Welcome to the comprehensive collection of AWS hands-on labs. This master repository serves as a central index for advanced cloud architecture, security, and DevOps workflows simulated entirely on LocalStack Pro.
- AWS Identity and Access Management (IAM) Labs (LocalStack Pro)
- AWS Advanced VPC Architecture Labs (LocalStack Pro)
- AWS Elastic Compute Cloud (EC2) Labs (LocalStack Pro)
- AWS Simple Storage Service (S3) Labs (LocalStack Pro)
- AWS Relational Database Service (RDS) Labs (LocalStack Pro)
- AWS Lambda Serverless Labs (LocalStack Pro)
- AWS CloudWatch Monitoring Labs (LocalStack Pro)
- AWS Elastic Container Service (ECS) Labs (LocalStack Pro)
- AWS Elastic Kubernetes Service (EKS) Labs (LocalStack Pro)
- AWS API Gateway Serverless Labs (LocalStack Pro)
- AWS CI/CD Pipeline Labs (LocalStack Pro)
- AWS Infrastructure as Code (Terraform) Labs (LocalStack Pro)
This repository contains hands-on labs demonstrating advanced AWS Identity and Access Management (IAM) security concepts. Using LocalStack Pro, we simulate a localized AWS cloud environment to practice identity federation, policy evaluation logic, conditional access, and cross-account role assumption without risking real-world cloud environments.
Based on AWS security best practices (SAA-C03), these labs demonstrate:
- IAM Fundamentals: Creating Users, Groups, and attaching Identity-Based Managed Policies.
- Service Roles & Trust Policies: Instead of embedding access keys, we use IAM Roles (Trust Policies + Permissions Policies) to securely grant compute services (like Lambda or EC2) access to other AWS resources.
- Policy Evaluation Logic: Proving that an
Explicit Denyalways overrides anAllow. - Policy Conditions: Restricting the exact types of EC2 instances a user can provision using the
Conditionblock (e.g.,ec2:InstanceType). - Permissions Boundaries: Defining the absolute maximum permissions an IAM entity can have, mitigating the risk of privilege escalation.
- Cross-Account Access & STS: Generating temporary security credentials using
AssumeRolewhile preventing the "Confused Deputy" problem via theExternalIdcondition.
- Docker & Docker Compose
- LocalStack Pro account and Auth Token
awslocalCLI (a wrapper around the AWS CLI for LocalStack)
-
Clone this repository:
git clone https://github.com/awslabs/iam.git cd iam -
Configure your LocalStack Auth Token:
echo "YOUR_TOKEN=your_auth_token_here" > .env
-
Start LocalStack Pro:
docker-compose up -d
Important
Cumulative Architecture: These labs are designed as a cumulative, end-to-end scenario rather than isolated tasks. You are building one evolving architecture as you progress.
Session Persistence: You must run all commands sequentially within the same terminal session. The labs rely on bash variables (like $USER_NAME, $ROLE_ARN, etc.) created in earlier steps. If you close your terminal, these variables will be lost and subsequent labs will fail.
- Lab 1: IAM Fundamentals (Users, Groups, & Policies)
- Lab 2: Service Roles & Trust Policies
- Lab 3: Policy Evaluation Logic (Explicit Deny)
- Lab 4: Policy Conditions (Attribute-Based Access Control)
- Lab 5: Permissions Boundaries
- Lab 6: Cross-Account Access & STS AssumeRole
This repository contains a comprehensive set of hands-on labs demonstrating advanced Amazon Virtual Private Cloud (VPC) concepts. It bridges the gap between AWS theoretical knowledge (SAA-C03) and practical implementation using LocalStack Pro to simulate a complete AWS cloud environment locally.
Based on AWS documentation and best practices, these labs walk through the deployment of:
- Foundational Networking: Amazon VPC provides an isolated network environment. You have complete control over networking, including IP ranges, subnets, route tables, and gateways. A /24 subnet provides 256 total IP addresses, but AWS reserves 5 IP addresses, leaving 251 available.
- Routing & Internet Access: Internet Gateways provide access to the internet, while a NAT Gateway enables outbound internet access for private subnets. Instances in the private subnet remain private with no inbound access from the internet.
