait weeks for delivery, physically install them, configure them, test them.&lt;/p&gt;

&lt;p&gt;By the time you're ready — the moment is gone.&lt;/p&gt;

&lt;p&gt;And scaling &lt;em&gt;down&lt;/em&gt; was just as painful. You bought 20 servers for a big product launch. The launch ends. Now 15 servers sit idle, burning electricity, collecting dust, still costing you money every single month.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;📈 Traffic spikes     →   😤 Can't scale fast enough
📉 Traffic drops      →   💸 Still paying for unused servers
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;There was no in-between. No flexibility. Just waste.&lt;/p&gt;




&lt;h3&gt;
  
  
  Problem 2 — It Was Brutally Expensive 💰
&lt;/h3&gt;

&lt;p&gt;Let's talk numbers — even rough ones.&lt;/p&gt;

&lt;p&gt;One decent server in the early 2000s: &lt;strong&gt;$3,000–$5,000&lt;/strong&gt;&lt;br&gt;
Data center space rental per month: &lt;strong&gt;$300–$1,400+&lt;/strong&gt;&lt;br&gt;
Internet connectivity: &lt;strong&gt;$800+/month&lt;/strong&gt;&lt;br&gt;
IT staff to run it all: &lt;strong&gt;$30,000–$80,000/year per person&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;And this was just to &lt;em&gt;start&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;Most startups couldn't afford this. Which meant most ideas never became products. Not because the idea was bad — but because the infrastructure cost killed it before it could breathe.&lt;/p&gt;




&lt;h3&gt;
  
  
  Problem 3 — It Was Your Problem to Maintain 🔧
&lt;/h3&gt;

&lt;p&gt;When a server crashes at 3am — that's your problem.&lt;/p&gt;

&lt;p&gt;When a hard drive fails — that's your problem.&lt;/p&gt;

&lt;p&gt;When you need to update the operating system across 50 machines — that's your problem.&lt;/p&gt;

&lt;p&gt;Companies were spending enormous amounts of time and money just &lt;em&gt;keeping the lights on&lt;/em&gt;. Engineers who should have been building products were instead babysitting hardware.&lt;/p&gt;

&lt;p&gt;The actual work — the software, the features, the product — always came second.&lt;/p&gt;




&lt;h2&gt;
  
  
  🌩️ The Breaking Point
&lt;/h2&gt;

&lt;p&gt;By the mid-2000s, the internet was exploding.&lt;/p&gt;

&lt;p&gt;More people online. More apps. More traffic. More demand for servers than ever before.&lt;/p&gt;

&lt;p&gt;And the old model simply couldn't keep up.&lt;/p&gt;

&lt;p&gt;Startups were dying not because they had bad products — but because they couldn't afford the infrastructure to run them. Big companies were drowning in maintenance costs. Everyone was over-provisioning, over-spending, and under-delivering.&lt;/p&gt;

&lt;p&gt;Something had to give.&lt;/p&gt;

&lt;p&gt;And quietly, inside a company that was best known for selling books online — a different approach was taking shape.&lt;/p&gt;




&lt;h2&gt;
  
  
  ☁️ The Shift That Changed Everything
&lt;/h2&gt;

&lt;p&gt;Amazon had been dealing with all three of these problems internally for years.&lt;/p&gt;

&lt;p&gt;They'd built powerful infrastructure to run Amazon.com — and in doing so, they got exceptionally good at it. Then they had a thought:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;What if we let other companies use this infrastructure too?&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Rent it out. By the hour. Scale it up or down on demand. No hardware to buy. No data centers to manage. Just computing power, available instantly, over the internet.&lt;/p&gt;

&lt;p&gt;Pay for what you use. Stop paying when you don't.&lt;/p&gt;

&lt;p&gt;That idea became &lt;strong&gt;Amazon Web Services&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;And starting in 2006, the three problems that had broken the old world started to have answers.&lt;/p&gt;




&lt;h2&gt;
  
  
  🗺️ Where We Go From Here
&lt;/h2&gt;

&lt;p&gt;Chapter 1 is done. The painful backstory is behind us.&lt;/p&gt;

