# AWS Projects List

A comprehensive list of AWS projects organized by domain, roughly ordered by complexity within each category.

---

## Where to Start

Billing alarm → S3 backup bucket with IAM role → VPC from scratch in Terraform. Those three in sequence will teach you the three most foundational AWS concepts (cost awareness, IAM, networking) in a hands-on way before you touch anything else.

---
## Networking & VPC

- Build a VPC from scratch with Terraform — subnets, route tables, internet gateway, security groups, no console clicking
- Multi-tier VPC: public subnet (bastion/NAT), private subnet (app), isolated subnet (DB)
- VPC Peering between two VPCs in the same account
- Transit Gateway connecting multiple VPCs
- Site-to-site VPN between your Proxmox homelab and AWS
- AWS Client VPN for remote access (replace or complement Tailscale)
- VPC Flow Logs into CloudWatch or S3 for network analysis
- PrivateLink to expose a service privately across VPCs
- IPv6 dual-stack VPC setup

---

## IAM & Security

- Billing alarm via CloudWatch on day one — do this first, always
- Multi-account setup with AWS Organizations and SCPs (Service Control Policies)
- IAM Identity Center (SSO) across your accounts
- Least-privilege IAM roles for every service — no root, no wildcard policies
- AWS Config rules to detect drift from your security baseline
- CloudTrail across all accounts logging to a central S3 bucket
- GuardDuty for threat detection
- AWS Secrets Manager for rotating credentials (replace any hardcoded secrets)
- KMS customer-managed keys for encrypting S3, EBS, RDS
- Security Hub aggregating findings across services

---

## Storage & Backup

- S3 bucket for rclone backups from your Proxmox homelab with proper IAM roles
- S3 lifecycle policies — transition to Glacier Instant Retrieval after 30 days, Glacier Deep Archive after 90
- S3 versioning and Object Lock for immutable backups
- S3 replication across regions for disaster recovery
- AWS Backup for centralized backup policy across EC2, RDS, EFS
- EFS (Elastic File System) shared across multiple EC2 instances
- DataSync to migrate data from your TrueNAS to S3
- S3 Intelligent-Tiering for your Immich photo archive offload

---

## Compute

- EC2 instance Terraform-managed, no manual console setup
- Auto Scaling Group with launch templates and scaling policies
- Spot Instances for interruptible workloads to cut costs
- EC2 Image Builder to create custom AMIs (like your NixOS or Fedora configs)
- Systems Manager Session Manager instead of SSH (no open port 22)
- Run your Ghost blog on EC2 behind an ALB
- Run your open.mp GTA:SA server on EC2
- Graviton (ARM) instances — cheaper, good for your Linux workloads

---

## Containers & Orchestration

- Dockerize one of your existing services (Ghost, Navidrome, anything)
- ECR (Elastic Container Registry) to host your Docker images
- ECS Fargate — run containers without managing servers
- ECS with EC2 launch type — more control, cheaper at scale
- EKS (Kubernetes) cluster — the full platform engineering path
- Helm chart deployment onto EKS
- Migrate your Nginx reverse proxy pattern to an ALB + ECS setup
- Service mesh with AWS App Mesh on EKS

---

## Serverless

- Lambda function in Python or Node.js — start with something trivial
- API Gateway + Lambda REST API
- Serverless contact/order form for Nairi Café — API Gateway + Lambda + SES
- Stripe webhook handler in Lambda for Nairi Café payments
- Lambda@Edge for CloudFront request manipulation
- EventBridge scheduled rules to trigger Lambda (replace cron jobs)
- Step Functions for multi-step workflow orchestration
- SQS queue between services for decoupling
- SNS topic for fan-out notifications
- DynamoDB + Lambda for a simple serverless backend

---

## Databases

- RDS PostgreSQL in a private subnet, accessed via bastion
- RDS Multi-AZ for high availability
- RDS Read Replica for read scaling
- Aurora Serverless v2 — scales to zero, good for Nairi Café
- DynamoDB table with on-demand billing
- DynamoDB Streams + Lambda for event-driven data processing
- ElastiCache Redis in front of RDS for caching
- Database Migration Service (DMS) to migrate an existing DB to RDS

---

## CDN & DNS

- Route 53 hosted zone for one of your domains
- Route 53 health checks and failover routing
- CloudFront distribution in front of Nairi Café
- CloudFront + S3 for a static site (could be a Ghost export)
- CloudFront + ALB with custom cache behaviors
- ACM (Certificate Manager) SSL cert for your CloudFront distribution
- Route 53 latency-based routing between regions
- WAF (Web Application Firewall) attached to CloudFront

---

## CI/CD & DevOps

- GitHub Actions pipeline deploying to EC2 or ECS
- CodePipeline + CodeBuild for a fully AWS-native CI/CD pipeline
- CodeDeploy for blue/green deployments
- Terraform Cloud or S3 remote state for your AWS Terraform (mirrors your Proxmox MinIO setup)
- Terragrunt for DRY multi-account Terraform
- AWS CDK in TypeScript as an alternative to Terraform
- Atlantis on EC2 for GitOps-driven Terraform PRs

---

## Monitoring & Observability

- CloudWatch dashboards mirroring your Grafana homelab setup
- CloudWatch Logs for centralized log aggregation
- CloudWatch Alarms + SNS email notifications (mirrors your Prometheus alerting)
- AWS Managed Grafana pulling from CloudWatch
- X-Ray distributed tracing on a Lambda or ECS workload
- Container Insights for ECS/EKS metrics
- AWS Distro for OpenTelemetry (ADOT) — bridge to your existing Prometheus stack

---

## AI & ML Infrastructure

- SageMaker endpoint serving a pre-trained model
- Bedrock API call from Lambda — easiest AI integration on AWS
- S3 + Textract to extract text from scanned documents
- Rekognition for image analysis (interesting given your photography)
- Translate API — Armenian language translation pipeline, relevant to your wiki
- Comprehend for NLP on your blog content
- OpenSearch (managed Elasticsearch) for full-text search on your Ghost blog

---

## Real Projects Tied to Things You Already Run

- Full AWS mirror of your homelab architecture — VPC, EC2s, ALB, Route 53 — Terraform-managed
- Disaster recovery target for yeghiasargis.com on AWS
- Nairi Café fully migrated to AWS — Aurora Serverless + ECS Fargate + CloudFront
- Immich photo offload to S3 with lifecycle policies to Glacier
- Armenian tech wiki search layer using OpenSearch
- Multi-region Ghost deployment with RDS Aurora Global and CloudFront
- Self-hosted Nextcloud backup to S3 (complement your existing VM 108)
- AWS landing zone for a simulated startup — full multi-account, Organizations, SSO, CloudTrail, GuardDuty