#AWS
13 posts
-
Understanding AWS Credential Federation — How IAM, STS, and OIDC Actually Fit Together
A foundational guide for engineers who followed a GitHub Actions OIDC tutorial but still aren't sure what STS really is, why it has no console page, what 'federation' actually means, or why the trust policy's sub condition matters so much. Covers IAM/STS/OIDC mechanics in depth, plus SAML, IAM Identity Center, and EKS IRSA as variants of the same pattern.
-
AWS Private EC2 Operations Guide Part 5: Cost Analysis and Optimization — NAT, ALB, EC2, and Data Transfer
Take apart, line by line, the monthly bill of the environment built in Parts 1–4, and find where to cut. Real numbers for NAT Gateway, ALB, EC2, and data transfer; the levers that matter (S3 Gateway Endpoint, Graviton, Savings Plans); and budget templates for side-project, startup, and enterprise tiers.
-
AWS Private EC2 Operations Guide Part 4: Deploying to Private EC2 from GitHub Actions — OIDC, SSM Run Command, CodeDeploy
Build a deployment pipeline that puts no port 22 and no AWS access key on the path. OIDC federation removes static credentials, S3 acts as the artifact hub, and either SSM Run Command (simple) or CodeDeploy (zero-downtime) lands the code on the instance.
-
AWS Private EC2 Operations Guide Part 3: Connecting Without Bastion via SSM Session Manager — IAM Role, VPC Endpoint, and Port Forwarding
How to land a shell on a Private EC2 without ever opening port 22. The mechanics of SSM Session Manager (the agent polls AWS), the three prerequisites (Agent / IAM / network path), the cost trade-off between NAT Gateway and VPC Endpoints, and the port-forwarding pattern that securely reaches RDS without a VPN.
-
AWS Private EC2 Operations Guide Part 2: Building VPC Infrastructure with Terraform — VPC/Subnet/Route Table/SG/ALB/EC2 in a Single main.tf
Turn the Part 1 architecture into real code. We build a 10.0.0.0/16 VPC, 2-AZ Public/Private subnets, IGW/NAT Gateway, the SG-references-SG pattern, and ALB + EC2 — all in one main.tf that comes up with a single terraform apply.
-
AWS Private EC2 Operations Guide Part 1: Why Private Subnet? — The ALB + NAT Gateway Standard Architecture and Sizing-Based Decision Criteria
We unpack the 'why' behind the standard pattern of placing EC2 in a Private Subnet wrapped by ALB and NAT Gateway. Public IPv4 vs Elastic IP, sizing recommendations, HA basics, and the concrete risks of putting PII-handling servers in a Public Subnet. Part 1 of a Bastion-less AWS EC2 operations series.
-
Terraform Fundamentals: A Complete Guide
A comprehensive guide covering IaC fundamentals, Terraform core concepts, workflow, state management, and modules for developers getting started with infrastructure as code
-
Building a GitOps Pipeline with ArgoCD on EKS
A guide to installing ArgoCD on EKS and building a complete GitOps CI/CD pipeline with GitHub Actions
-
Production-Level EKS Cluster Setup Guide
A practical guide to building production-grade EKS clusters from eksctl to Terraform, including networking setup
-
AWS Database Selection Guide: EC2+Docker vs RDS vs Aurora
How to choose between running a DB directly on EC2 with Docker, RDS, Aurora, and Aurora Serverless v2 — a detailed comparison based on cost, performance, and operational burden
-
Complete Guide to AWS CLI Setup and Resource Queries
A comprehensive guide to AWS CLI authentication methods (CloudShell, IAM Identity Center, access keys) and resource query commands for major services
-
AWS Bastion Host Setup Guide
A complete guide to configuring SSH access to Private EC2 instances through a Bastion Host
-
AWS EC2 Guide
A complete guide from EC2 instance basics to production operations