&lt;p&gt;Here's where we stand:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 00&lt;/strong&gt; — ✅ The origin story&lt;br&gt;
&lt;strong&gt;Ch 01&lt;/strong&gt; — ✅ The world before AWS &lt;em&gt;(you are here)&lt;/em&gt;&lt;br&gt;
&lt;strong&gt;Ch 02&lt;/strong&gt; — Virtualization &amp;amp; Cloud Models: The Missing Bridge&lt;br&gt;
&lt;strong&gt;Ch 03&lt;/strong&gt; — Welcome to AWS: Infrastructure, Console &amp;amp; Free Tier&lt;br&gt;
&lt;strong&gt;Ch 04&lt;/strong&gt; — IAM: The Gatekeeper of AWS&lt;br&gt;
&lt;strong&gt;Ch 05&lt;/strong&gt; — EC2: Your First Server in the Cloud&lt;br&gt;
&lt;strong&gt;Ch 06&lt;/strong&gt; — EBS, AMI &amp;amp; Auto Scaling: The Complete Compute Picture&lt;br&gt;
&lt;strong&gt;Ch 07&lt;/strong&gt; — AWS CLI: Stop Clicking, Start Typing&lt;br&gt;
&lt;strong&gt;Ch 08&lt;/strong&gt; — S3: Store Anything, Forever&lt;br&gt;
&lt;strong&gt;Ch 09&lt;/strong&gt; — Databases on AWS: RDS &amp;amp; DynamoDB&lt;br&gt;
&lt;strong&gt;Ch 10&lt;/strong&gt; — Serverless: Lambda, SNS &amp;amp; SQS&lt;br&gt;
&lt;strong&gt;Ch 11&lt;/strong&gt; — Monitoring &amp;amp; Secrets: CloudWatch + Secrets Manager&lt;br&gt;
&lt;strong&gt;Ch 12&lt;/strong&gt; — Networking: Route 53, CloudFront &amp;amp; VPC&lt;br&gt;
&lt;strong&gt;Ch 13&lt;/strong&gt; — Infrastructure as Code: CloudFormation &amp;amp; Terraform&lt;br&gt;
&lt;strong&gt;Ch 14&lt;/strong&gt; — Containers: ECS &amp;amp; EKS&lt;br&gt;
&lt;strong&gt;Ch 15&lt;/strong&gt; — Billing &amp;amp; Pricing: Never Get a Surprise Bill&lt;br&gt;
&lt;strong&gt;Ch 16&lt;/strong&gt; — Capstone: Build a Full Stack App on AWS&lt;br&gt;
&lt;strong&gt;Ch 17&lt;/strong&gt; — AWS vs Azure vs GCP: An Honest Comparison&lt;br&gt;
&lt;strong&gt;Ch 18&lt;/strong&gt; — What's Next: The AWS Certifications Roadmap&lt;/p&gt;

&lt;p&gt;From the next chapter — it's pure AWS. No more backstory. No more history.&lt;/p&gt;

&lt;p&gt;Just the actual services, why they exist, and how to use them.&lt;/p&gt;




&lt;h3&gt;
  
  
  One Thing Before You Click Away.
&lt;/h3&gt;

&lt;p&gt;You've just seen why the old world broke.&lt;/p&gt;

&lt;p&gt;Chapter 2 is the bridge between that broken world and AWS — the technical idea that made cloud computing &lt;em&gt;physically possible&lt;/em&gt; in the first place.&lt;/p&gt;

&lt;p&gt;It's called virtualization. And once you understand it, EC2 will make complete sense before you even launch your first instance.&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://dev.to/srsoumyax11/virtualization-cloud-models-the-missing-bridge-f60"&gt;Chapter 2: Virtualization &amp;amp; Cloud Models → (Read it here)&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Resources I'm learning from:&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://roadmap.sh/aws" rel="noopener noreferrer"&gt;roadmap.sh/aws&lt;/a&gt; — my learning roadmap&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://docs.aws.amazon.com/whitepapers/latest/aws-overview/introduction.html" rel="noopener noreferrer"&gt;AWS Official Overview Whitepaper&lt;/a&gt; — straight from the source&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;#aws #cloud #beginners #devjourney #learnaws&lt;/em&gt;&lt;/p&gt;

</description>
      <category>aws</category>
      <category>cloud</category>
      <category>computerscience</category>
    </item>
    <item>
      <title>Before You Learn AWS: The Story Behind the Cloud ☁️</title>
      <dc:creator>Soumya Ranjan 🎖️</dc:creator>
      <pubDate>Fri, 26 Jun 2026 12:50:20 +0000</pubDate>
      <link>https://dev.to/srsoumyax11/before-you-learn-aws-the-story-behind-the-cloud-2bed</link>
      <guid>https://dev.to/srsoumyax11/before-you-learn-aws-the-story-behind-the-cloud-2bed</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;This is Chapter 0 of my AWS Learning Journey series. No AWS jargon. No confusing diagrams. Just a story — and by the end of it, you'll understand why the cloud exists.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  Let me ask you something first.
&lt;/h2&gt;

&lt;p&gt;Imagine you wake up one morning with an idea.&lt;/p&gt;

&lt;p&gt;Not just any idea. &lt;strong&gt;The&lt;/strong&gt; idea.&lt;/p&gt;

&lt;p&gt;You want to build an app. Something like Instagram, but for local food lovers. People post their home-cooked meals. Others can order from them. A community kitchen — in an app.&lt;/p&gt;

&lt;p&gt;You're excited. You open your laptop. You start writing code.&lt;/p&gt;

&lt;p&gt;Days pass. Weeks pass.&lt;/p&gt;

&lt;p&gt;And then one morning — it's done. The app works. It looks beautiful. Your friends love it.&lt;/p&gt;

&lt;p&gt;You're about to launch.&lt;/p&gt;

&lt;p&gt;And then someone asks you a question you didn't expect.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;"Where is this app going to &lt;em&gt;run&lt;/em&gt;?"&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;You pause.&lt;/p&gt;

&lt;p&gt;You stare at your screen.&lt;/p&gt;

