# AWS Projects List

A comprehensive list of AWS projects organized by domain, roughly ordered by complexity within each category.

---

## Where to Start

Billing alarm → S3 backup bucket with IAM role → VPC from scratch in Terraform. Those three, done in sequence, teach the three most foundational AWS concepts (cost awareness, IAM, networking) hands-on before you touch anything else.

---

## Networking & VPC

- Build a VPC from scratch with Terraform — subnets, route tables, internet gateway, security groups, no console clicking
- Multi-tier VPC: public subnet (bastion/NAT), private subnet (app), isolated subnet (DB, no route to the internet at all)
- VPC Peering between two VPCs in the same account (CIDRs must not overlap; peering is not transitive)
- Transit Gateway connecting multiple VPCs
- Site-to-site VPN between your Proxmox homelab and AWS
- AWS Client VPN for remote access (replace or complement Tailscale)
- VPC Flow Logs into CloudWatch or S3 for network analysis
- PrivateLink to expose a service privately across VPCs
- IPv6 dual-stack VPC setup

---

## IAM & Security

- Billing alarm via CloudWatch on day one — do this first, always (enable "Receive Billing Alerts" in the billing preferences first; the `EstimatedCharges` metric only exists in us-east-1)
- Multi-account setup with AWS Organizations and SCPs (Service Control Policies)
- IAM Identity Center (SSO) across your accounts
- Least-privilege IAM roles for every service — no root-user access keys, no wildcard (`*`) actions or resources
- AWS Config rules to detect drift from your security baseline
- CloudTrail organization trail across all accounts logging to a central S3 bucket, with log file validation enabled
- GuardDuty for threat detection
- AWS Secrets Manager for rotating credentials (replace any hardcoded secrets)
- KMS customer-managed keys for encrypting S3, EBS, RDS
- Security Hub aggregating findings across services

---

## Storage & Backup

- S3 bucket for rclone backups from your Proxmox homelab with a tightly scoped IAM identity (a dedicated user with a bucket-scoped policy, or IAM Roles Anywhere for short-lived credentials)
- S3 lifecycle policies — transition to Glacier Instant Retrieval after 30 days, Glacier Deep Archive after 90 (note that Glacier Instant Retrieval bills a 90-day minimum, so moving on at day 90 still pays for 30 unused days; 30 → 120 avoids the charge)
- S3 versioning and Object Lock for immutable backups (Object Lock requires versioning)
- S3 replication across regions for disaster recovery
- AWS Backup for centralized backup policy across EC2, RDS, EFS
- EFS (Elastic File System) shared across multiple EC2 instances
- DataSync to migrate data from your TrueNAS to S3
- S3 Intelligent-Tiering for your Immich photo archive offload

---

## Compute

- EC2 instance Terraform-managed, no manual console setup
- Auto Scaling Group with launch templates and scaling policies
- Spot Instances for interruptible workloads to cut costs
- EC2 Image Builder to create custom AMIs (like your NixOS or Fedora configs)
- Systems Manager Session Manager instead of SSH (no inbound port 22; session activity can be logged to CloudWatch or S3)
- Run your Ghost blog on EC2 behind an ALB
- Run your open.mp GTA:SA server on EC2
- Graviton (ARM) instances — cheaper, good for your Linux workloads

---

## Containers & Orchestration

- Dockerize one of your existing services (Ghost, Navidrome, anything)
- ECR (Elastic Container Registry) to host your Docker images (turn on scan-on-push)
- ECS Fargate — run containers without managing servers
- ECS with EC2 launch type — more control, cheaper at scale
- EKS (Kubernetes) cluster — the full platform engineering path
- Helm chart deployment onto EKS
- Migrate your Nginx reverse proxy pattern to an ALB + ECS setup
- Service mesh on EKS: AWS App Mesh is deprecated (end of support September 30, 2026), so use Amazon VPC Lattice or a CNCF mesh such as Istio instead

---

## Serverless

- Lambda function in Python or Node.js — start with something trivial
- API Gateway + Lambda REST API
- Serverless contact/order form for Nairi Café — API Gateway + Lambda + SES
- Stripe webhook handler in Lambda for Nairi Café payments (verify the `Stripe-Signature` header before trusting the payload)
- Lambda@Edge for CloudFront request manipulation (CloudFront Functions is the lighter option for simple header rewrites)
- EventBridge scheduled rules to trigger Lambda (replace cron jobs)
- Step Functions for multi-step workflow orchestration
- SQS queue between services for decoupling (add a dead-letter queue)
- SNS topic for fan-out notifications
- DynamoDB + Lambda for a simple serverless backend

---

## Databases

- RDS PostgreSQL in a private subnet, accessed via bastion
- RDS Multi-AZ for high availability
- RDS Read Replica for read scaling
- Aurora Serverless v2 — scales down to zero ACUs with auto-pause, good for Nairi Café
- DynamoDB table with on-demand billing
- DynamoDB Streams + Lambda for event-driven data processing
- ElastiCache Redis in front of RDS for caching
- Database Migration Service (DMS) to migrate an existing DB to RDS

---

## CDN & DNS

- Route 53 hosted zone for one of your domains
- Route 53 health checks and failover routing
- CloudFront distribution in front of Nairi Café
- CloudFront + S3 for a static site (could be a Ghost export); keep the bucket private behind Origin Access Control
- CloudFront + ALB with custom cache behaviors
- ACM (Certificate Manager) TLS cert for your CloudFront distribution (must be issued in us-east-1)
- Route 53 latency-based routing between regions
- WAF (Web Application Firewall) attached to CloudFront (the web ACL must be created with CloudFront scope, which lives in us-east-1)

---

## CI/CD & DevOps

- GitHub Actions pipeline deploying to EC2 or ECS (assume a role via OIDC federation instead of storing long-lived access keys in the repo)
- CodePipeline + CodeBuild for a fully AWS-native CI/CD pipeline
- CodeDeploy for blue/green deployments
- Terraform Cloud or S3 remote state for your AWS Terraform, with state locking enabled (mirrors your Proxmox MinIO setup)
- Terragrunt for DRY multi-account Terraform
- AWS CDK in TypeScript as an alternative to Terraform
- Atlantis on EC2 for GitOps-driven Terraform PRs

---

## Monitoring & Observability

- CloudWatch dashboards mirroring your Grafana homelab setup
- CloudWatch Logs for centralized log aggregation
- CloudWatch Alarms + SNS email notifications (mirrors your Prometheus alerting)
- AWS Managed Grafana pulling from CloudWatch
- X-Ray distributed tracing on a Lambda or ECS workload
- Container Insights for ECS/EKS metrics
- AWS Distro for OpenTelemetry (ADOT) — bridge to your existing Prometheus stack

---

## AI & ML Infrastructure

- SageMaker endpoint serving a pre-trained model
- Bedrock API call from Lambda — easiest AI integration on AWS
- S3 + Textract to extract text from scanned documents
- Rekognition for image analysis (interesting given your photography)
- Translate API — Armenian language translation pipeline, relevant to your wiki
- Comprehend for NLP on your blog content
- OpenSearch Service (managed OpenSearch, the Elasticsearch fork) for full-text search on your Ghost blog

---

## Real Projects Tied to Things You Already Run

- Full AWS mirror of your homelab architecture — VPC, EC2s, ALB, Route 53 — Terraform-managed
- Disaster recovery target for yeghiasargis.com on AWS
- Nairi Café fully migrated to AWS — Aurora Serverless + ECS Fargate + CloudFront
- Immich photo offload to S3 with lifecycle policies to Glacier
- Armenian tech wiki search layer using OpenSearch
- Multi-region Ghost deployment with RDS Aurora Global and CloudFront
- Self-hosted Nextcloud backup to S3 (complement your existing VM 108)
- AWS landing zone for a simulated startup — full multi-account, Organizations, SSO, CloudTrail, GuardDuty
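The "VPC Flow Logs into CloudWatch or S3 for network analysis" item is the kind of project where the interesting part is what you do with the records once they land. As an added example (not code from the original list), this Python parses the default version-2 flow-log record format and flags two things a security group should already be stopping: repeated rejected SSH attempts from one source, and a multi-port TCP sweep against one host. The log lines are constructed sample data, the account ID is the AWS documentation placeholder, and the alert thresholds are illustrative assumptions rather than AWS defaults.

```python
"""Triage VPC Flow Logs (default v2 format) for rejected SSH and port scans.

Added example for the 'VPC Flow Logs into CloudWatch or S3 for network analysis'
item; not code from the original list. SAMPLE_LOG is constructed data and the
alert thresholds are illustrative assumptions, not AWS defaults.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Default flow-log record format (version 2): 14 space-separated fields.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
TCP = 6


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    action: str


def parse_flow_log(text: str) -> list[FlowRecord]:
    """Parse default-format records. NODATA/SKIPDATA lines carry '-' in the
    numeric fields, so they are dropped before any int() conversion."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # header line or a custom format; ignore
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        records.append(FlowRecord(
            rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]), int(rec["dstport"]),
            int(rec["protocol"]), int(rec["packets"]), int(rec["bytes"]), rec["action"]))
    return records


def rejected_ssh_sources(records, min_attempts=3):
    """Sources with at least min_attempts REJECTed TCP flows to port 22."""
    counts = defaultdict(int)
    for r in records:
        if r.action == "REJECT" and r.protocol == TCP and r.dstport == 22:
            counts[r.srcaddr] += 1
    return {src: n for src, n in counts.items() if n >= min_attempts}


def port_scan_sources(records, min_ports=5):
    """(src, dst) pairs where one source probed at least min_ports distinct TCP
    ports on one host and every probe was rejected by the security group/NACL."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT" and r.protocol == TCP:
            ports[(r.srcaddr, r.dstaddr)].add(r.dstport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


# Constructed sample: three SSH rejects from one host, a six-port TCP sweep plus a
# UDP probe from another, one legitimate HTTPS flow, and a NODATA record.
ENI = "eni-0a1b2c3d4e5f6a7b8"
SAMPLE_LOG = "\n".join([
    f"2 123456789012 {ENI} 198.51.100.7 10.0.1.10 51234 22 6 4 240 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} 198.51.100.7 10.0.1.10 51235 22 6 4 240 1700000060 1700000120 REJECT OK",
    f"2 123456789012 {ENI} 198.51.100.7 10.0.1.10 51236 22 6 4 240 1700000120 1700000180 REJECT OK",
    f"2 123456789012 {ENI} 203.0.113.9 10.0.1.10 40001 21 6 1 60 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} 203.0.113.9 10.0.1.10 40002 22 6 1 60 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} 203.0.113.9 10.0.1.10 40003 23 6 1 60 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} 203.0.113.9 10.0.1.10 40004 80 6 1 60 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} 203.0.113.9 10.0.1.10 40005 443 6 1 60 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} 203.0.113.9 10.0.1.10 40006 3389 6 1 60 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} 203.0.113.9 10.0.1.10 40007 53 17 1 60 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} 10.0.2.5 10.0.1.10 44321 443 6 20 8000 1700000000 1700000060 ACCEPT OK",
    f"2 123456789012 {ENI} - - - - - - - 1700000000 1700000060 - NODATA",
])

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    print("SSH brute-force candidates:", rejected_ssh_sources(recs))
    print("Port-scan candidates:", port_scan_sources(recs))
```

Pointing this at real data means reading the objects S3 or CloudWatch Logs delivered (gzip text in the default format) instead of `SAMPLE_LOG`; the parser deliberately rejects records with the wrong field count, so switch `FIELDS` to your custom field list if you enabled one. Note that REJECT here means the packet never reached the instance: the signal is reconnaissance against your perimeter, not a compromise.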
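For the "Least-privilege IAM roles for every service, no wildcard policies" item, a concrete way to hold yourself to the rule is to lint every policy document before `terraform apply`. The following is an added example, not the list's own code or an AWS tool: a small Python checker that flags `*` actions, mutating actions granted on `Resource: "*"`, unconditioned privilege-escalation primitives such as `iam:PassRole` on `*`, `NotAction` grants, and anonymous principals in a resource policy. The three policies at the bottom are constructed samples; the escalation-action list and the read-only verb prefixes are an assumed baseline rather than an exhaustive one.

```python
"""Lint IAM policy documents for common least-privilege violations.

Added example for the 'Least-privilege IAM roles for every service' item (no
wildcard policies); not code from the original list. The policies at the bottom
are constructed samples, and the rule set is an illustrative baseline rather
than a replacement for IAM Access Analyzer policy validation.
"""
from __future__ import annotations

import fnmatch
import json

# Actions that change who may do what. Granted on Resource "*" with no Condition,
# each one is a well-known privilege-escalation primitive (assumed baseline list).
ESCALATION_ACTIONS = (
    "iam:passrole", "iam:createpolicyversion", "iam:setdefaultpolicyversion",
    "iam:attachrolepolicy", "iam:attachuserpolicy", "iam:putrolepolicy",
    "iam:putuserpolicy", "iam:createaccesskey", "iam:updateassumerolepolicy",
    "sts:assumerole",
)
READ_ONLY_PREFIXES = ("get", "list", "describe", "head")


def _as_list(value) -> list:
    """Most IAM fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    """'ec2:describe*' -> True, 's3:putobject' -> False, '*' -> False."""
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)


def _covers(patterns: list[str], action: str) -> bool:
    """True if any action pattern (IAM '*' and '?' wildcards) matches `action`."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _principal_is_open(principal) -> bool:
    """'*' or {"AWS": "*"} means anyone, including anonymous callers."""
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def lint_policy(doc) -> list[tuple[str, str]]:
    """Return (Sid, rule) findings for each Allow statement that breaks a rule.
    `doc` is a policy JSON string or an already-parsed dict."""
    policy = json.loads(doc) if isinstance(doc, str) else doc
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid") or f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "not-action"))  # grants everything *not* listed
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, "wildcard-action"))
        if "*" in resources and any(not _is_read_only(a) for a in actions):
            findings.append((sid, "wildcard-resource"))  # mutating action, every resource
        if "*" in resources and not conditioned and any(_covers(actions, e) for e in ESCALATION_ACTIONS):
            findings.append((sid, "escalation"))
        if "Principal" in stmt and not conditioned and _principal_is_open(stmt["Principal"]):
            findings.append((sid, "open-principal"))  # anonymous access in a resource policy
    return findings


# Constructed sample policies (not from the original page).
BAD_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "PassAnyRole", "Effect": "Allow",
     "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
    {"Sid": "ReadOnlyOk", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
]})
BUCKET = "arn:aws:s3:::homelab-backups"
SCOPED_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupRW", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, f"{BUCKET}/*"]},
    {"Sid": "PassOnlyAppRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/app-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    {"Sid": "DenyUnencrypted", "Effect": "Deny", "Action": "s3:PutObject",
     "Resource": f"{BUCKET}/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
]})
PUBLIC_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"},
]})

if __name__ == "__main__":
    for name, doc in [("bad", BAD_ROLE_POLICY), ("scoped", SCOPED_ROLE_POLICY),
                      ("public", PUBLIC_BUCKET_POLICY)]:
        print(name, lint_policy(doc) or "clean")
```

Run it in CI over the rendered `aws_iam_policy_document` output (`terraform show -json` exposes the policy JSON) and fail the build on any finding. The checker intentionally lets `ec2:Describe*` on `Resource: "*"` through, because many Describe/List calls do not support resource-level permissions; everything that mutates state should name its ARNs.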
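The 30/90 lifecycle schedule in the Storage & Backup section runs into a billing rule: Glacier Instant Retrieval charges a 90-day minimum storage duration, so transitioning to Deep Archive at day 90 still pays for 30 unused days. The following added example (not code from the original list) encodes the published minimum durations, the storage-class waterfall, and the 30-day rule for the IA classes, then checks a lifecycle rule's transitions against them. The two schedules at the bottom are constructed: one matches the list's numbers, the other is the corrected 30/120 variant.

```python
"""Check an S3 lifecycle transition schedule against storage-class minimums.

Added example for the 'S3 lifecycle policies' item; not code from the original
list. The tables encode the published S3 rules: each class bills a minimum
storage duration (transitioning or expiring earlier is charged pro rata for the
remainder), objects may only move down the storage-class waterfall, and the IA
classes require 30 days in S3 first. PAGE_SCHEDULE is the 30/90-day schedule
from the list, re-expressed in lifecycle-rule shape.
"""
from __future__ import annotations

# Transition waterfall: an object may only move to a class later in this list.
WATERFALL = ["STANDARD", "STANDARD_IA", "INTELLIGENT_TIERING", "ONEZONE_IA",
             "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE"]

# Minimum billable storage duration per class, in days (0 = no minimum).
MIN_DURATION_DAYS = {
    "STANDARD": 0, "INTELLIGENT_TIERING": 0,
    "STANDARD_IA": 30, "ONEZONE_IA": 30,
    "GLACIER_IR": 90, "GLACIER": 90, "DEEP_ARCHIVE": 180,
}
IA_CLASSES = {"STANDARD_IA", "ONEZONE_IA"}  # need 30 days in S3 before transition


def _early_exit(cls: str, held_days: int, what: str) -> list[str]:
    """Warn when an object leaves `cls` before that class's billing minimum."""
    minimum = MIN_DURATION_DAYS[cls]
    if held_days >= minimum:
        return []
    return [f"{what}: {cls} held {held_days} days but bills a {minimum}-day minimum; "
            f"{minimum - held_days} days are charged as an early exit"]


def check_transitions(transitions: list[dict], expiration_days: int | None = None) -> list[str]:
    """Validate the Transitions (and optional Expiration) of one lifecycle rule.

    transitions: [{"Days": int, "StorageClass": str}, ...] as in the rule JSON.
    Returns warnings in schedule order; an empty list means the rule is clean.
    """
    warnings: list[str] = []
    prev_class, prev_day = "STANDARD", 0
    for step in sorted(transitions, key=lambda t: t["Days"]):
        cls, day = step["StorageClass"], step["Days"]
        if cls not in MIN_DURATION_DAYS:
            warnings.append(f"day {day}: unknown storage class {cls}")
            continue
        if WATERFALL.index(cls) <= WATERFALL.index(prev_class):
            warnings.append(f"day {day}: {prev_class} -> {cls} goes against the "
                            "waterfall; S3 rejects this rule")
        if cls in IA_CLASSES and day < 30:
            warnings.append(f"day {day}: {cls} requires 30 days in S3 first")
        warnings.extend(_early_exit(prev_class, day - prev_day, f"transition at day {day}"))
        prev_class, prev_day = cls, day
    if expiration_days is not None:
        warnings.extend(_early_exit(prev_class, expiration_days - prev_day,
                                    f"expiration at day {expiration_days}"))
    return warnings


# The schedule from the list above, constructed in lifecycle-rule shape.
PAGE_SCHEDULE = [{"Days": 30, "StorageClass": "GLACIER_IR"},
                 {"Days": 90, "StorageClass": "DEEP_ARCHIVE"}]
# Same intent, but Deep Archive waits until the 90-day GLACIER_IR minimum is paid.
FIXED_SCHEDULE = [{"Days": 30, "StorageClass": "GLACIER_IR"},
                  {"Days": 120, "StorageClass": "DEEP_ARCHIVE"}]

if __name__ == "__main__":
    for name, sched in [("page", PAGE_SCHEDULE), ("fixed", FIXED_SCHEDULE)]:
        print(name, check_transitions(sched) or ["clean"])
    print("fixed + expire@200", check_transitions(FIXED_SCHEDULE, expiration_days=200))
```

Feed it the `Transitions` array and `Expiration.Days` from `aws s3api get-bucket-lifecycle-configuration` (or the Terraform `transition` blocks) before applying; the early-exit charges are pro-rated, so on a large backup set a 30-day gap in Glacier Instant Retrieval is real money, and for the rclone backup bucket above the 30/120 schedule costs nothing extra in retrieval terms.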