- Private Connectivity: VPC Endpoints provide private connectivity to AWS services like S3 and DynamoDB without traversing the internet.
- Layered Security: Security Groups are stateful, meaning if inbound is allowed, return traffic is automatically allowed. Network ACLs are stateless, support Deny rules, and evaluate traffic at the subnet level. Network ACLs do not support rate limiting.
- Multi-VPC Topologies: VPC Peering connects two VPCs privately but is not transitive. AWS Transit Gateway acts as a central hub for VPCs and is highly scalable.
- Shared Services: AWS PrivateLink provides private connectivity to services exposed via VPC Endpoint Services without requiring VPC peering or an Internet Gateway.
- Docker & Docker Compose
- LocalStack Pro account and Auth Token
awslocalCLI (a wrapper around the AWS CLI for LocalStack)
-
Clone this repository:
git clone https://github.com/awslabs/vpc.git cd vpc -
Configure your LocalStack Auth Token:
echo "YOUR_TOKEN=your_auth_token_here" > .env
-
Start LocalStack Pro:
docker-compose up -d
Important
Cumulative Architecture: These labs are designed as a cumulative, end-to-end scenario rather than isolated tasks. You are building one evolving architecture as you progress.
Session Persistence: You must run all commands sequentially within the same terminal session. The labs rely on bash variables (like $VPC_ID, $PRIV_RT, etc.) created in earlier steps. If you close your terminal, these variables will be lost and subsequent labs will fail.
- Lab 1: Foundational VPC & Subnet Isolation
- Lab 2: Internet & NAT Gateways
- Lab 3: Secure AWS Access via VPC Endpoints
- Lab 4: Defense in Depth (Security Groups vs. NACLs)
- Lab 5: 1-to-1 Multi-VPC Architecture (VPC Peering)
- Lab 6: Hub-and-Spoke Topology (AWS Transit Gateway)
- Lab 7: Unidirectional Service Sharing (AWS PrivateLink)
This repository contains hands-on labs demonstrating core Amazon EC2 concepts, from foundational networking and instance provisioning to high availability and automated scaling. Using LocalStack Pro, we simulate a complete AWS compute environment locally.
Based on AWS best practices (SAA-C03), these labs cover:
- Network Foundation: Provisioning custom VPCs, public/private subnets, and internet gateways.
- EC2 Provisioning: Launching On-Demand instances with optimized AMI selection.
- Security & Access: Implementing stateful Security Groups and instance-level bootstrapping via User Data.
- High Availability: Designing for fault tolerance using Multi-AZ deployments.
- Scaling & Load Balancing: Exploring Launch Templates, Auto Scaling Groups, and Elastic Load Balancers.
- Cost Optimization: Leveraging Spot Instances and Savings Plans logic.
- Docker & Docker Compose
- LocalStack Pro account and Auth Token
awslocalCLI (a wrapper around the AWS CLI for LocalStack)
-
Configure your LocalStack Auth Token in
.env:echo "YOUR_TOKEN=your_auth_token_here" > .env
-
Start LocalStack Pro:
docker-compose up -d
Important
Cumulative Architecture: These labs are designed as a cumulative scenario. You are building an evolving infrastructure.
Session Persistence: These labs rely on bash variables (like $VPC_ID, $SG_ID, $AMI_ID, etc.). Run all commands in the same terminal session to maintain context.
- Lab 1: Network Foundation & EC2 Provisioning
- Lab 2: Layer 7 Application Load Balancer (ALB)
- Lab 3: EC2 Auto Scaling (Launch Templates & ASG)
- Lab 4: Auto Scaling Policies (Target Tracking)
- Lab 5: Cost Optimization (Spot Instances)
This repository contains hands-on labs demonstrating core Amazon S3 concepts, from foundational storage and data protection to advanced security and lifecycle management. Using LocalStack Pro, we simulate a complete AWS storage environment locally.
Based on AWS best practices (SAA-C03), these labs cover:
- Data Protection: Implementing Versioning to protect against accidental deletes and overwrites.
- Security & Access Control: Securing access via Pre-signed URLs for third parties.