&lt;p&gt;And slowly, you realise...&lt;/p&gt;

&lt;p&gt;Writing the app was only &lt;em&gt;half&lt;/em&gt; the battle.&lt;/p&gt;




&lt;h2&gt;
  
  
  🖥️ It Has to Live Somewhere
&lt;/h2&gt;

&lt;p&gt;Here's something most tutorials skip.&lt;/p&gt;

&lt;p&gt;Software doesn't just exist in the air. It runs on &lt;strong&gt;physical machines&lt;/strong&gt; — computers with processors, memory, storage, and power.&lt;/p&gt;

&lt;p&gt;Your laptop? That's a machine.&lt;br&gt;
Your phone? That's a machine.&lt;br&gt;
Google's search engine? That's running on &lt;em&gt;millions&lt;/em&gt; of machines.&lt;/p&gt;

&lt;p&gt;When someone opens your app, their phone sends a request somewhere. And that "somewhere" is a &lt;strong&gt;server&lt;/strong&gt; — a computer that's always on, always connected to the internet, always ready to respond.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fsyhjqyn10pn46m780cbx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fsyhjqyn10pn46m780cbx.png" alt="A server rack inside a data center" width="700" height="393"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A server is basically just a very powerful computer. No screen. No keyboard. Just raw computing power, sitting in a room, waiting to do its job.&lt;/p&gt;

&lt;p&gt;So when you ask "where will my app run?" — the real answer is: &lt;strong&gt;on a server, somewhere in the world.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Now comes the interesting part.&lt;/p&gt;


&lt;h2&gt;
  
  
  📅 Let's Go Back to 1999
&lt;/h2&gt;

&lt;p&gt;You have the same idea. The food app. But it's 1999.&lt;/p&gt;

&lt;p&gt;There's no AWS. No Google Cloud. No Azure.&lt;/p&gt;

&lt;p&gt;If you want your app on the internet, here's what you have to do.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1:&lt;/strong&gt; Buy a server. (Costs: ₹5–10 lakhs minimum, or ~$5,000–10,000 USD)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 2:&lt;/strong&gt; Find a place to put it — somewhere with stable electricity, cooling, and internet.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 3:&lt;/strong&gt; Get a fast internet connection wired to that location. (Another big monthly bill)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 4:&lt;/strong&gt; Install the operating system yourself.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 5:&lt;/strong&gt; Configure the network, firewall, and security.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 6:&lt;/strong&gt; Deploy your app.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 7:&lt;/strong&gt; Hire someone to maintain all of this.&lt;/p&gt;

&lt;p&gt;And you haven't even launched yet.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;💡 App Idea
     ↓
🖥️  Buy a Server
     ↓
🏢  Rent Physical Space
     ↓
⚙️  Install &amp;amp; Configure Everything
     ↓
👨‍💻  Hire an IT Team
     ↓
🚀  Finally Launch  😅
     ↓
🙏  Pray it doesn't crash
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This is what companies actually did. Big companies like banks, airlines, hospitals — they built entire &lt;strong&gt;data centers&lt;/strong&gt;. Rooms (sometimes entire buildings) full of servers, with backup generators, cooling systems, and 24/7 staff.&lt;/p&gt;

&lt;p&gt;It was expensive. It was slow. And it had one massive problem.&lt;/p&gt;




&lt;h2&gt;
  
  
  📈 What Happens When You Get Popular?
&lt;/h2&gt;

&lt;p&gt;Let's say your app launches and suddenly — it blows up.&lt;/p&gt;

&lt;p&gt;100 users become 1,000. Then 10,000. Then overnight, some food blogger shares it and you hit 1 million users in a week.&lt;/p&gt;

&lt;p&gt;Your server starts struggling. Pages load slowly. Then they don't load at all.&lt;/p&gt;

&lt;p&gt;You need more servers. Fast.&lt;/p&gt;

&lt;p&gt;But here's the thing — you can't just &lt;em&gt;magic&lt;/em&gt; a server into existence. You have to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Order it (takes weeks to ship)&lt;/li&gt;
&lt;li&gt;Install it (takes days)&lt;/li&gt;
&lt;li&gt;Configure it (takes more days)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;By the time your new server is ready, your moment has passed. Users left. They moved on.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🚀  App goes viral
     ↓
🔥  Server overloaded
     ↓
😤  Users see errors
     ↓
📦  Order new servers
     ↓
⏳  Wait 2–4 weeks for delivery
     ↓
📬  Servers finally arrive
     ↓
💔  The moment is gone
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This wasn't a rare problem. It happened to &lt;strong&gt;everyone&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;And on the flip side — what about the slow months?&lt;/p&gt;

&lt;p&gt;You bought 10 servers to handle your peak traffic. But 8 months of the year, you're using only 2 of them. Those other 8 servers are just sitting there. Consuming electricity. Doing nothing. Costing you money every single day.&lt;/p&gt;

&lt;p&gt;You're paying for capacity you're not using.&lt;/p&gt;

&lt;p&gt;It was a lose-lose situation.&lt;/p&gt;




