%22%2F%3E%3Ccircle%20cx%3D%22700%22%20cy%3D%22100%22%20r%3D%22140%22%20fill%3D%22%23ef4444%22%20opacity%3D%220.12%22%2F%3E%3Ccircle%20cx%3D%22100%22%20cy%3D%22380%22%20r%3D%22120%22%20fill%3D%22%23fca5a5%22%20opacity%3D%220.10%22%2F%3E%3Crect%20x%3D%2240%22%20y%3D%2240%22%20width%3D%22180%22%20height%3D%2230%22%20rx%3D%2215%22%20fill%3D%22%23fca5a5%22%2F%3E%3Ctext%20x%3D%2261%22%20y%3D%2261%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%23450a0a%22%3EAWS%20DEEP%20DIVE%20%C2%B7%20PART%204%20OF%204%3C%2Ftext%3E%3Ctext%20x%3D%2240%22%20y%3D%22130%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2236%22%20font-weight%3D%22800%22%20fill%3D%22%23ffffff%22%3ESecurity%2C%20Observability%20%26amp%3B%20DevOps%3C%2Ftext%3E%3Ctext%20x%3D%2240%22%20y%3D%22180%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2222%22%20font-weight%3D%22800%22%20fill%3D%22%23ffffff%22%3EIAM%20%C2%B7%20CloudWatch%20%C2%B7%20CloudFormation%20%C2%B7%20Secrets%20Manager%3C%2Ftext%3E%3Ctext%20x%3D%2240%22%20y%3D%22220%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2222%22%20font-weight%3D%22700%22%20fill%3D%22url(%23gg)%22%3EOperating%20an%20AWS%20Workload%20Safely%3C%2Ftext%3E%3Ctext%20x%3D%2240%22%20y%3D%22255%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2214%22%20fill%3D%22%23fecaca%22%3EFinal%204%20of%2020%20most-used%20AWS%20services%20with%20diagrams%3C%2Ftext%3E%3Crect%20x%3D%2240%22%20y%3D%22290%22%20width%3D%22170%22%20height%3D%22100%22%20rx%3D%2210%22%20fill%3D%22%23fca5a5%22%20stroke%3D%22%23ef4444%22%20stroke-width%3D%222%22%2F%3E%3Ctext%20x%3D%22125%22%20y%3D%22340%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2220%22%20font-weight%3D%22800%22%20fill%3D%22%23450a0a%22%3EIAM%3C%2Ftext%3E%3Ctext%20x%3D%22125%22%20y%3D%22368%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20fill%3D%22%23450a0a%22%3EIdentity%20%26amp%3B%20access%3C%2Ftext%3E%3Crect%20x%3D%22220%22%20y%3D%22290%22%20width%3D%22170%22%20height%3D%22100%22%20rx%3D%2210%22%20fill%3D%22%23fca5a5%22%20stroke%3D%22%23ef4444%22%20stroke-width%3D%222%22%2F%3E%3Ctext%20x%3D%22305%22%20y%3D%22340%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2220%22%20font-weight%3D%22800%22%20fill%3D%22%23450a0a%22%3ECloudWatch%3C%2Ftext%3E%3Ctext%20x%3D%22305%22%20y%3D%22368%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20fill%3D%22%23450a0a%22%3EMetrics%20%26amp%3B%20logs%3C%2Ftext%3E%3Crect%20x%3D%22400%22%20y%3D%22290%22%20width%3D%22170%22%20height%3D%22100%22%20rx%3D%2210%22%20fill%3D%22%23fca5a5%22%20stroke%3D%22%23ef4444%22%20stroke-width%3D%222%22%2F%3E%3Ctext%20x%3D%22485%22%20y%3D%22340%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2220%22%20font-weight%3D%22800%22%20fill%3D%22%23450a0a%22%3ECloudFormation%3C%2Ftext%3E%3Ctext%20x%3D%22485%22%20y%3D%22368%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20fill%3D%22%23450a0a%22%3EInfra%20as%20code%3C%2Ftext%3E%3Crect%20x%3D%22580%22%20y%3D%22290%22%20width%3D%22170%22%20height%3D%22100%22%20rx%3D%2210%22%20fill%3D%22%23fca5a5%22%20stroke%3D%22%23ef4444%22%20stroke-width%3D%222%22%2F%3E%3Ctext%20x%3D%22665%22%20y%3D%22340%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2220%22%20font-weight%3D%22800%22%20fill%3D%22%23450a0a%22%3ESecrets%20Mgr%3C%2Ftext%3E%3Ctext%20x%3D%22665%22%20y%3D%22368%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20fill%3D%22%23450a0a%22%3ECredentials%3C%2Ftext%3E%3Ctext%20x%3D%22400%22%20y%3D%22425%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2212%22%20fill%3D%22%23fecaca%22%3ECoding%20with%20Alex%20%C2%B7%20alexrait.blogspot.com%3C%2Ftext%3E%3C%2Fsvg%3E)
This is the closing post of our four-part tour through the 20 most-used AWS services. Parts 1, 2, and 3 covered the runtime, the state, and the connective tissue. This part covers the four services that keep a real workload safe, observable, and reproducible: IAM for identity and authorization, CloudWatch for telemetry and alarming, CloudFormation (and the CDK) for infrastructure as code, and Secrets Manager for credentials. Getting these four right is what separates a working AWS account from a maintainable one.