- Lifecycle Management: Automating data transitions and expiration.
- Event-Driven Architectures: Decoupling systems with S3 Event Notifications and SQS.
- Server-Side Encryption: Securing data at rest with SSE-S3 and SSE-KMS.
- Compliance: Enforcing WORM models with S3 Object Lock.
- Content Delivery: Global distribution with Amazon CloudFront.
- Disaster Recovery: Cross-Region Replication for mission-critical data.
- Docker & Docker Compose
- LocalStack Pro account and Auth Token
awslocalCLI (a wrapper around the AWS CLI for LocalStack)
-
Configure your LocalStack Auth Token in
.env:echo "YOUR_TOKEN=your_auth_token_here" > .env
-
Start LocalStack Pro:
docker-compose up -d
Important
Cumulative Architecture: These labs are designed as a cumulative scenario. You are building an evolving storage infrastructure.
- Lab 1: Foundational S3 & Data Protection (Versioning)
- Lab 2: Compliance & Security (SSE-KMS & Object Lock)
- Lab 3: Automated Cost Optimization (Lifecycle Policies)
- Lab 4: Event-Driven Architectures (S3 Event Notifications to SQS)
- Lab 5: Secure Third-Party Access (Pre-signed URLs)
- Lab 6: Content Delivery & Edge Caching (CloudFront Origin)
- Lab 7: Disaster Recovery (Cross-Region Replication)
This repository contains hands-on labs demonstrating core Amazon RDS concepts, from foundational networking and instance provisioning to high availability and data security. Using LocalStack Pro, we simulate a complete AWS database environment locally.
Based on AWS best practices (SAA-C03), these labs cover:
- Networking Foundation: Designing DB Subnet Groups for multi-AZ reliability.
- RDS Provisioning: Launching managed relational databases (PostgreSQL).
- High Availability: Implementing Multi-AZ deployments for failover.
- Serverless Databases: Deploying Amazon Aurora Serverless for unpredictable workloads.
- Connection Pooling: Implementing RDS Proxy for serverless scalability and resiliency.
- Security & Encryption: Securing data at rest with SSE-KMS and IAM Database Auth.
- Disaster Recovery: Managing snapshots and automated backups.
- Docker & Docker Compose
- LocalStack Pro account and Auth Token
awslocalCLI (a wrapper around the AWS CLI for LocalStack)
-
Configure your LocalStack Auth Token in
.env:echo "YOUR_TOKEN=your_auth_token_here" > .env
-
Start LocalStack Pro:
docker-compose up -d
Important
Cumulative Architecture: These labs are designed as a cumulative scenario. You are building an evolving database infrastructure.
Session Persistence: These labs rely on bash variables (like $VPC_ID, $SUBNET_A, etc.). Run all commands in the same terminal session to maintain context.
- Lab 1: Networking Foundation & Base RDS Deployment
- Lab 2: High Availability (Multi-AZ Conversion)
- Lab 3: Backup & Retention Policies
- Lab 4: Advanced Security (Encryption & IAM Auth)
- Lab 5: Serverless Workloads (Aurora Serverless)
- Lab 6: Serverless Connection Pooling (RDS Proxy)
This repository contains hands-on labs demonstrating core Amazon Lambda concepts, from foundational function provisioning to advanced event-driven architectures and triggers. Using LocalStack Pro, we simulate a complete AWS serverless environment locally.
Based on AWS best practices (SAA-C03), these labs cover:
- Function Provisioning: Deploying serverless compute with specific runtimes and execution roles.
- Synchronous Web Access: Exposing functions via built-in Lambda Function URLs.
- Asynchronous Polling: Decoupling systems with SQS Event Source Mappings.
- Safe Deployments: Implementing function Versions and Aliases for lifecycle management.
- Code Reusability: Leveraging Lambda Layers for shared libraries and logic.
- Scalability & Resiliency: Using Reserved Concurrency to guarantee compute availability.
- IAM Execution Roles: Implementing the principle of least privilege for Lambda functions.