&lt;h2&gt;
  
  
  🤔 Someone, Somewhere Had a Wild Idea
&lt;/h2&gt;

&lt;p&gt;Around the early 2000s, a few very smart engineers started asking a question:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;What if computing power could work like electricity?&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Think about electricity. You don't build a power plant in your house. You plug into the grid. You use what you need. You pay for what you use. When you need more, you use more. When you need less, you use less.&lt;/p&gt;

&lt;p&gt;What if servers worked the same way?&lt;/p&gt;

&lt;p&gt;What if instead of buying and managing physical machines... you could just &lt;strong&gt;rent&lt;/strong&gt; computing power over the internet, scale it up or down instantly, and pay only for what you actually used?&lt;/p&gt;

&lt;p&gt;That idea — that mental shift — is what gave birth to &lt;strong&gt;cloud computing&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fbe7f1hlu9nhasxve4oa6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fbe7f1hlu9nhasxve4oa6.png" alt="Electricity power grid infrastructure" width="700" height="393"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  ☁️ What Even Is "The Cloud"?
&lt;/h2&gt;

&lt;p&gt;Here's the honest answer that most people won't give you.&lt;/p&gt;

&lt;p&gt;"The cloud" is not magic. It's not a mysterious force floating above us.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The cloud is just someone else's computer.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;More specifically — it's a massive network of servers owned by a company, connected to the internet, that you can rent and use whenever you need them.&lt;/p&gt;

&lt;p&gt;When you save a photo to Google Photos, it goes to Google's servers.&lt;br&gt;
When you watch Netflix, the video streams from Netflix's servers.&lt;br&gt;
When a company says "we moved to the cloud," they mean they stopped running their own servers and started renting space on someone else's.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Old Way 😓&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🧑‍💻 Your App  →  🖥️ Your Server  →  🏢 Your Data Center  →  😅 Your Problem
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;The Cloud Way 😎&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🧑‍💻 Your App  →  🌐 Internet  →  ☁️ Cloud Provider's Servers  →  😎 Their Problem
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Simple. Elegant. And it changed everything.&lt;/p&gt;




&lt;h2&gt;
  
  
  🚀 Enter Amazon Web Services
&lt;/h2&gt;

&lt;p&gt;Now here's a plot twist you probably didn't expect.&lt;/p&gt;

&lt;p&gt;The company that figured out how to do this at massive scale — and offer it to the world — wasn't a tech company in the traditional sense.&lt;/p&gt;

&lt;p&gt;It was a &lt;strong&gt;bookstore&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Amazon.com started in 1994 selling books online. But to run their website, they had to build an enormous amount of internal infrastructure — servers, networking, databases, storage systems.&lt;/p&gt;

&lt;p&gt;And at some point around 2002–2003, Amazon's engineers realised something.&lt;/p&gt;

&lt;p&gt;They had gotten &lt;em&gt;really, really good&lt;/em&gt; at building and managing this infrastructure. So good, in fact, that they started offering these internal tools to other developers as a service.&lt;/p&gt;

&lt;p&gt;In &lt;strong&gt;2006&lt;/strong&gt;, Amazon Web Services officially launched.&lt;/p&gt;

&lt;p&gt;And the world of software was never the same again.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Foss3p96jqiij29h4jxvq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Foss3p96jqiij29h4jxvq.png" alt="Amazon Web Services 2006 launch history" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🌍 What Does AWS Actually Give You?
&lt;/h2&gt;

&lt;p&gt;Remember our food app from the beginning?&lt;/p&gt;

&lt;p&gt;Here's that same story — but in 2025.&lt;/p&gt;

&lt;p&gt;You finish building the app. Someone asks where it will run.&lt;/p&gt;

&lt;p&gt;You smile.&lt;/p&gt;

&lt;p&gt;You open your browser. You go to AWS. You create an account.&lt;/p&gt;

&lt;p&gt;In &lt;strong&gt;15 minutes&lt;/strong&gt;, you have:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A server running somewhere in the world ✅&lt;/li&gt;
&lt;li&gt;Storage for your images and data ✅&lt;/li&gt;
&lt;li&gt;A database for your users ✅&lt;/li&gt;
&lt;li&gt;Automatic scaling — if 1 million users arrive tonight, AWS handles it ✅&lt;/li&gt;
&lt;li&gt;Pay only for what you use ✅&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;No hardware. No data center. No waiting weeks for a delivery.&lt;/p&gt;

&lt;p&gt;Just you, a browser, and the power of rented infrastructure at your fingertips.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;💡 App Idea
     ↓
👨‍💻  Write Your Code
     ↓
🌐  Open AWS Console
     ↓
⚡  Deploy in Minutes
     ↓
🎉  App is Live
     ↓
📈  Scales automatically as users grow
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That's the power of cloud computing. That's why AWS exists.&lt;/p&gt;

&lt;p&gt;And that's the foundation for everything we're going to learn in this series.&lt;/p&gt;




&lt;h2&gt;
  
  
  🗺️ Where Are We Headed?
&lt;/h2&gt;

&lt;p&gt;This was Chapter 0. The origin story.&lt;/p&gt;

