AWS Operations Guide

A step-by-step reference for working with core AWS services: EC2, S3 IAM, Security Groups, and CloudWatch.

Getting Into AWS

Logging In (AWS Academy)

1. Go to https://awsacademy.instructure.com/login/canvas
2. Log in with your student email (lastnamef@students.westerntc.edu)
3. From the Dashboard, select AWS Academy Learner Lab
4. In the left menu, select Modules
5. Click Launch AWS Academy Learner Lab
6. Click Start Lab at the top — wait for the circle next to "AWS" to turn green
7. Click AWS on the left to open the AWS Management Console
8. When done, click End Lab to stop the environment and avoid unnecessary charges

Note: Every time you return, you must restart the lab from step 6. The environment does not persist between sessions.

Getting Your AWS Credentials (for CLI/GitHub Actions)

1. Start the lab as above
2. Click AWS Details (next to "End Lab")
3. Click Show next to AWS CLI
4. Note the three values — you will need these for GitHub Secrets or any CLI configuration:
   • AWS_ACCESS_KEY_ID
   • AWS_SECRET_ACCESS_KEY
   • AWS_SESSION_TOKEN

These credentials expire when the lab session ends. You must retrieve new ones each session.

EC2 — Elastic Compute Cloud

EC2 provides virtual servers (called instances) in the cloud. You use them to run operating systems, host web applications, and run services.

Launching an EC2 Instance

1. In the AWS Console, go to Services → Compute → EC2
2. Click the orange Launch Instance button
3. Configure the following settings:

4. Click Launch Instance

An instance at t2.micro qualifies for the AWS free tier. t3.medium is required for running a database (MySQL) alongside other services.

Creating a Key Pair

This key pair is what allows you to SSH into your instance. Treat it like a password — if you lose it, you cannot access the instance.

1. In the key pair step during launch, click Create new key pair
2. Name it (e.g., Western-Student)
3. Key pair type: RSA
4. Private key format: .ppk for PuTTY on Windows; .pem for Mac/Linux terminal
5. Click Create key pair — the file downloads automatically
6. Save the file somewhere safe and back it up

Finding Your Instance's Public Address

1. Go to EC2 → Instances
2. Click on your instance ID
3. Copy the Public IPv4 DNS — it looks like ec2-XX-XX-XX-XX.compute-1.amazonaws.com

This address changes every time the instance is stopped and restarted.

Connecting to Your Instance via Browser Console

1. In EC2, select your instance
2. Click Connect at the top
3. On the Connect page, click Connect at the bottom
4. A Linux terminal opens in your browser

Starting, Stopping, and Changing Instance Type

1. Select your instance in the EC2 dashboard
2. Click Instance state at the top
3. To stop: select Stop instance → Stop
4. Once stopped, click Actions → Instance settings → Change instance type
5. Type the new instance type (e.g., t3.medium) and click Change
6. Click Instance state → Start instance

Installing and Running a Web Server (Apache) on EC2

sudo yum install httpd          # Install Apache (use yum on Amazon Linux)
sudo systemctl start httpd      # Start the service

Navigate to the instance's public IP in a browser using HTTP (not HTTPS) to see the Apache default page. Make sure port 80 is open in the security group.

Installing Updates on Your Instance

sudo dnf -y update

Run this immediately after connecting to a new instance to apply all security and software updates.

Security Groups

Security groups act as virtual firewalls, controlling what traffic can reach your EC2 instances. Rules are additive — there is no explicit deny; anything not listed is blocked by default.

Opening the Security Group Editor

1. Go to EC2 Dashboard
2. In the Resources section at the top, click Security groups
3. Click the security group ID associated with your instance (usually launch-wizard-1)

Adding Inbound Rules

1. Under Inbound rules, click Edit inbound rules
2. Click Add rule
3. Select the Type (e.g., SSH, HTTP, All traffic, All ICMP – IPv4)
4. Select the Source (e.g., Anywhere-IPv4, My IP, Custom)
5. Click Save rules

Common rule configurations:

Opening "All traffic from Anywhere" is acceptable in a lab environment but should never be used in production. Tighten rules to only the ports you actually serve.

Restricting Access by IP

1. Edit inbound rules for SSH
2. Change Source from Anywhere-IPv4 to My IP
3. AWS auto-fills your current public IP

This limits SSH access to only your current IP address. If your IP changes (e.g., switching networks), you will need to update this rule.

S3 — Simple Storage Service

S3 stores files (called objects) in containers called buckets. It is commonly used for backups, static website hosting, and serving images or assets to web applications.