- Docker & Docker Compose
- LocalStack Pro account and Auth Token
awslocalCLI (a wrapper around the AWS CLI for LocalStack)
-
Configure your LocalStack Auth Token in
.env:echo "YOUR_TOKEN=your_auth_token_here" > .env
-
Start LocalStack Pro:
docker-compose up -d
Important
Cumulative Architecture: These labs are designed as a cumulative scenario. You are building an evolving serverless infrastructure.
Session Persistence: These labs rely on bash variables (like $ROLE_ARN, $QUEUE_URL, $LAYER_ARN, $VERSION). Run all commands in the same terminal session to maintain context.
- Lab 1: Foundational Lambda Provisioning
- Lab 2: Synchronous Web Access (Function URLs)
- Lab 3: Asynchronous Polling (SQS Event Source Mapping)
- Lab 4: Code Reusability (Lambda Layers)
- Lab 5: Safe Deployments (Versions, Aliases & Concurrency)
This repository contains hands-on labs demonstrating core Amazon CloudWatch concepts, from log management and metric filtering to automated alarms and dashboards. Using LocalStack Pro, we simulate a complete AWS monitoring environment locally.
Based on AWS best practices (SAA-C03), these labs cover:
- Log Management: Creating log groups and streams to centralize application logs.
- Metric Filters: Automatically extracting numerical data from text logs for monitoring.
- CloudWatch Alarms: Setting thresholds to trigger notifications or automated actions via SNS.
- Custom Metrics: Publishing application-specific data points for monitoring.
- API Auditing: Implementing CloudTrail to track account activity for security and compliance.
- Continuous Compliance: Using AWS Config to automate resource evaluation and reporting.
- Secure Operations: Managing secrets and configuration with SSM Parameter Store.
- Docker & Docker Compose
- LocalStack Pro account and Auth Token
awslocalCLI (a wrapper around the AWS CLI for LocalStack)
-
Configure your LocalStack Auth Token in
.env:echo "YOUR_TOKEN=your_auth_token_here" > .env
-
Start LocalStack Pro:
docker-compose up -d
Important
Cumulative Architecture: These labs are designed as a cumulative scenario. You are building an evolving monitoring infrastructure.
- Lab 1: CloudWatch Logs & Metric Filters
- Lab 2: Automated Alerting (CloudWatch Alarms & SNS)
- Lab 3: API Auditing with AWS CloudTrail
- Lab 4: Continuous Compliance (AWS Config)
- Lab 5: Secure Operations (Systems Manager Parameter Store)
This repository contains hands-on labs demonstrating core Amazon ECS concepts, from foundational networking and image management to task definitions, services, and high availability. Using LocalStack Pro, we simulate a complete AWS container orchestration environment locally.
Based on AWS best practices (SAA-C03), these labs cover:
- Networking Foundation: Designing multi-AZ VPCs for container reliability.
- IAM Security: Implementing strict separation between Execution and Task roles.
- Cluster Management: Provisioning serverless ECS Fargate clusters.
- Task Definitions: Defining blueprints using the
awsvpcnetwork mode. - Batch & One-off Jobs: Running standalone Fargate tasks for migrations and processing.
- Image Management: Using Amazon ECR to securely store and version Docker images.
- Load Balancing: Distributing traffic to containers via ALB with IP-based targets.
- Service Orchestration: Deploying long-running ECS Services with self-healing and ALB integration.
- Service Auto Scaling: Implementing dynamic target-tracking scaling based on demand.
- Docker & Docker Compose
- LocalStack Pro account and Auth Token
awslocalCLI (a wrapper around the AWS CLI for LocalStack)
-
Configure your LocalStack Auth Token in
.env:echo "YOUR_TOKEN=your_auth_token_here" > .env
-
Start LocalStack Pro:
docker-compose up -d
Important
Cumulative Architecture: These labs are designed as a cumulative scenario. You are building an evolving containerized infrastructure.
Session Persistence: These labs rely on bash variables (like $VPC_ID, $TASK_SG, $TASK_DEF_ARN, $TG_ARN, etc.). Run all commands in the same terminal session to maintain context.