&lt;p&gt;Here's the full journey ahead:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ch 00&lt;/strong&gt; — ✅ Before You Learn AWS &lt;em&gt;(you are here)&lt;/em&gt;&lt;br&gt;
&lt;strong&gt;Ch 01&lt;/strong&gt; — The World Before AWS: Computers, Servers &amp;amp; The Internet&lt;br&gt;
&lt;strong&gt;Ch 02&lt;/strong&gt; — Virtualization &amp;amp; Cloud Models: The Missing Bridge&lt;br&gt;
&lt;strong&gt;Ch 03&lt;/strong&gt; — Welcome to AWS: Infrastructure, Console &amp;amp; Free Tier&lt;br&gt;
&lt;strong&gt;Ch 04&lt;/strong&gt; — IAM: The Gatekeeper of AWS&lt;br&gt;
&lt;strong&gt;Ch 05&lt;/strong&gt; — EC2: Your First Server in the Cloud&lt;br&gt;
&lt;strong&gt;Ch 06&lt;/strong&gt; — EBS, AMI &amp;amp; Auto Scaling: The Complete Compute Picture&lt;br&gt;
&lt;strong&gt;Ch 07&lt;/strong&gt; — AWS CLI: Stop Clicking, Start Typing&lt;br&gt;
&lt;strong&gt;Ch 08&lt;/strong&gt; — S3: Store Anything, Forever&lt;br&gt;
&lt;strong&gt;Ch 09&lt;/strong&gt; — Databases on AWS: RDS &amp;amp; DynamoDB&lt;br&gt;
&lt;strong&gt;Ch 10&lt;/strong&gt; — Serverless: Lambda, SNS &amp;amp; SQS&lt;br&gt;
&lt;strong&gt;Ch 11&lt;/strong&gt; — Monitoring &amp;amp; Secrets: CloudWatch + Secrets Manager&lt;br&gt;
&lt;strong&gt;Ch 12&lt;/strong&gt; — Networking: Route 53, CloudFront &amp;amp; VPC&lt;br&gt;
&lt;strong&gt;Ch 13&lt;/strong&gt; — Infrastructure as Code: CloudFormation &amp;amp; Terraform&lt;br&gt;
&lt;strong&gt;Ch 14&lt;/strong&gt; — Containers: ECS &amp;amp; EKS&lt;br&gt;
&lt;strong&gt;Ch 15&lt;/strong&gt; — Billing &amp;amp; Pricing: Never Get a Surprise Bill&lt;br&gt;
&lt;strong&gt;Ch 16&lt;/strong&gt; — Capstone: Build a Full Stack App on AWS&lt;br&gt;
&lt;strong&gt;Ch 17&lt;/strong&gt; — AWS vs Azure vs GCP: An Honest Comparison&lt;br&gt;
&lt;strong&gt;Ch 18&lt;/strong&gt; — What's Next: The AWS Certifications Roadmap&lt;/p&gt;

&lt;p&gt;Two chapters of context. Then pure AWS — every single post.&lt;/p&gt;




&lt;h3&gt;
  
  
  Now here's the thing.
&lt;/h3&gt;

&lt;p&gt;You might be tempted to skip Chapter 1.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;"Computers, servers, internet — I already know this stuff."&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Maybe you do. But Chapter 1 isn't about what these things are.&lt;/p&gt;

&lt;p&gt;It's about &lt;strong&gt;why they broke&lt;/strong&gt; — and why that brokenness made AWS inevitable.&lt;/p&gt;

&lt;p&gt;That shift in perspective is what makes every AWS service &lt;em&gt;click&lt;/em&gt; instead of just being another thing to memorise.&lt;/p&gt;

&lt;p&gt;👉 &lt;strong&gt;&lt;a href="https://dev.to/srsoumyax11/the-world-before-aws-computers-servers-the-internet-3m0/"&gt;Chapter 1: The World Before AWS → (Read it here)&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  💬 One Last Thing Before You Go
&lt;/h2&gt;

&lt;p&gt;Most AWS tutorials throw you straight into the console.&lt;/p&gt;

&lt;p&gt;Create a bucket. Launch an instance. Configure a VPC.&lt;/p&gt;

&lt;p&gt;You click along. You follow steps. And somewhere in the middle, you realise — you have no idea &lt;em&gt;why&lt;/em&gt; you're doing any of this.&lt;/p&gt;

&lt;p&gt;This series is different.&lt;/p&gt;

&lt;p&gt;Every service we learn, we'll first ask: &lt;strong&gt;what problem does this solve?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Because that one question makes everything stick.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Resources I'm learning from:&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://roadmap.sh/aws" rel="noopener noreferrer"&gt;roadmap.sh/aws&lt;/a&gt; — my learning roadmap&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;&lt;a href="https://docs.aws.amazon.com/whitepapers/latest/aws-overview/introduction.html" rel="noopener noreferrer"&gt;AWS Official Overview Whitepaper&lt;/a&gt; — straight from the source&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;#aws #cloud #beginners #devjourney #learnaws&lt;/em&gt;&lt;/p&gt;

