DEV Community

Tejas Shinkar
Introduction to AWS Cloud + Account Setup + MFA + IAM User Creation

📌 Topic Overview

| # | Topic |
|---|-------|
| 1 | Cloud Computing & AWS Overview |
| 2 | On-Premise DC vs Cloud DC |
| 3 | Cloud Hardware & Server Components |
| 4 | Cloud Service Models (IaaS / PaaS / SaaS) |
| 5 | Cloud Deployment Models (Cloud / Hybrid / On-Prem) |
| 6 | Benefits of AWS |
| 7 | AWS Global Infrastructure |
| 8 | AWS Certification Roadmap |
| 9 | AWS Account Setup (Free Tier) |
| 10 | Enabling MFA on Root Account |
| 11 | Creating an IAM User |

🧠 What is Cloud Computing?

Simple Explanation

Imagine you need a powerful computer to run your application. Normally, you'd have to buy that computer, set it up in your office, manage it, and pay electricity bills. With cloud computing, you just rent that computer over the internet — use it when you need it, pay only for what you use, and give it back when done.

AWS (Amazon Web Services) is the world's largest cloud platform that provides this "rental" service for servers, storage, databases, networking, and hundreds of other services.

Key Characteristics of Cloud Computing

| Term | What it Means | Real Example |
|---|---|---|
| On-Demand | Get resources instantly, no waiting | Launch a server in 2 minutes |
| Scalability | Grow resources as your need grows | Add more servers when traffic spikes |
| Elasticity | Auto scale up AND down | Scale down at night to save cost |
| Pay-as-you-go | Pay only for what you use | Like a mobile recharge, not a contract |

šŸ¢ On-Premise DC vs Cloud DC

What is On-Premise?

Your company owns and manages its own physical data center — servers, cooling, power, security, everything.

What is Cloud DC?

AWS owns massive data centers worldwide and you rent resources from them over the internet.

Comparison Table

| Feature | On-Premise (Your DC) | Cloud (AWS) |
|---|---|---|
| Setup Time | Weeks to months | Minutes |
| Cost Model | High upfront (CapEx) | Pay-as-you-go (OpEx) |
| Scaling | Buy more hardware | Click a button |
| Maintenance | Your team handles it | AWS handles it |
| Global Reach | Limited | 30+ Regions worldwide |
| Disaster Recovery | Expensive to set up | Built-in multi-AZ |

💡 DevOps Angle: In a DevOps role, you'll often manage cloud infrastructure. Understanding this comparison helps you justify cloud migration decisions to management.

🖥️ Cloud Hardware & Server Components

What's Inside AWS Data Centers?

AWS physically owns and manages:

  • Physical Servers — Powerful computers that run your workloads
  • Storage Arrays — Massive hard drives for your data (think S3, EBS)
  • Networking Equipment — Routers, switches, cables connecting everything

How Virtualization Works

AWS uses virtualization: one physical server is divided into many virtual machines (VMs), and each VM can belong to a different workload or a different customer. For example:

```text
One Physical Server (AWS hardware)
    ├── EC2 Instance 1 → Your App Server
    ├── EC2 Instance 2 → Your Database Server
    ├── EC2 Instance 3 → Someone else's workload
    └── EC2 Instance 4 → Another customer's app
```

AWS Compute Options Built on This

| Service | What it is | DevOps Use Case |
|---|---|---|
| EC2 | Virtual Machine (VM) | Deploy apps, web servers |
| ECS / EKS | Containers | Docker/Kubernetes workloads |
| Lambda | Serverless compute | Event-driven automation |

📦 Cloud Service Models

Think of it like renting an apartment vs buying a house vs staying in a hotel.

IaaS — Infrastructure as a Service

You manage: OS, Runtime, App, Data
Provider manages: Physical hardware, networking, virtualization

AWS Example: EC2 (you get a VM, you install everything else)

Analogy: Renting an empty flat — you furnish it yourself.

DevOps Use Case: Spin up EC2 instances, configure them with Ansible/Terraform.

PaaS — Platform as a Service

You manage: App code and Data
Provider manages: Hardware + OS + Runtime + Middleware

AWS Example: AWS Elastic Beanstalk, AWS RDS

Analogy: Renting a furnished flat — just bring your clothes.

DevOps Use Case: Deploy a Django app on Elastic Beanstalk without managing the server OS.

SaaS — Software as a Service

You manage: Just using the app
Provider manages: Everything

AWS Example: Amazon WorkMail, Chime

Other Examples: Gmail, Zoom, Slack

Analogy: Staying in a 5-star hotel — everything is taken care of.

DevOps Use Case: Use SaaS tools like PagerDuty, Datadog for monitoring — no server management needed.

Service Model Summary

```text
IaaS → Most Control, Most Responsibility (you)
PaaS → Balanced
SaaS → Least Control, Least Responsibility (provider handles all)
```

🌐 Cloud Deployment Models

1. Public Cloud (Full Cloud)

Everything runs on AWS. No on-premise hardware.

Example: A startup builds its entire product on AWS from day one.

Best for: New applications, startups, web apps.

2. Hybrid Cloud

Mix of cloud + on-premise. Most common in large enterprises.

Example: A bank keeps customer data on-premise (due to regulations) but runs its web portal on AWS.

DevOps Use Case: AWS Direct Connect or VPN to link your office network with AWS VPC.

3. On-Premises / Private Cloud

Resources deployed in your own data center using virtualization (like VMware). Also called private cloud.

Example: Government agencies or hospitals that cannot put data outside their premises.

💡 Interview Tip: Most enterprise companies use Hybrid cloud. When asked "what deployment model does your company use?" — hybrid is the most common real-world answer.

✅ Benefits of AWS

| Benefit | Explanation | DevOps Relevance |
|---|---|---|
| Cost Savings | No upfront hardware cost, pay-as-you-go | Reduce infrastructure spend |
| Speed / Agility | Launch resources in minutes | Faster CI/CD pipelines |
| Elastic Scaling | Scale up/down automatically | Handle traffic spikes |
| Global Reach | Deploy in any region worldwide | Low latency for users |
| Reliability | Multiple Availability Zones | High availability architecture |
| Security | AWS manages physical security, you manage access | Shared responsibility model |

šŸŒ AWS Global Infrastructure

The Three Levels of AWS Geography

```text
AWS Global Infrastructure
│
├── Region (e.g., ap-south-1 = Mumbai)
│     A geographic area with multiple data centers
│     Currently 30+ Regions worldwide
│
├── Availability Zone / AZ (e.g., ap-south-1a, ap-south-1b)
│     One or more physical data centers within a Region
│     Each Region has minimum 2 AZs (usually 3)
│     AZs are isolated but connected with low-latency links
│
└── Edge Location
      CDN cache points for CloudFront (content delivery)
      200+ edge locations worldwide
```

Why This Matters for DevOps

**High Availability:** Deploy your app across 2+ AZs — if one fails, the other keeps running
**Disaster Recovery:** Use a second Region as backup
**Low Latency:** Choose the Region closest to your users (for India → Mumbai `ap-south-1`)
**Data Residency:** Some data must stay in a specific country — choose that Region

> 🇮🇳 India: AWS Mumbai Region (`ap-south-1`) is the go-to for Indian companies due to data residency compliance and low latency.

---

🎓 AWS Certification Roadmap

```text
FOUNDATIONAL (Start Here)
└── AWS Certified Cloud Practitioner (CLF-C02)
      ↓
ASSOCIATE LEVEL (Pick your path)
├── Solutions Architect Associate (SAA-C03)  ← Most Popular
├── Developer Associate (DVA-C02)
└── SysOps Administrator Associate (SOA-C02)
      ↓
PROFESSIONAL LEVEL
├── Solutions Architect Professional
└── DevOps Engineer Professional  ← Your Target!
      ↓
SPECIALTY
├── Security
├── Networking
├── Data Analytics
├── Machine Learning
└── Database
```

Recommended Path for DevOps/Cloud/SRE

Cloud Practitioner → SAA → DevOps Engineer Professional

šŸ” AWS Account Setup (Free Tier)

What is Free Tier?

AWS gives you **12 months free** access to many services when you sign up. Great for learning!

Free Tier Highlights:

1. EC2: 750 hours/month (`t2.micro` or `t3.micro`)
2. S3: 5 GB storage
3. Lambda: 1 million requests/month
4. RDS: 750 hours/month

Step-by-Step Account Creation

Step 1: Go to `https://aws.amazon.com` → Click **"Create an AWS Account"**
Step 2: Enter your email address + choose a unique account name
Step 3: Create a strong password (this is your Root user password — keep it safe!)
Step 4: Enter contact information (personal or business)
Step 5: Add a valid credit/debit card (AWS does a $1 verification charge — it's reversed)
Step 6: Phone OTP verification
Step 7: Select Free tier support plan

> ⚠️ Warning: After creating the account, your very first action should be enabling MFA on the Root account.

🔒 What is MFA and Why It Matters

MFA = Multi-Factor Authentication

Normal login = Password only (1 factor)

MFA login = Password + OTP from your phone (2 factors)

Even if someone steals your password, they cannot log in without your phone.

Root Account — The Most Dangerous Account

The Root user is the master account — it has unrestricted access to everything in your AWS account. If this gets compromised, an attacker can:

  • Delete all your resources
  • Rack up massive bills
  • Steal all your data

That's why: Enable MFA on Root account IMMEDIATELY.

Steps to Enable MFA on Root Account

1. Sign in to AWS Console as Root user
2. Click your account name (top-right corner)
3. Go to → Security Credentials
4. Scroll to "Multi-factor authentication (MFA)"
5. Click "Assign MFA device"
6. Enter a device name (e.g., MyPhone)
7. Select "Authenticator app" → Click Next
8. Install Google Authenticator / Authy on your phone
9. Scan the QR code shown on screen
10. Enter TWO consecutive 6-digit OTP codes from the app
11. Click "Add MFA" → Done!

Recommended Apps: Google Authenticator | Authy | Microsoft Authenticator


👤 IAM — Identity and Access Management

What is IAM?

IAM is AWS's access control system. It answers the question:

"Who can do what on which AWS resource?"

IAM Key Concepts

| Term | What it is | Real World Analogy |
|---|---|---|
| Root User | Master account, full control | CEO with all keys |
| IAM User | Individual person account | Employee with access card |
| IAM Group | Collection of users | Department (e.g., DevOps team) |
| IAM Policy | JSON document defining permissions | Access control list |
| IAM Role | Temporary permissions for services | Contractor badge (time-limited) |

Why NOT Use Root for Daily Work?

The Root account is like a nuclear launch button — powerful but dangerous.

Best practice:

✅ Create an IAM User with Admin access for daily work
✅ Lock the Root account away
✅ Never share Root credentials with anyone

Step-by-Step: Create IAM User

1. Go to Services → Search "IAM" → Open IAM Console
2. Left panel → Click "Users" → Click "Add users"
3. Enter username (e.g., tejas-admin)
4. Check "Provide user access to AWS Management Console"
5. Set a custom password (uncheck force reset if learning)
6. Attach Permission Policy:
   - AdministratorAccess → Full control (for learning)
   - PowerUserAccess → All services except IAM
   - ReadOnlyAccess → View only, no changes
7. Review → Click "Create user"
8. IMPORTANT: Download the CSV file with credentials
9. Test login using the IAM sign-in URL:
   https://[your-account-id].signin.aws.amazon.com/console
10. Also enable MFA on the IAM user

IAM Permission Policies

| Policy | What it Allows | Use When |
|---|---|---|
| AdministratorAccess | Everything | Learning / Admin work |
| PowerUserAccess | All services except IAM | Developer |
| ReadOnlyAccess | View only | Auditor / Monitoring |

Principle of Least Privilege

Give users only the permissions they need — nothing more.

A developer doesn't need billing access. A tester doesn't need to delete EC2 instances. Always assign minimum required permissions.
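To make "minimum required permissions" concrete, here is an added example (not code from the original post, and not an AWS library) covering both the managed policies listed in the IAM user steps and the least-privilege principle above. It is a small simulator of how IAM evaluates identity-based policies: start from implicit deny, any matching explicit Deny is final, otherwise any matching Allow grants. It compares AdministratorAccess (whose document really is a single `Allow * on *` statement), a simplified shape of PowerUserAccess, and a constructed least-privilege developer policy. The bucket name, account ID and request list are placeholders made up for the example; the simulator does not model Condition keys, resource-based policies, permission boundaries or SCPs.

```python
# Added example (not from the original post): a minimal IAM policy evaluation
# simulator used to compare the blast radius of broad vs least-privilege policies.
import re

# AdministratorAccess is literally this one-statement document.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Simplified shape of PowerUserAccess ("all services except IAM"): NotAction
# allows everything that is NOT listed. The real managed policy adds a second
# statement permitting a handful of read-only IAM/organizations calls.
POWER_USER_SIMPLIFIED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"}
    ],
}

# Constructed least-privilege policy: a developer who uploads build artifacts
# to one bucket and may describe, but never terminate, EC2 instances.
DEVELOPER_LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-app-artifacts",      # placeholder bucket name
                "arn:aws:s3:::example-app-artifacts/*",
            ],
        },
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        # An explicit Deny wins over any Allow, even one from another attached policy.
        {"Effect": "Deny", "Action": ["ec2:TerminateInstances", "iam:*"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one,
    everything else is literal (regex metacharacters in ARNs are escaped)."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _statement_applies(stmt, action, resource):
    """True when the statement's Action/NotAction and Resource cover the request.
    Action names are case-insensitive in IAM; resource ARNs are matched as written."""
    if "Action" in stmt:
        action_hit = any(_wildcard_match(p, action, True) for p in _as_list(stmt["Action"]))
    else:
        action_hit = not any(_wildcard_match(p, action, True) for p in _as_list(stmt["NotAction"]))
    resource_hit = any(_wildcard_match(p, resource, False) for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def is_allowed(policies, action, resource):
    """IAM evaluation order for identity-based policies: implicit deny by default,
    a matching Deny anywhere is final, otherwise any matching Allow grants access."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def blast_radius(policies, requests):
    """Map each (action, resource) request to whether it is allowed; the count of
    True entries is a rough measure of what a leaked credential could do."""
    return {f"{action} on {resource}": is_allowed(policies, action, resource)
            for action, resource in requests}


# Constructed requests; 123456789012 is a placeholder account ID.
SAMPLE_REQUESTS = [
    ("s3:PutObject", "arn:aws:s3:::example-app-artifacts/build.zip"),
    ("s3:PutObject", "arn:aws:s3:::customer-pii-bucket/export.csv"),
    ("ec2:DescribeInstances", "*"),
    ("ec2:TerminateInstances", "arn:aws:ec2:ap-south-1:123456789012:instance/i-0123456789abcdef0"),
    ("iam:CreateUser", "arn:aws:iam::123456789012:user/new-user"),
]

if __name__ == "__main__":
    for name, policy in [("AdministratorAccess", ADMINISTRATOR_ACCESS),
                         ("PowerUserAccess (simplified)", POWER_USER_SIMPLIFIED),
                         ("developer least privilege", DEVELOPER_LEAST_PRIVILEGE)]:
        result = blast_radius([policy], SAMPLE_REQUESTS)
        print(f"{name}: {sum(result.values())}/{len(result)} sample requests allowed")
        for request, ok in result.items():
            print(f"  {'ALLOW' if ok else 'deny '} {request}")
```

Running it shows the developer policy allowing 2 of the 5 sample requests against 5 for AdministratorAccess, which is the least-privilege argument in numbers: a stolen developer credential cannot terminate instances, touch another bucket or create IAM users. The explicit Deny statement also demonstrates why a Deny is the safe way to carve exceptions out of a broad group policy.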


šŸ” IAM Sign-in Flow

Root User Login:
   Email + Password + MFA OTP → Full unrestricted access

IAM User Login:
   Account ID (or alias) + Username + Password + MFA OTP → Limited access (based on policy)

IAM Sign-in URL:
   https://[12-digit-account-id].signin.aws.amazon.com/console
Enter fullscreen mode Exit fullscreen mode

🚨 COMMON MISTAKES (Avoid These!)

| Mistake | Why It's Bad | Correct Approach |
|---|---|---|
| Using Root for daily tasks | If compromised, everything is lost | Create and use IAM user |
| No MFA on Root | Password alone is not enough | Enable MFA immediately |
| Giving AdministratorAccess to everyone | Violates least privilege | Assign only needed permissions |
| Sharing access keys publicly (GitHub) | Attackers scan GitHub for keys | Use IAM Roles, not access keys |
| Not downloading credentials CSV | You can't retrieve password later | Download and store securely |
| Ignoring billing alerts | Surprise bills! | Set up AWS Budgets + alerts |

💼 INTERVIEW QUESTIONS

Easy (Freshers)

Q1: What is cloud computing?

A: Cloud computing is the delivery of IT services (compute, storage, networking) over the internet on a pay-as-you-go basis, eliminating the need to own physical hardware.

Q2: What is the difference between IaaS, PaaS, and SaaS?

A: IaaS gives you raw infrastructure (like EC2), PaaS gives you a platform to deploy code (like Elastic Beanstalk), and SaaS gives you a ready-to-use software product (like Gmail). As you move from IaaS → PaaS → SaaS, you manage less but also control less.

Q3: What is an AWS Region and Availability Zone?

A: A Region is a geographic location (e.g., Mumbai) that contains multiple isolated data centers called Availability Zones (AZs). Each AZ is independent but connected with high-speed links to enable high availability.

Q4: What is IAM in AWS?

A: IAM (Identity and Access Management) is AWS's service to control who can access AWS resources and what actions they can perform. It uses users, groups, roles, and policies.

Q5: Why should you not use the Root account for daily tasks?

A: The Root account has unrestricted access to everything. If compromised, an attacker gains complete control. IAM users with specific permissions should be used for daily operations following the principle of least privilege.

Intermediate

Q6: What is MFA and why is it important in AWS?

A: MFA (Multi-Factor Authentication) requires a second verification step (OTP from phone app) beyond just a password. It prevents unauthorized access even if credentials are stolen.

Q7: What is the difference between a Public, Hybrid, and Private cloud?

A: A Public cloud runs everything on AWS; a Hybrid cloud mixes cloud and on-premise (most common in enterprises); a Private cloud keeps resources in your own data center.

Q8: What is the Principle of Least Privilege?

A: Granting users only the minimum permissions needed to do their job — nothing more. Reduces the blast radius if an account is compromised.

DevOps-Focused

Q9: How would you secure an AWS account from day one?

A: Enable MFA on Root immediately, create an IAM user for daily use, apply AdministratorAccess only where needed, set up AWS CloudTrail for audit logging, enable billing alerts, and never store access keys in code repositories.

Q10: A new DevOps engineer joins your team. How do you give them AWS access?

A: Create an IAM user for them, add them to the DevOps IAM Group that has pre-configured policies (like PowerUserAccess), enable MFA on their account, and share only the IAM console URL — not the Root credentials.

🔬 Practice Questions

Easy

  1. You want to use a server for 3 hours to run a data processing job and then shut it down. Which cloud characteristic makes this cost-effective?

  2. What does "Availability Zone" mean in AWS context?

  3. Name 3 services available in the AWS Free Tier.

Medium

  1. Your company has sensitive financial data that cannot leave India due to compliance laws. Which AWS Region should you use, and what model (Public/Hybrid/Private) applies?

  2. You gave your IAM user AdministratorAccess. Your manager says this violates security policy. What should you do instead?

  3. Explain the difference between an IAM User and an IAM Role with a real-world example.

DevOps-Focused

  1. You're setting up AWS for a new startup from scratch. List the first 5 things you would do to secure the account.

  2. Your Terraform script accidentally uploaded AWS Access Keys to a public GitHub repo. What is your immediate action plan?


🎯 Key Takeaways

  • Cloud computing allows you to rent infrastructure on-demand instead of buying physical hardware.
  • AWS provides scalability, elasticity, global reach, and pay-as-you-go pricing.
  • Most enterprises operate using a Hybrid Cloud model.
  • AWS infrastructure is built around Regions, Availability Zones, and Edge Locations.
  • For a DevOps career path, Cloud Practitioner → SAA → DevOps Engineer Professional is a common progression.
  • The Root account should only be used for account-level administration.
  • MFA should be enabled immediately after account creation.
  • IAM controls who can access AWS resources and what actions they can perform.
  • Follow the Principle of Least Privilege when assigning permissions.
  • Never expose AWS Access Keys publicly and always enable security controls from day one.

💬 This article is part of my journey learning AWS, Cloud, and DevOps from scratch. If you're also starting out, feel free to connect and share your learning experience.