- Lab 1: Networking Foundation & ECR Registry
- Lab 2: IAM Role Separation (Execution vs. Task Roles)
- Lab 3: ECS Cluster & Task Definitions (awsvpc mode)
- Lab 4: Running Standalone Tasks (Fargate)
- Lab 5: Application Load Balancer Integration (IP Targets)
- Lab 6: ECS Long-Running Services
- Lab 7: Service Auto Scaling (Target Tracking)
This repository contains hands-on labs demonstrating core Amazon EKS concepts, from foundational cluster provisioning and networking to node group management, deployments, and security. Using LocalStack Pro, we simulate a complete AWS Kubernetes environment locally.
Based on AWS best practices (SAA-C03), these labs cover:
- Control Plane Management: Provisioning managed EKS clusters with IAM service roles.
- Networking Foundation: Designing multi-AZ VPCs required for Kubernetes reliability.
- Worker Nodes: Deploying and scaling EC2 Managed Node Groups.
- Serverless Kubernetes: Using Fargate Profiles to run pods without managing nodes.
- EKS Security: Implementing IRSA (IAM Roles for Service Accounts) and modern Access Entries.
- Cluster Add-ons: Managing operational software like VPC CNI natively via the EKS API.
- Cluster Connectivity: Configuring
kubectlto manage resources viaupdate-kubeconfig. - Kubernetes Orchestration: (Upcoming) Deploying applications using Helm and kubectl.
- Observability: (Upcoming) Monitoring clusters with CloudWatch container insights.
- Docker & Docker Compose
- LocalStack Pro account and Auth Token
awslocalCLI (a wrapper around the AWS CLI for LocalStack)kubectl(optional, for interacting with the cluster)
-
Configure your LocalStack Auth Token in
.env:echo "YOUR_TOKEN=your_auth_token_here" > .env
-
Start LocalStack Pro:
docker-compose up -d
Important
Cumulative Architecture: These labs are designed as a cumulative scenario. You are building an evolving Kubernetes infrastructure.
Session Persistence: These labs rely on bash variables (like $VPC_ID, $CLUSTER_ROLE_ARN, $OIDC_URL, etc.). Run all commands in the same terminal session to maintain context.
- Lab 1: Network Foundation & Control Plane
- Lab 2: Data Plane (Managed Node Groups)
- Lab 3: Serverless Data Plane (Fargate Profiles)
- Lab 4: Security Identity (OIDC & IRSA)
- Lab 5: Cluster Add-ons Management (VPC CNI)
- Lab 6: Modern Access Management (Access Entries)
- Lab 7: Connecting to the Cluster (kubeconfig)
This repository contains hands-on labs demonstrating core Amazon API Gateway concepts, from RESTful API design and Lambda integrations to asynchronous patterns, security, and deployment stages. Using LocalStack Pro, we simulate a complete AWS API management environment locally.
Based on AWS best practices (SAA-C03), these labs cover:
- Synchronous REST APIs: Connecting HTTP endpoints to Lambda functions via Proxy Integrations.
- Asynchronous Processing: Implementing the Storage-First pattern using direct SQS integrations.
- Fan-Out Webhooks: Integrating directly with SNS to broadcast messages to multiple subscribers.
- Event Routing: Directly ingesting webhooks onto an EventBridge Custom Bus.
- Request Validation: Enforcing parameter and schema validation at the edge to reduce backend load.
- Deployment Management: Managing immutable snapshots and Stages (dev/prod) for CI/CD.
- API Security: Implementing API Keys and Usage Plans for throttling and monetization.
- Docker & Docker Compose
- LocalStack Pro account and Auth Token
awslocalCLI (a wrapper around the AWS CLI for LocalStack)
-
Configure your LocalStack Auth Token in
.env:echo "YOUR_TOKEN=your_auth_token_here" > .env
-
Start LocalStack Pro:
docker-compose up -d
Important
Cumulative Architecture: These labs are designed as a cumulative scenario. You are building an evolving API infrastructure.
Session Persistence: These labs rely on bash variables (like $API_ID, $LAMBDA_ARN, $VALIDATOR_ID, $PLAN_ID, etc.). Run all commands in the same terminal session to maintain context.