</description>
      <category>aws</category>
      <category>beginners</category>
      <category>cloud</category>
      <category>computerscience</category>
    </item>
    <item>
      <title>Why Installing Apps on macOS Feels So Different From Windows</title>
      <dc:creator>Soumya Ranjan 🎖️</dc:creator>
      <pubDate>Sat, 23 May 2026 09:54:43 +0000</pubDate>
      <link>https://dev.to/srsoumyax11/why-installing-apps-on-macos-feels-so-different-from-windows-1ahk</link>
      <guid>https://dev.to/srsoumyax11/why-installing-apps-on-macos-feels-so-different-from-windows-1ahk</guid>
      <description>&lt;p&gt;I recently got a chance to use a macOS laptop from my friend. He had just bought it and honestly had almost no idea how macOS worked. I had a little bit of knowledge about it, so naturally I became the “tech support guy.”&lt;/p&gt;

&lt;p&gt;One day we tried installing an app.&lt;/p&gt;

&lt;p&gt;I opened YouTube, watched 2–3 tutorials, and every video showed the exact same thing:&lt;/p&gt;

&lt;p&gt;“Just drag the app into the Applications folder.”&lt;/p&gt;

&lt;p&gt;That was it.&lt;/p&gt;

&lt;p&gt;No installer.&lt;br&gt;
No next-next-finish wizard.&lt;br&gt;
No loading bars.&lt;br&gt;
No “accept terms and conditions.”&lt;br&gt;
Nothing.&lt;/p&gt;

&lt;p&gt;At first it felt strange.&lt;/p&gt;

&lt;p&gt;As someone who used Windows for years, my brain was expecting an &lt;code&gt;.exe&lt;/code&gt; installer, registry updates, shortcuts, setup screens, and maybe even a forced restart.&lt;/p&gt;

&lt;p&gt;But on macOS?&lt;/p&gt;

&lt;p&gt;You drag an icon into a folder and suddenly the application is installed.&lt;/p&gt;

&lt;p&gt;That made me curious.&lt;/p&gt;

&lt;p&gt;Why is installing apps on macOS so simple?&lt;br&gt;
And why does Windows need installers for almost everything?&lt;/p&gt;

&lt;p&gt;So I started digging deeper, and what I found was surprisingly interesting.&lt;/p&gt;


&lt;h2&gt;
  
  
  The First Weird Discovery
&lt;/h2&gt;

&lt;p&gt;On macOS, applications usually end with &lt;code&gt;.app&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;At first, I thought &lt;code&gt;.app&lt;/code&gt; in macOS was equivalent to &lt;code&gt;.exe&lt;/code&gt; in Windows.&lt;/p&gt;

&lt;p&gt;Turns out that assumption is completely wrong.&lt;/p&gt;

&lt;p&gt;I opened the Applications folder from the terminal and listed its contents.&lt;/p&gt;

&lt;p&gt;Everything looked normal at first:&lt;br&gt;
Firefox.app&lt;br&gt;
Safari.app&lt;br&gt;
Discord.app&lt;/p&gt;

&lt;p&gt;These looked like executable files.&lt;/p&gt;

&lt;p&gt;But when I checked their actual file type, something unexpected appeared.&lt;/p&gt;

&lt;p&gt;They were not files.&lt;/p&gt;

&lt;p&gt;They were directories.&lt;/p&gt;

&lt;p&gt;Folders.&lt;/p&gt;

&lt;p&gt;That completely changed my understanding.&lt;/p&gt;

&lt;p&gt;Finder, the macOS file manager, visually shows applications like single executable objects. But internally, they are actually structured folders containing many files.&lt;/p&gt;

&lt;p&gt;In simple words:&lt;/p&gt;

&lt;p&gt;A macOS app is basically a special folder pretending to be a single application.&lt;/p&gt;


&lt;h2&gt;
  
  
  Why Double-Clicking Works in Finder But Not in Terminal
&lt;/h2&gt;

&lt;p&gt;Here’s where things become interesting.&lt;/p&gt;

&lt;p&gt;If you double-click Firefox in Finder, the browser launches normally.&lt;/p&gt;

&lt;p&gt;But if you try running &lt;code&gt;Firefox.app&lt;/code&gt; directly from the terminal like an executable, it fails.&lt;/p&gt;

&lt;p&gt;Why?&lt;/p&gt;

&lt;p&gt;Because the terminal and the kernel see reality differently than Finder does.&lt;/p&gt;

&lt;p&gt;The kernel only sees a directory.&lt;br&gt;
And directories cannot be executed as programs.&lt;/p&gt;

&lt;p&gt;This confusion happens because Finder abstracts the complexity away from users.&lt;/p&gt;

&lt;p&gt;Finder says:&lt;/p&gt;

&lt;p&gt;“Hey, this folder should behave like an application.”&lt;/p&gt;

&lt;p&gt;The terminal says:&lt;/p&gt;

&lt;p&gt;“That’s literally just a folder.”&lt;/p&gt;

&lt;p&gt;And technically, the terminal is correct.&lt;/p&gt;


