# AWS Core Services Cheatsheet: Quick Reference Guide
This page covers the AWS services you will encounter most often in cloud engineering, DevOps, and SRE roles. It is organised by category with a brief description of each service and when to reach for it.
## Compute
### EC2 (Elastic Compute Cloud)
Virtual machines on AWS. You choose the OS, instance size, and configuration. Instances are billed per second (minimum 60 seconds) while running.
EC2 instance families
| Family | Purpose | Example types |
|---|---|---|
| General purpose | Balanced CPU/memory for most workloads | t3, m6i, m7i |
| Compute optimised | High CPU-to-memory ratio | c6i, c7i |
| Memory optimised | High memory for in-memory databases | r6i, r7i, x2idn |
| Storage optimised | High local disk throughput and IOPS | i3, i4i, d3 |
| GPU / accelerated | ML training, video encoding, HPC | p4, g5, inf2 |
t3 instances are burstable — cheap for low-CPU workloads that occasionally spike. m6i is a solid default for most web applications.
### Auto Scaling Groups (ASG)
Automatically add or remove EC2 instances based on demand or a schedule. Used with a load balancer to distribute traffic across the fleet. Define minimum, desired, and maximum instance counts.
### Elastic Beanstalk
A managed platform for deploying web applications. You upload your code; Beanstalk handles provisioning, load balancing, scaling, and health monitoring. Good for teams that want a simple deployment model without managing underlying infrastructure directly.
### Lambda
Serverless function execution. You provide code; AWS runs it in response to events (HTTP request via API Gateway, S3 upload, SQS message, scheduled cron, etc.). Billed per request and per 100ms of execution. Maximum timeout is 15 minutes. No server management required.
### ECS (Elastic Container Service)
AWS-native container orchestration. Run Docker containers on a cluster of EC2 instances (EC2 launch type) or without managing instances at all (Fargate launch type). Simpler than Kubernetes; integrates tightly with other AWS services.
### EKS (Elastic Kubernetes Service)
Managed Kubernetes on AWS. AWS handles the control plane; you manage worker nodes (or use Fargate for serverless node management). Use when you need Kubernetes compatibility, multi-cloud portability, or the full Kubernetes ecosystem.
### Fargate
Serverless compute for containers. Works with both ECS and EKS. You define CPU and memory per task/pod; AWS provisions the underlying infrastructure. No EC2 instances to patch or manage.
## Storage
### S3 (Simple Storage Service)
Object storage. Store files (objects) in buckets. Accessed via HTTP API. Highly durable (11 nines). Used for backups, static website hosting, data lakes, application assets, and log archives.
S3 storage classes
| Class | Use case | Retrieval |
|---|---|---|
| Standard | Frequently accessed data | Immediate |
| Intelligent-Tiering | Unknown or changing access patterns | Immediate (auto-moves between tiers) |
| Standard-IA | Infrequently accessed, needs fast retrieval | Immediate |
| Glacier Instant Retrieval | Archives accessed a few times per year | Milliseconds |
| Glacier Flexible Retrieval | Archives rarely accessed | Minutes to hours |
| Glacier Deep Archive | Lowest cost long-term archive | 12 hours |
### EBS (Elastic Block Store)
Block storage volumes attached to EC2 instances. Behaves like a local disk. Not shared: one volume attaches to one instance at a time (except io2 volumes with Multi-Attach enabled).
EBS volume types
| Type | Characteristics |
|---|---|
| gp3 | General purpose SSD, cost-effective default |
| io2 / io2 Block Express | High-performance SSD for I/O-intensive databases |
| st1 | Throughput-optimised HDD for sequential workloads |
| sc1 | Cold HDD, lowest cost for infrequently accessed data |
### EFS (Elastic File System)
Managed NFS file system. Can be mounted by multiple EC2 instances simultaneously, including across Availability Zones. Scales automatically. Good for shared application configurations, CMS media, and container persistent storage.
### FSx
Managed file systems for specific use cases. FSx for Windows File Server provides SMB-compatible shares. FSx for Lustre provides high-performance parallel storage for HPC and ML workloads.
## Networking
### VPC (Virtual Private Cloud)
Your isolated private network in AWS. All resources launch into a VPC. You define the IP address range (CIDR), subnets, route tables, and security settings.
Key VPC components
| Component | Purpose |
|---|---|
| Subnet | Subdivision of a VPC tied to one Availability Zone |
| Internet Gateway (IGW) | Enables internet access for resources in public subnets |
| NAT Gateway | Allows private subnet resources to reach the internet without being reachable from it |
| Route Table | Rules controlling where network traffic is directed |
| Security Group | Stateful firewall at the resource (instance) level |
| Network ACL | Stateless firewall at the subnet level |
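To make the stateful/stateless distinction in the table concrete, here is an added toy packet filter (example code, not AWS's implementation): a Security Group admits the reply to a connection it has already allowed, while a Network ACL needs an explicit outbound rule covering the client's ephemeral port. The hosts, ports and rules below are constructed samples.

```python
# Added example, not AWS code: a toy packet filter showing why a Security Group
# (stateful) passes reply traffic while a Network ACL (stateless) needs an
# explicit outbound rule for ephemeral ports. Hosts and ports are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the protected resource
    src: str
    dst: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    direction: str
    port_from: int
    port_to: int
    allow: bool = True  # NACL rules may deny; Security Groups only allow
    def matches(self, p):
        return p.direction == self.direction and self.port_from <= p.dst_port <= self.port_to

class SecurityGroup:
    """Stateful: a connection it admits is tracked, so the reply passes."""
    def __init__(self, rules):
        self.rules = [r for r in rules if r.allow]  # SGs have no deny rules
        self.flows = set()
    def allows(self, p):
        if (p.dst, p.src, p.dst_port, p.src_port) in self.flows:  # reply to a tracked flow
            return True
        if any(r.matches(p) for r in self.rules):
            self.flows.add((p.src, p.dst, p.src_port, p.dst_port))
            return True
        return False

class NetworkAcl:
    """Stateless: every packet is checked on its own, first matching rule wins."""
    def __init__(self, rules):
        self.rules = list(rules)
    def allows(self, p):
        for r in self.rules:
            if r.matches(p):
                return r.allow
        return False  # implicit deny at the end of every NACL

def https_exchange(filt):
    """(request_allowed, reply_allowed) for one client -> server HTTPS request."""
    request = Packet("in", "203.0.113.7", "10.0.1.5", 51234, 443)
    reply = Packet("out", "10.0.1.5", "203.0.113.7", 443, 51234)
    return filt.allows(request), filt.allows(reply)
```

With only an inbound 443 rule, `https_exchange` returns `(True, True)` for a Security Group but `(True, False)` for a Network ACL until an outbound rule for ports 1024-65535 is added.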
### Route 53
Managed DNS service. Supports A, AAAA, CNAME, MX, TXT, and alias records. Includes health checks and DNS failover routing. Can route based on latency, geolocation, or weighted rules.
### CloudFront
Content Delivery Network (CDN). Caches content at edge locations globally to reduce latency for end users. Integrates with S3 (for static sites) and ALB or EC2 (for dynamic content). Also provides DDoS protection via AWS Shield Standard.
### Elastic Load Balancing
| Type | Layer | Use case |
|---|---|---|
| ALB (Application Load Balancer) | L7 (HTTP/HTTPS) | Path-based routing, host-based routing, WebSockets |
| NLB (Network Load Balancer) | L4 (TCP/UDP) | Ultra-low latency, static IP, non-HTTP protocols |
| CLB (Classic Load Balancer) | L4/L7 | Legacy only — do not use for new workloads |
### VPC Peering vs Transit Gateway
VPC Peering connects two VPCs directly. Does not support transitive routing (A→B and B→C does not mean A→C). Works across accounts and regions.
Transit Gateway acts as a central hub connecting many VPCs and on-premises networks. Supports transitive routing. Simpler to manage at scale than a full mesh of VPC peering connections.
## Database
### RDS (Relational Database Service)
Managed relational databases. Supports MySQL, PostgreSQL, MariaDB, Oracle, and SQL Server. AWS handles backups, patching, failover, and replication. Multi-AZ deployment provides automatic failover.
### Aurora
AWS-native relational database. Compatible with MySQL and PostgreSQL. Distributed storage that replicates across 3 AZs with 6 copies of data. Up to 5x faster than standard MySQL. Aurora Serverless v2 scales capacity automatically and is a good default for variable workloads.
### DynamoDB
Fully managed NoSQL database. Supports key-value and document data models. Single-digit millisecond latency at any scale. Serverless — no cluster to provision. Good for session stores, gaming leaderboards, IoT data, and any workload with high-velocity reads and writes.
### ElastiCache
Managed in-memory caching. Supports Redis (rich data structures, persistence, pub/sub, cluster mode) and Memcached (simpler, multi-threaded). Use in front of RDS or DynamoDB to reduce latency and cost for frequently read data.
### Redshift
Managed data warehouse. Columnar storage optimised for analytical queries across large datasets. Integrates with S3 (via Redshift Spectrum to query data directly in S3), Glue, and QuickSight. Use for business intelligence, reporting, and ad-hoc analytics.
## IAM and Security
| Service / Concept | Purpose |
|---|---|
| IAM Users | Long-lived identities for humans — prefer SSO/federated identity at scale |
| IAM Groups | Collections of users; attach policies to a group rather than individual users |
| IAM Roles | Temporary credentials assumed by services, EC2 instances, Lambda functions, or federated users |
| IAM Policies | JSON documents defining allowed or denied actions on resources |
| AWS Organizations | Manage multiple AWS accounts; apply SCPs across the org |
| SCPs (Service Control Policies) | Guardrails on what actions can be performed in member accounts — even by root users |
| KMS (Key Management Service) | Create and manage encryption keys; integrates with S3, EBS, RDS, and most AWS services |
| Secrets Manager | Store and rotate credentials, API keys, and database passwords automatically |
| Parameter Store | SSM feature for storing configuration values and secrets; cheaper than Secrets Manager for non-rotating values |
| CloudTrail | Logs every API call made in your AWS account — essential for security audits |
| GuardDuty | Threat detection using ML; analyses CloudTrail, VPC Flow Logs, and DNS logs to identify anomalous behaviour |
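An added toy evaluator (example code, not the AWS policy engine) for how the IAM policies and SCPs in the table combine: an explicit Deny anywhere wins, otherwise both the SCP layer and the identity policy must Allow, and everything else is implicitly denied. The policy documents, bucket name and account id are constructed, and policy conditions are not modelled.

```python
# Added example, not the AWS policy engine: a toy evaluator for the ordering
# the table describes. An explicit Deny in any applicable statement wins;
# otherwise the SCP layer (when SCPs are attached) and the identity policy must
# both Allow; anything else is an implicit deny. Conditions are not modelled and
# wildcards use fnmatch as an approximation of IAM's '*' and '?' matching.
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))

def _layer(policies, action, resource):
    """'Deny', 'Allow' or None (implicit deny) for one layer of policy documents."""
    result = None
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            result = "Allow"
    return result

def is_allowed(action, resource, identity_policies, scps=()):
    """SCPs bound what the whole account may do; identity policies grant within it."""
    if scps and _layer(scps, action, resource) != "Allow":
        return False
    return _layer(identity_policies, action, resource) == "Allow"

# Constructed sample documents (hypothetical bucket name and account id)
DEV_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-logs/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Guardrail SCP: keep full access but block creating long-lived IAM users,
# even for administrators of the member account
NO_IAM_USERS_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}]}
```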
## Serverless and Application Services
| Service | Purpose |
|---|---|
| Lambda | Event-driven function execution |
| API Gateway | HTTP API front end for Lambda or any HTTP backend; handles auth, throttling, and caching |
| SQS (Simple Queue Service) | Managed message queue; decouples producers from consumers; standard (at-least-once) and FIFO queues |
| SNS (Simple Notification Service) | Pub/sub messaging; fan out notifications to multiple subscribers (SQS, Lambda, email, HTTP) |
| EventBridge | Serverless event bus; route events from AWS services, custom apps, or SaaS partners to targets |
| Step Functions | Visual workflow orchestration; chain Lambda functions and AWS service calls with error handling and retries |
## Monitoring
| Service | Purpose |
|---|---|
| CloudWatch Metrics | Time-series metrics from AWS services and custom applications |
| CloudWatch Logs | Log storage and querying; use Logs Insights for SQL-like log queries |
| CloudWatch Alarms | Trigger notifications or Auto Scaling actions when metrics cross thresholds |
| CloudTrail | API call audit logging — separate from CloudWatch |
| AWS Config | Track configuration changes to AWS resources; evaluate against compliance rules |
| X-Ray | Distributed tracing for applications built on Lambda, ECS, EC2, and API Gateway |
## AWS Certification Path
| Level | Certification |
|---|---|
| Foundational | AWS Certified Cloud Practitioner |
| Associate | Solutions Architect Associate, SysOps Administrator Associate, Developer Associate |
| Professional | Solutions Architect Professional, DevOps Engineer Professional |
| Specialty | Security, Networking, Database, Machine Learning, Data Analytics, and others |
For most engineers entering cloud roles, Solutions Architect Associate is the recommended starting point after Cloud Practitioner.