- Lab 1: Foundational API & Synchronous Lambda
- Lab 2: Storage-First Pattern (Direct SQS Integration)
- Lab 3: Fan-Out Webhooks (Direct SNS Integration)
- Lab 4: Event Routing (Direct EventBridge Integration)
- Lab 5: Payload Edge Validation
- Lab 6: API Deployments & Stages
- Lab 7: Monetization & Security (API Keys & Throttling)
This repository contains hands-on labs demonstrating core AWS DevOps concepts, from source control and automated builds to continuous deployment and orchestration. Using LocalStack Pro, we simulate a complete AWS CI/CD environment locally.
Based on AWS best practices (SAA-C03), these labs cover:
- Source Control: Managing private Git repositories with Amazon CodeCommit.
- Pipeline Infrastructure: Provisioning S3 artifact storage and IAM service roles.
- Continuous Integration: Automating builds and tests with AWS CodeBuild.
- Deployment Targets: Provisioning and tagging EC2 instances for automated deployments.
- Continuous Deployment: Automating application updates with AWS CodeDeploy.
- Pipeline Orchestration: Linking stages together with AWS CodePipeline for full automation.
- Monitoring & Execution: Triggering and tracking real-time pipeline status.
- Infrastructure as Code: (Upcoming) Automating resource provisioning within the pipeline.
- Docker & Docker Compose
- LocalStack Pro account and Auth Token
awslocalCLI (a wrapper around the AWS CLI for LocalStack)
-
Configure your LocalStack Auth Token in
.env:echo "YOUR_TOKEN=your_auth_token_here" > .env
-
Start LocalStack Pro:
docker-compose up -d
Important
Cumulative Architecture: These labs are designed as a cumulative scenario. You are building an evolving CI/CD infrastructure.
Session Persistence: These labs rely on bash variables (like $BUILD_ROLE, $PIPELINE_ROLE, $DEPLOY_ROLE, etc.). Run all commands in the same terminal session to maintain context.
- Lab 1: Source Control (AWS CodeCommit)
- Lab 2: Artifact Storage & IAM Foundations
- Lab 3: Continuous Integration (AWS CodeBuild)
- Lab 4: Provisioning Deployment Targets (EC2)
- Lab 5: Continuous Deployment (AWS CodeDeploy)
- Lab 6: Pipeline Orchestration (AWS CodePipeline)
- Lab 7: Pipeline Execution & Monitoring
This repository contains hands-on labs demonstrating core Infrastructure as Code (IaC) concepts using HashiCorp Terraform. Using LocalStack Pro and the tflocal wrapper, we simulate a complete AWS environment to practice declarative resource provisioning, state management, and modular design.
Based on AWS best practices (SAA-C03), these labs cover:
- Declarative Provisioning: Defining infrastructure as code to ensure consistency and repeatability.
- Dynamic Lookups: Using Data Sources to fetch AMIs and other external information.
- Variables & Outputs: Making configurations dynamic, reusable, and extractable.
- Security as Code: Managing IAM roles and policies via version-controlled HCL.
- Compute Management: Provisioning and modifying EC2 instances via code.
- Advanced Networking: Deploying Application Load Balancers and Target Groups.
- Modular Design: Organizing resources into reusable, standardized modules.
- Networking Foundation: Designing VPCs and Subnets via code.
- State Management: Implementing remote state storage and locking via S3 and DynamoDB.
- Docker & Docker Compose
- LocalStack Pro account and Auth Token
- Terraform installed locally
tflocalCLI (a wrapper around Terraform for LocalStack)
-
Configure your LocalStack Auth Token in
.env:echo "YOUR_TOKEN=your_auth_token_here" > .env
-
Start LocalStack Pro:
docker-compose up -d
Important
Cumulative Architecture: These labs are designed as a cumulative scenario. You are building an evolving infrastructure stack.
- Lab 1: Provider Setup & Foundational Networking
- Lab 2: Dynamic Data Sources & Compute
- Lab 3: Variables, Tfvars, and Outputs
- Lab 4: IAM & Security as Code
- Lab 5: Advanced Networking (Load Balancers)
- Lab 6: Modularity & Advanced State Routing (Native Terraform)
- Lab 7: Remote State Architecture