Creating an S3 Bucket

1. Go to Services → Storage → S3 (or search "S3")
2. Click Create bucket
3. Enter a globally unique bucket name (e.g., my-cicd-bucket-yourusername)
4. Under Block Public Access Settings, uncheck Block all public access if you need public access
5. Check the acknowledgment box that appears
6. Scroll down and click Create bucket

Bucket names must be globally unique across all of AWS. Include your username to ensure uniqueness.

Setting a Bucket Policy for Public Read Access

1. Click on your bucket name
2. Select the Permissions tab
3. Scroll to Bucket policy and click Edit
4. Paste the following, replacing YOUR_BUCKET_NAME:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
    }
  ]
}

5. Click Save changes

This allows anyone on the internet to read files from your bucket. Required for static website hosting and serving images to your documentation.

Uploading Files

1. Click on your bucket name
2. Select the Objects tab
3. Click Upload → Add files
4. Select the files from your local machine
5. Scroll down and click Upload
6. Click Close

Getting a File's Public URL

1. Click on the uploaded file under Objects
2. Click Copy URL
3. Test in a private/incognito browser window to confirm public access

The URL format is: https://bucket-name.s3.region.amazonaws.com/filename

Referencing an S3 Image in Markdown

![Alt text description](https://your-bucket-name.s3.us-east-1.amazonaws.com/image.png)

Enabling Static Website Hosting

1. Click your bucket name → Properties tab
2. Scroll to Static website hosting → click Edit
3. Select Enable
4. Set Index document to index.html
5. Click Save changes
6. Scroll back down to copy the Bucket website endpoint URL

The website endpoint URL (http) is different from the object URL (https). Use the website endpoint when linking to the site as a whole.

Enabling Bucket Versioning

1. Click your bucket name → Properties tab
2. Click Edit next to Bucket Versioning
3. Select Enable
4. Click Save changes

Versioning saves every uploaded version of a file. You can restore previous versions from the object's Versions tab.

Configuring a Lifecycle Rule (Automatic Archiving)

1. Click your bucket name → Management tab
2. Click Create lifecycle rule
3. Name the rule and select the scope
4. Add a transition action: move to Glacier after 30 days
5. Optionally add an expiration action: delete after 90 days
6. Click Save

IAM — Identity and Access Management

IAM controls who can access what in your AWS account. You create users, groups, roles, and attach policies to define permissions.

Creating an IAM User

1. Go to Services → Security → IAM (or search "IAM")
2. Click Users → Add User
3. Set a username
4. Select Console access
5. Set a custom password; uncheck "Users must create a new password at next sign-in"
6. Click Next
7. Under Set permissions, select Attach policies directly
8. Search for and select a policy (e.g., AmazonS3FullAccess)
9. Click Next → Create user

In the AWS Academy Learner Lab, user creation is blocked by the lab environment. The steps above reflect real-world usage.

Common Predefined Policies

CloudWatch — Monitoring and Alarms

CloudWatch collects performance metrics from your AWS resources and can trigger alarms when thresholds are exceeded.

Setting a CPU Utilization Alarm

1. Search for CloudWatch in the AWS console
2. In the left menu, click Alarms → All alarms
3. Click Create alarm
4. Click Select metric → EC2 → Per-Instance Metrics
5. Find your instance ID and select CPUUtilization
6. Click Select metric
7. Set the threshold: Greater than 70% over 1 evaluation period
8. Configure notifications if desired
9. Name the alarm and click Create alarm

Generating CPU Load to Test an Alarm

sudo amazon-linux-extras enable epel   # Enable extra package repositories
sudo yum install -y epel-release       # Install the EPEL repository
sudo yum install -y stress             # Install the stress testing tool
sudo stress --cpu 1 --timeout 120      # Run a 1-core CPU stress test for 120 seconds

After running this, navigate to CloudWatch and watch the alarm state change from OK to ALARM.

Billing Alerts (Real-World — Not Available in Learner Lab)

1. Go to Services → Cloud Financial Management → Billing and Cost Management
2. On the left menu, click Budgets
3. Click Create budget
4. Accept the defaults: Use a template → Zero spend budget
5. Enter your email under Email recipients
6. Click Create budget

This sends an email notification immediately when any billable charge occurs. Essential for avoiding unexpected costs.

GitHub Actions Secrets for AWS Deployment

After retrieving your credentials from AWS Details, add them to your GitHub repository:

1. In your GitHub repo, go to Settings → Secrets and variables → Actions
2. Click New repository secret for each of the following:

Secrets are encrypted and never visible after being saved. If you need to update a value, you must overwrite it by creating a new secret with the same name.