&lt;h2&gt;
  
  
  What Actually Happens When a Program Launches
&lt;/h2&gt;

&lt;p&gt;In Unix-like systems such as macOS and Linux, launching a program usually involves system calls like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;fork()&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;execve()&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The operating system creates a process and then replaces it with the executable program.&lt;/p&gt;

&lt;p&gt;But here’s the problem:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;Firefox.app&lt;/code&gt; itself is not the executable.&lt;/p&gt;

&lt;p&gt;It is only a container.&lt;/p&gt;

&lt;p&gt;The real executable binary exists somewhere inside that folder.&lt;/p&gt;

&lt;p&gt;So when the terminal tries to execute the &lt;code&gt;.app&lt;/code&gt; path directly, the kernel refuses because it received a directory instead of a binary executable file.&lt;/p&gt;

&lt;p&gt;That’s why macOS provides the &lt;code&gt;open&lt;/code&gt; command.&lt;/p&gt;

&lt;p&gt;When you run:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;open Firefox.app
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;macOS internally checks the application bundle, finds the real executable, and launches it properly.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Idea of Application Bundles
&lt;/h2&gt;

&lt;p&gt;At this point, another question appeared in my head.&lt;/p&gt;

&lt;p&gt;If applications are just executable files, why not simply keep all executables in one folder?&lt;/p&gt;

&lt;p&gt;Because modern applications are much bigger than a single binary.&lt;/p&gt;

&lt;p&gt;A real desktop application usually contains:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Icons&lt;/li&gt;
&lt;li&gt;Images&lt;/li&gt;
&lt;li&gt;Fonts&lt;/li&gt;
&lt;li&gt;Configuration files&lt;/li&gt;
&lt;li&gt;Dynamic libraries&lt;/li&gt;
&lt;li&gt;Plugins&lt;/li&gt;
&lt;li&gt;Localization files&lt;/li&gt;
&lt;li&gt;Frameworks&lt;/li&gt;
&lt;li&gt;Assets&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;All these resources are necessary for the application to function properly.&lt;/p&gt;

&lt;p&gt;macOS solves this problem using something called an &lt;strong&gt;Application Bundle&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Instead of scattering dozens of files across the system, macOS groups everything into a single structured folder with the &lt;code&gt;.app&lt;/code&gt; extension.&lt;/p&gt;

&lt;p&gt;To the user, it looks like one app.&lt;br&gt;
Internally, it is an organized package.&lt;/p&gt;

&lt;p&gt;Honestly, this is a very elegant design.&lt;/p&gt;


&lt;h2&gt;
  
  
  Finder Is Not the Kernel
&lt;/h2&gt;

&lt;p&gt;One of the most important things I learned during this exploration was this:&lt;/p&gt;

&lt;p&gt;The kernel is not responsible for how applications look in the graphical interface.&lt;/p&gt;

&lt;p&gt;That responsibility belongs to user-space programs like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Finder&lt;/li&gt;
&lt;li&gt;Desktop environments&lt;/li&gt;
&lt;li&gt;File managers&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The kernel only provides access to the filesystem.&lt;/p&gt;

&lt;p&gt;The graphical layer decides how things should appear to humans.&lt;/p&gt;

&lt;p&gt;That means Finder intentionally hides complexity.&lt;/p&gt;

&lt;p&gt;It sees a &lt;code&gt;.app&lt;/code&gt; directory and says:&lt;/p&gt;

&lt;p&gt;“I will display this as a beautiful application icon instead of a normal folder.”&lt;/p&gt;

&lt;p&gt;This is why macOS feels polished.&lt;/p&gt;

&lt;p&gt;A lot of complexity is hidden behind abstractions.&lt;/p&gt;


&lt;h2&gt;
  
  
  What Exists Inside a macOS App?
&lt;/h2&gt;

&lt;p&gt;Once I discovered &lt;code&gt;.app&lt;/code&gt; files were folders, I wanted to see what was actually inside them.&lt;/p&gt;

&lt;p&gt;macOS allows this through:&lt;/p&gt;

&lt;p&gt;“Show Package Contents”&lt;/p&gt;

&lt;p&gt;And suddenly the illusion disappears.&lt;/p&gt;

&lt;p&gt;Inside a typical app bundle, you usually find something like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;MyApp.app
└── Contents
    ├── MacOS
    ├── Resources
    ├── Frameworks
    └── Info.plist
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Each folder has a specific purpose.&lt;/p&gt;

&lt;h3&gt;
  
  
  MacOS
&lt;/h3&gt;

&lt;p&gt;Contains the actual executable binary.&lt;/p&gt;

&lt;h3&gt;
  
  
  Resources
&lt;/h3&gt;

&lt;p&gt;Contains icons, images, assets, localization files, and UI resources.&lt;/p&gt;

&lt;h3&gt;
  
  
  Frameworks
&lt;/h3&gt;

&lt;p&gt;Contains dependencies and libraries the app needs.&lt;/p&gt;

&lt;h3&gt;
  
  
  Info.plist
&lt;/h3&gt;

&lt;p&gt;This is the most important file.&lt;/p&gt;

