AWS console walkthrough
The pieces from this morning, hands-on. Networking & identity in the AWS console — a 30-minute walkthrough that anchors VPC + EC2 + IAM in muscle memory.
- 01
AWS Console tour
Region selector · services menu · billing alert. Set the stage — this is the surface students will see.
- 02
Create a VPC
10.0.0.0/16, two AZs, public + private subnets, NAT gateway. Whiteboard it as you click.
- 03
Create a security group
Allow HTTP/HTTPS in, all out. Talk through inbound vs outbound.
- 04
Launch an EC2 instance
Amazon Linux, t3.micro, in the public subnet, with an instance profile attached at launch that carries AmazonSSMManagedInstanceCore (Session Manager will not connect without it; the same role gets its S3 permissions in step 06). No SSH key — we use Session Manager.
- 05
Connect via SSM
No port 22 exposed, no key to lose. Show the audit trail this leaves in CloudTrail: the ssm StartSession call records who opened the session and against which instance. Commands typed inside the session are only captured if session logging to S3 or CloudWatch Logs is switched on.
- 06
Create an IAM role
Attach AmazonS3ReadOnlyAccess to the instance role (not the ReadOnlyAccess managed policy, which spans every service and would make the `describe-instances` check in step 07 succeed). Walk through how the role is assumed by the instance: the trust policy lets ec2.amazonaws.com call sts:AssumeRole, and the instance fetches the short-lived credentials from the instance metadata service.
- 07
Verify
`aws s3 ls` works. `aws ec2 describe-instances` fails with UnauthorizedOperation. Permissions match the policy: only s3:Get*/List* is allowed, everything else is the default deny.
- 08
Show CloudTrail
Find one of the API calls we just made (filter Event history by event name, e.g. StartSession or ListBuckets; the assumed-role ARN ends in the instance ID). Talk through immutability and retention: Event history only keeps 90 days, so a trail delivering to S3 with log file validation is what gives long-term retention and tamper evidence.
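Steps 06 through 08 in code form, as an added example that is not part of the walkthrough: a simplified IAM evaluator that shows why `aws s3 ls` passes and `aws ec2 describe-instances` fails under the instance role, and a filter that pulls that role's calls out of CloudTrail records. The role name `demo-s3-readonly`, the account ID, the instance ID and the CloudTrail records are all constructed; the AmazonS3ReadOnlyAccess statement is reproduced from memory and should be compared against the managed policy in the console. Only Effect/Action matching with explicit-deny precedence is modelled; real IAM also evaluates Resource, Condition, SCPs, permission boundaries and session policies.

```python
"""Added example (not from the walkthrough): simplified IAM evaluation for the
demo instance role, plus a filter over constructed CloudTrail records."""
import fnmatch

# Trust policy: what lets the EC2 service obtain credentials for the role and
# hand them to the instance through the instance metadata service.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy modelled on AmazonS3ReadOnlyAccess (assumption: reproduced
# from memory; compare with the managed policy before relying on it).
S3_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*", "s3:Describe*"],
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(action, pattern):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def trusted_by(trust_policy, service):
    """True if `service` may call sts:AssumeRole on this role."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if service in services and any(
            _action_matches("sts:AssumeRole", a) for a in _as_list(stmt["Action"])
        ):
            return True
    return False


def is_allowed(policies, action):
    """IAM default deny: an explicit Deny wins, else any Allow, else denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(_action_matches(action, a) for a in _as_list(stmt["Action"])):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


# Constructed CloudTrail records, trimmed to the fields used below. For an
# instance-profile session the role session name is the instance ID, which is
# how an API call is tied back to one instance.
ROLE = "demo-s3-readonly"
ROLE_ARN = f"arn:aws:sts::123456789012:assumed-role/{ROLE}/i-0123456789abcdef0"
RECORDS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/instructor"},
     "requestParameters": {"target": "i-0123456789abcdef0"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "errorCode": "Client.UnauthorizedOperation"},
]


def calls_by_role(records, role_name):
    """(service, action, session_name, error) for each call made with the role."""
    out = []
    for rec in records:
        ident = rec["userIdentity"]
        if ident["type"] != "AssumedRole":
            continue
        _, role, session = ident["arn"].rsplit("/", 2)
        if role == role_name:
            out.append((rec["eventSource"].split(".")[0], rec["eventName"],
                        session, rec.get("errorCode")))
    return out


if __name__ == "__main__":
    print("EC2 can assume role:", trusted_by(TRUST_POLICY, "ec2.amazonaws.com"))
    for action in ("s3:ListAllMyBuckets", "s3:GetObject", "ec2:DescribeInstances"):
        verdict = "allowed" if is_allowed([S3_READ_ONLY], action) else "denied"
        print(f"{action:24} -> {verdict}")
    for call in calls_by_role(RECORDS, ROLE):
        print(call)
```

`aws s3 ls` issues s3:ListAllMyBuckets, which the `s3:List*` statement covers; `aws ec2 describe-instances` issues ec2:DescribeInstances, which no statement matches, so the default deny applies. In the CloudTrail half, the denied call still shows up as a record with an `errorCode`, which is exactly the event to point at when explaining that failed attempts are logged too.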
What would be different for production? Surface answers like:
- Multi-AZ, no public subnet for DB
- Infrastructure-as-code (Terraform / CDK / Pulumi) instead of console clicks
- MFA enforced on every IAM user
- Centralized log destination, not per-account CloudTrail
- Tag-based cost attribution
After this demo you should be able to:
- Recognize a VPC diagram and read its security groups
- Explain what an IAM role is and why it beats long-lived keys
- Find the audit log in any AWS account
- Justify (or push back on) "let's just put it in the public subnet"