00. AWS core — ELI5

AWS is a country-sized data centre split into walled cities. Each city (region) has its own buildings (services). Inside, IAM is the guard who checks your badge for every door. VPC is the city's road network. EC2 is rentable rooms. S3 is the city archive. RDS is the operated database department. Everything you do in AWS is one of these.


You walk into an AWS region — say ap-south-1 (Mumbai). The first thing you encounter is the guard: IAM (Identity and Access Management). The guard checks your badge: who you are, what you're allowed to do, and on which resources. Before you can do anything else, IAM has to say yes.

Past the guard, you see the road network: the VPC (Virtual Private Cloud). This is your private slice of the region. Subnets are blocks; route tables tell traffic where to go; security groups are doormen at each building.

In the VPC, you see rented rooms: EC2 instances. Each is a virtual computer you operate. Above EC2, there are buildings that operate themselves: RDS (managed databases), S3 (object storage), Lambda (run code on demand), SQS (queues — separate module), CloudWatch (logging and metrics).

The pattern is: AWS handles undifferentiated heavy lifting; you compose services that you don't have to operate. The cost is a learning curve — each service has its own model, its own quirks, its own cost surprises.
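The guard's decision in the tour above can be modelled in a few lines. The block below is an added example, not code from the module: a toy evaluator over a constructed policy document that keeps the two IAM rules worth learning first (anything not explicitly allowed is denied, and an explicit Deny beats any Allow). The policy, bucket name and account id `111122223333` are constructed placeholders; real IAM also layers SCPs, permission boundaries and resource policies, which this omits.

```python
# Added example (not from the original module): a toy model of the IAM
# "guard" deciding who may do what on which resource. Only two real IAM
# rules are modelled: default deny, and explicit Deny overriding Allow.
from fnmatch import fnmatchcase

# Constructed sample policy: a deploy role may read one bucket and launch
# instances in ap-south-1, but is explicitly denied any S3 delete action.
DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-archive",
                      "arn:aws:s3:::example-archive/*"]},
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:ap-south-1:111122223333:instance/*"},
        {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, fold_case):
    # IAM treats '*' and '?' as wildcards; action names are matched
    # case-insensitively, resource ARNs are matched as written.
    if fold_case:
        candidate = candidate.lower()
    return any(fnmatchcase(candidate, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """True only if some statement allows (action, resource) and none
    denies it. Anything the policy does not mention is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action, fold_case=True)
                and _matches(stmt["Resource"], resource, fold_case=False)):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny wins over every Allow
        allowed = True
    return allowed


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-archive/r.csv"),
                     ("s3:DeleteObject", "arn:aws:s3:::example-archive/r.csv"),
                     ("ec2:RunInstances", "arn:aws:ec2:us-east-1:111122223333:instance/*")]:
        print(act, res, "->", "allow" if is_allowed(DEPLOY_POLICY, act, res) else "deny")
```

Note that the third check is denied only because the Allow is scoped to ap-south-1, which is the per-region point made later on this page.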


The recurring vocabulary

| Name | What it is |
|---|---|
| account | the top-level billing/security boundary; one account = one bill, one IAM root |
| region | a geographically separate cluster of data centres (e.g., us-east-1, ap-south-1) |
| availability zone (AZ) | a data centre within a region; multi-AZ deployments survive single-DC failure |
| IAM | the identity service; users, roles, policies, permissions |
| VPC | virtual private cloud: your private network in a region |
| subnet | a CIDR slice of the VPC; placed in one AZ |
| security group | a stateful firewall attached to an instance/resource |
| EC2 | virtual machines |
| S3 | object storage; effectively unlimited; eventually consistent in places |
| RDS | managed relational databases (Postgres, MySQL, Aurora) |
| CloudWatch | the logs + metrics + alarms service |
| Route 53 | DNS |
| ELB | load balancers (Application, Network, Gateway) |

The picture

        ┌───────────────────────────────────────────────────────────┐
        │  AWS Account (billing + IAM root)                         │
        │                                                           │
        │  ┌─────────────────────────────────────────────────────┐  │
        │  │  Region: ap-south-1 (Mumbai)                        │  │
        │  │                                                     │  │
        │  │  ┌────────────────┐  ┌────────────────┐  ┌───────┐  │  │
        │  │  │  AZ 1a         │  │  AZ 1b         │  │ AZ 1c │  │  │
        │  │  │                │  │                │  │       │  │  │
        │  │  │  Subnet        │  │  Subnet        │  │       │  │  │
        │  │  │  (public)      │  │  (private)     │  │       │  │  │
        │  │  │                │  │                │  │       │  │  │
        │  │  │  EC2 ──→ ELB   │  │  RDS primary   │  │       │  │  │
        │  │  │                │  │  RDS replica   │  │       │  │  │
        │  │  └────────────────┘  └────────────────┘  └───────┘  │  │
        │  │                                                     │  │
        │  │  ┌───────────────────────────────────────────────┐  │  │
        │  │  │ S3 buckets (regional, multi-AZ)               │  │  │
        │  │  └───────────────────────────────────────────────┘  │  │
        │  │                                                     │  │
        │  │  IAM (account-wide; not in any subnet)              │  │
        │  │  CloudWatch (account-wide per region)               │  │
        │  └─────────────────────────────────────────────────────┘  │
        │                                                           │
        │  (Other regions exist; resources are mostly per-region)   │
        └───────────────────────────────────────────────────────────┘

The hierarchy: account → region → AZ → resources. IAM and S3 are mostly account-wide. EC2, RDS, ELB are AZ-aware (deploy across AZs for HA).


Two facts that surprise new AWS users

Most things are per-region. An S3 bucket in us-east-1 is not visible in ap-south-1 without cross-region replication. An EC2 instance in us-east-1 cannot directly join a VPC in ap-south-1. Multi-region requires explicit setup.

Cost is opaque until you watch it. A single misconfigured resource (NAT Gateway, NAT traffic, cross-AZ transfer, CloudWatch log ingest, KMS API calls) can cost ₹10,000-₹100,000 in a month. The bill arrives 30 days later, often with surprises. Cost monitoring is not optional.


What this module covers

  1. 01-iam-vpc-account-internals.md — IAM identity model, VPC networking primitives, security groups, the account structure.
  2. 02-ec2-s3-rds-day-to-day.md — EC2 instances, S3 buckets and objects, RDS databases, the services you touch daily.
  3. 03-cost-quotas-region-prod-gotchas.md — Cost surprises, service quotas, multi-region patterns, the production gotchas.

What this module is not about

  • All 200+ AWS services. This module covers the core that 80% of teams use 80% of the time.
  • AWS certification material per se. The material may overlap; the goal is production fluency, not certification.
  • Comparisons to GCP or Azure. Touched lightly where relevant.

Bridge. Before launching anything in AWS, we see the guard (IAM) and the road network (VPC). Chapter 01 opens both. → 01-iam-vpc-account-internals.md