&lt;p&gt;It tells macOS things like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Application name&lt;/li&gt;
&lt;li&gt;Executable location&lt;/li&gt;
&lt;li&gt;App icon&lt;/li&gt;
&lt;li&gt;Version information&lt;/li&gt;
&lt;li&gt;Supported file types&lt;/li&gt;
&lt;li&gt;Permissions&lt;/li&gt;
&lt;li&gt;Capabilities&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In many ways, &lt;code&gt;Info.plist&lt;/code&gt; acts like the identity card of the application.&lt;/p&gt;

&lt;p&gt;Finder reads this file to understand how the application should behave.&lt;/p&gt;




&lt;h2&gt;
  
  
  Why Windows Uses Installers
&lt;/h2&gt;

&lt;p&gt;Then I compared this behavior with Windows.&lt;/p&gt;

&lt;p&gt;On Windows, applications are usually stored inside:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;Program Files&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Program Files (x86)&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;But unlike macOS, Windows does not treat application folders as special bundles.&lt;/p&gt;

&lt;p&gt;Instead, Windows relies heavily on executable files (&lt;code&gt;.exe&lt;/code&gt;) and something extremely important called the &lt;strong&gt;Windows Registry&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;The registry is basically a massive centralized database that stores information about installed applications.&lt;/p&gt;

&lt;p&gt;Things like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;File associations&lt;/li&gt;
&lt;li&gt;Default programs&lt;/li&gt;
&lt;li&gt;Start menu integration&lt;/li&gt;
&lt;li&gt;Uninstall information&lt;/li&gt;
&lt;li&gt;Application paths&lt;/li&gt;
&lt;li&gt;Context menu actions&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is why Windows installers exist.&lt;/p&gt;

&lt;p&gt;The installer does more than just copying files.&lt;/p&gt;

&lt;p&gt;It also:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Updates the registry&lt;/li&gt;
&lt;li&gt;Creates shortcuts&lt;/li&gt;
&lt;li&gt;Registers file types&lt;/li&gt;
&lt;li&gt;Integrates the app into the operating system&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Without these setup steps, Windows would not fully recognize the application.&lt;/p&gt;

&lt;p&gt;So in Windows, installation is not only about placing files somewhere.&lt;/p&gt;

&lt;p&gt;It is about integrating the app into the entire operating system.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Interesting Difference
&lt;/h2&gt;

&lt;p&gt;This is where the real philosophical difference appears.&lt;/p&gt;

&lt;p&gt;macOS bundles most application metadata inside the application itself.&lt;/p&gt;

&lt;p&gt;Windows stores much of that information separately in the registry.&lt;/p&gt;

&lt;p&gt;macOS says:&lt;br&gt;
“The app carries its own identity.”&lt;/p&gt;

&lt;p&gt;Windows says:&lt;br&gt;
“The system keeps track of the app.”&lt;/p&gt;

&lt;p&gt;Neither design is necessarily wrong.&lt;/p&gt;

&lt;p&gt;They are simply different approaches.&lt;/p&gt;




&lt;h2&gt;
  
  
  What About Linux?
&lt;/h2&gt;

&lt;p&gt;Linux becomes even more interesting.&lt;/p&gt;

&lt;p&gt;Linux itself is only a kernel.&lt;/p&gt;

&lt;p&gt;Different Linux distributions combine that kernel with different desktop environments, package managers, and user-space utilities.&lt;/p&gt;

&lt;p&gt;Because of that, Linux does not have one universal installation method.&lt;/p&gt;

&lt;p&gt;Some systems use:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;.deb&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;.rpm&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Flatpak&lt;/li&gt;
&lt;li&gt;Snap&lt;/li&gt;
&lt;li&gt;AppImage&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Different desktop environments also handle applications differently.&lt;/p&gt;

&lt;p&gt;However, many Linux systems follow shared standards like the XDG Desktop Entry Specification to improve compatibility between environments.&lt;/p&gt;

&lt;p&gt;But compared to macOS and Windows, Linux gives much more flexibility — and sometimes much more chaos.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Real Reason macOS Installation Feels Magical
&lt;/h2&gt;

&lt;p&gt;After understanding all this, the “drag and drop installation” no longer felt magical.&lt;/p&gt;

&lt;p&gt;It finally made sense.&lt;/p&gt;

&lt;p&gt;When you drag an app into the Applications folder on macOS, you are not installing a tiny executable.&lt;/p&gt;

&lt;p&gt;You are moving an entire self-contained application bundle.&lt;/p&gt;

&lt;p&gt;Everything the application needs already exists inside that package.&lt;/p&gt;

&lt;p&gt;Finder simply understands how to interpret and launch it.&lt;/p&gt;

&lt;p&gt;And honestly, once you understand the architecture behind it, the design feels incredibly smart.&lt;/p&gt;

&lt;p&gt;What looked simple on the surface was actually hiding a beautifully engineered system underneath.&lt;/p&gt;

</description>
      <category>beginners</category>
      <category>discuss</category>
      <category>software</category>
      <category>ux</category>
    </item>
  </channel>
</rss>
