AWS, service by service.
Sixteen pages, one per service or service-family, each ending in a CLI lab you can actually run. The point isn't to memorise the API surface — it's to know the model well enough that you can reason about failure, pricing, and the boundaries where one service ends and another begins. Pairs with the Cloud Codex above, which is the same material organised by topic instead of by service.
What this is, and why service-shaped
The Cloud Codex above is organised by topic — compute, storage, networking, identity, databases. That's the right shape for system-design conversations. This subtree is organised by AWS service, because that's the shape you need when you're actually building or debugging on AWS: someone tells you "the Lambda is timing out behind API Gateway with a 502," and the move is to know exactly which knob to turn before you start grepping logs.
Each page covers the same five-or-six things: the model the service implements, the parts you'll actually configure, how it bills, what breaks at scale, what to use it for and what not to, and a small CLI lab you can run to feel it work. Reading sequence is recommended but not strict — most pages cross-link to the others where it matters.
The map
Foundations.
The account model, regions, AZs, and the service-name decoder ring. Read these before anything else if AWS is new — the rest assumes you can find your way around the console.
Compute, network, edge.
Everything that moves bytes — instances, disks, networks, load balancers, DNS, CDN. The shared infrastructure every higher-level service eventually rides on.
- 03
EC2, EBS & AMIs
Instance families, Nitro, EBS volume types & internals, AMIs, placement groups, snapshots.
Read - 04
VPC deep dive
Subnets, route tables, NAT, IGW, VPC endpoints, PrivateLink, Transit Gateway, peering.
Read - 05
Load balancing
ALB vs NLB vs Gateway LB, target groups, listeners, sticky sessions, WAF integration.
Read - 06
Route 53
Routing policies (latency / weighted / failover / geo / multivalue), health checks, private zones.
Read - 07
S3 internals
Request semantics, strong consistency, prefix sharding, lifecycle, Glacier classes, replication.
Read - 08
CloudFront
Behaviors, origin groups, Lambda@Edge vs CloudFront Functions, signed URLs, OAC.
Read
Data, compute, events.
The services your application code actually talks to — databases, functions, queues, workflows, containers. Where the design decisions get interesting.
- 09
DynamoDB internals
Partitioning, hot keys, GSI / LSI, streams, transactions, on-demand vs provisioned.
Read - 10
Aurora & RDS
Aurora storage layer, MySQL / Postgres engines, RDS Proxy, Aurora Serverless v2, blue/green.
Read - 11
Lambda execution
Cold starts, layers, SnapStart, concurrency, provisioned concurrency, VPC-attach cost.
Read - 12
API Gateway
REST vs HTTP API, routing, throttling, authorizers, custom domains, Lambda integrations.
Read - 13
Messaging
SQS (Standard vs FIFO), SNS fan-out, EventBridge buses + schedules + schemas, DLQ patterns.
Read - 14
Step Functions
State machine model, Standard vs Express, error handling, distributed transactions.
Read - 15
Containers
ECS task definitions, Fargate vs EC2 launch type, EKS architecture, IRSA, capacity providers.
Read - 16
KMS & secrets
Envelope encryption, key types, Secrets Manager vs SSM Parameter Store, rotation.
Read
How the labs work
Every page closes with a section called "Build it yourself" — an ordered list of CLI commands that creates the resource, exercises it, observes it, and tears it down. The point is that you will not understand the service from reading; you understand it from watching the first aws s3api put-object succeed and then doing it 999 more times and seeing how the latency distribution behaves.
- Use a dedicated account. Create a fresh AWS account just for these labs. Set a budget alarm at $25 so you find out fast if you forget to tear something down.
- CLI first. Every lab is written for the AWS CLI. Console is friendlier when you're learning a new service for the first time; the CLI is what you'll automate.
- Tear down at the end. Every lab finishes with the delete commands. Run them. Most AWS services charge until you explicitly stop them — EBS volumes and Elastic IPs are the usual surprise on the bill.
- Region affects price. us-east-1 is cheapest and has every service the day it launches. eu-west-2 / ap-south-1 are more expensive. Pick one region and stay in it for the whole sequence.
brew install awscli on macOS, or the official Linux installer), run aws configure with an access key from a fresh IAM user (or better, an Identity Center user with aws sso login), and verify with aws sts get-caller-identity. From here every page assumes those four things are true.Adjacent reading
- Cloud Codex (topic shape). Same material organised by problem — compute, storage, networking, identity, databases, multi-region, observability, cost. Read this first if you don't already know what services to look up.
- Scale to millions on AWS. The system-design walkthrough that ties most of the services in this codex together into a single growing architecture.
- Kubernetes Codex. For the EKS side of containers — the page here covers the AWS-side configuration; that codex covers what's running inside.
- Networking Codex. The protocol-layer companion to VPC, ALB, and Route 53.
- Distributed Systems Codex. The consistency, replication, and failure-detection background most of the managed services here assume you understand.