Compute and Storage Cheat Sheet
EC2 instance types are grouped into families signaled by their first letter: 't' and 'm' instances are general purpose (t3.micro for light, bursty workloads; m6i for balanced steady-state workloads), 'c' instances are compute-optimized for CPU-bound work like batch processing, 'r' instances are memory-optimized for in-memory caches and large databases, and 'g'/'p' instances carry GPUs for machine learning or graphics workloads. On the storage side, S3 offers several storage classes trading cost against retrieval speed and durability guarantees: S3 Standard for frequently accessed data, S3 Standard-IA and S3 One Zone-IA for infrequent access at lower cost, S3 Glacier Instant Retrieval through S3 Glacier Deep Archive for archival data accessed rarely, from minutes to 12+ hours to retrieve.
Cricket analogy: General-purpose t3/m6i instances are like an all-rounder who can bat and bowl reliably in any situation, while compute-optimized c-family instances are like a specialist strike bowler brought on specifically for the death overs.
Networking and Database Quick Facts
A VPC is defined by a CIDR block (e.g., 10.0.0.0/16), which is then divided into smaller subnets (e.g., 10.0.1.0/24) that each live entirely within one Availability Zone; AWS reserves the first four and the last IP address in every subnet, so a /24 subnet yields 251 usable addresses rather than 256. On the database side, RDS provisions and manages traditional relational engines (PostgreSQL, MySQL, MariaDB, SQL Server, Oracle) with automated backups, patching, and Multi-AZ failover, while DynamoDB is a fully managed NoSQL key-value and document database that scales horizontally with single-digit-millisecond latency at any scale, at the cost of giving up SQL joins and requiring access patterns to be designed up front around the partition key.
Cricket analogy: A VPC's CIDR block is like a stadium's total seating capacity, and subnets are like sections carved out within it — a few seats near each entrance are always reserved for stewards, just as AWS reserves five IPs per subnet.
IAM and Security Essentials
Every IAM policy document has a Version, and one or more Statements, each with an Effect (Allow or Deny), an Action (like s3:GetObject), and a Resource (an ARN specifying exactly what the action applies to); a policy without an explicit Allow for an action results in that action being denied by default. Multi-factor authentication (MFA) should be enabled on the root account and on any IAM user with console access, since a compromised password alone should never be sufficient to take destructive action. AWS Key Management Service (KMS) manages the encryption keys used across services like S3, EBS, and RDS, letting you rotate keys and control exactly which IAM principals are permitted to use a given key to encrypt or decrypt data.
Cricket analogy: An IAM policy's Effect/Action/Resource structure is like an umpire's decision format — decision (out or not out), the specific law invoked (LBW, run out), and the exact delivery it applies to — nothing is assumed without all three specified.
Common CLI Commands
Before running any AWS CLI command, aws configure sets up your access key, secret key, default region, and output format, storing them in ~/.aws/credentials and ~/.aws/config. From there, most day-to-day work uses a small, memorable set of commands: aws s3 ls and aws s3 sync for bucket contents, aws ec2 describe-instances to inspect running instances, aws logs tail to stream CloudWatch Logs from the terminal, and aws sts get-caller-identity to quickly confirm which IAM identity and account your current credentials actually resolve to — an essential first step when debugging unexpected permission errors.
Cricket analogy: aws configure is like a player registering their kit and squad number before the season starts, while aws sts get-caller-identity is like checking the scoreboard to confirm which team and player is actually credited with the current innings.
# Quick reference: common AWS CLI commands
aws configure # set access key, secret key, region, output format
aws sts get-caller-identity # confirm which IAM identity is currently active
aws s3 ls # list your S3 buckets
aws s3 sync ./build s3://my-bucket/ --delete # sync a local folder to S3
aws ec2 describe-instances --query \
"Reservations[].Instances[].[InstanceId,State.Name]" --output table
aws logs tail /aws/lambda/my-function --follow # stream CloudWatch Logs liveAWS's global infrastructure has three layers worth remembering: Regions (large geographic areas like us-east-1), Availability Zones (isolated data centers within a Region, used for high availability), and Edge Locations (smaller sites used by CloudFront and Route 53 to cache content close to end users worldwide).
Never use the AWS root account for day-to-day work — it has unrestrictable permissions that cannot be limited by any IAM policy. Enable MFA on it immediately after account creation, store its credentials securely, and create a separate IAM administrator (or use IAM Identity Center) for actual daily operations.
- EC2 instance family letters hint at purpose: t/m general purpose, c compute-optimized, r memory-optimized, g/p GPU-accelerated.
- S3 storage classes trade cost against retrieval speed, from Standard down to Glacier Deep Archive.
- A VPC's CIDR block is subdivided into per-AZ subnets, with 5 IP addresses reserved per subnet by AWS.
- RDS manages relational engines with Multi-AZ failover; DynamoDB is a horizontally scaling NoSQL key-value store.
- Every IAM policy statement needs an Effect, Action, and Resource; actions are denied by default without an explicit Allow.
- aws sts get-caller-identity is the fastest way to confirm which IAM identity your current CLI session is using.
- The root account should never be used day-to-day; enable MFA on it and use a separate IAM administrator instead.
Practice what you learned
1. How many IP addresses does AWS reserve in every VPC subnet, regardless of size?
2. Which AWS CLI command quickly confirms which IAM identity your current credentials resolve to?
3. Which EC2 instance family letter typically indicates a memory-optimized instance?
4. What is the default effect of an IAM action if no policy explicitly allows it?
Was this page helpful?
You May Also Like
CloudWatch Monitoring Basics
Learn how Amazon CloudWatch collects metrics and logs from your AWS resources, and how to build alarms that alert you before small issues become outages.
AWS Interview Questions
Common categories of AWS interview questions, with the reasoning interviewers are actually testing for and how to structure strong answers.
The AWS Well-Architected Framework
A structured overview of the six pillars AWS uses to evaluate cloud architectures, and the practical trade-offs engineers face applying them.