1. AWS IAM — Identity and Access Management
AWS IAM is the gate every API call passes through. Every action on AWS is authorized by IAM: the call carries an identity, AWS evaluates the applicable policies, and either allows or denies. Mastering IAM is mostly about understanding the policy evaluation order and the difference between the kinds of policies that exist.
The identities are users (long-lived; rare in modern accounts), roles (temporary, assumed by services or by federated humans through SSO), and the root user (the account owner; should be locked away with MFA and never used). Modern best practice is to centralize human identity in IAM Identity Center (the successor to AWS SSO) and have humans assume roles in member accounts via that, while workloads (Lambdas, ECS tasks, EC2 instances) get roles through service-specific trust policies.
%3C%2Ftext%3E%3Crect%20x%3D%2240%22%20y%3D%2290%22%20width%3D%2232%22%20height%3D%2222%22%20rx%3D%224%22%20fill%3D%22%23ef4444%22%2F%3E%3Ctext%20x%3D%2256%22%20y%3D%22106%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%23fff%22%3E2%3C%2Ftext%3E%3Ctext%20x%3D%2285%22%20y%3D%22106%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%23450a0a%22%3ESCP%20allow%20at%20OU%2Faccount%3F%3C%2Ftext%3E%3Ctext%20x%3D%22430%22%20y%3D%22106%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2212%22%20fill%3D%22%237f1d1d%22%3E%E2%86%92%20if%20no%2C%20DENY%3C%2Ftext%3E%3Crect%20x%3D%2240%22%20y%3D%22120%22%20width%3D%2232%22%20height%3D%2222%22%20rx%3D%224%22%20fill%3D%22%23ef4444%22%2F%3E%3Ctext%20x%3D%2256%22%20y%3D%22136%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%23fff%22%3E3%3C%2Ftext%3E%3Ctext%20x%3D%2285%22%20y%3D%22136%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%23450a0a%22%3EResource%20policy%20allow%3F%3C%2Ftext%3E%3Ctext%20x%3D%22430%22%20y%3D%22136%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2212%22%20fill%3D%22%237f1d1d%22%3E%E2%86%92%20cross-account%20requires%20this%3C%2Ftext%3E%3Crect%20x%3D%2240%22%20y%3D%22150%22%20width%3D%2232%22%20height%3D%2222%22%20rx%3D%224%22%20fill%3D%22%23ef4444%22%2F%3E%3Ctext%20x%3D%2256%22%20y%3D%22166%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%23fff%22%3E4%3C%2Ftext%3E%3Ctext%20x%3D%2285%22%20y%3D%22166%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%23450a0a%22%3EIdentity%20policy%20allow%3F%3C%2Ftext%3E%3Ctext%20x%3D%22430%22%20y%3D%22166%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2212%22%20fill%3D%22%237f1d1d%22%3E%E2%86%92%20attached%20to%20user%2Frole%3C%2Ftext%3E%3Crect%20x%3D%2240%22%20y%3D%22180%22%20width%3D%2232%22%20height%3D%2222%22%20rx%3D%224%22%20fill%3D%22%23ef4444%22%2F%3E%3Ctext%20x%3D%2256%22%20y%3D%22196%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%23fff%22%3E5%3C%2Ftext%3E%3Ctext%20x%3D%2285%22%20y%3D%22196%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%23450a0a%22%3EPermission%20boundary%3F%3C%2Ftext%3E%3Ctext%20x%3D%22430%22%20y%3D%22196%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2212%22%20fill%3D%22%237f1d1d%22%3E%E2%86%92%20limits%20what%20identity%20can%20do%3C%2Ftext%3E%3Crect%20x%3D%2240%22%20y%3D%22210%22%20width%3D%2232%22%20height%3D%2222%22%20rx%3D%224%22%20fill%3D%22%23ef4444%22%2F%3E%3Ctext%20x%3D%2256%22%20y%3D%22226%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%23fff%22%3E6%3C%2Ftext%3E%3Ctext%20x%3D%2285%22%20y%3D%22226%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%23450a0a%22%3ESession%20policy%3F%3C%2Ftext%3E%3Ctext%20x%3D%22430%22%20y%3D%22226%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2212%22%20fill%3D%22%237f1d1d%22%3E%E2%86%92%20when%20assuming%20with%20STS%3C%2Ftext%3E%3Crect%20x%3D%2240%22%20y%3D%22240%22%20width%3D%2232%22%20height%3D%2222%22%20rx%3D%224%22%20fill%3D%22%23ef4444%22%2F%3E%3Ctext%20x%3D%2256%22%20y%3D%22256%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%23fff%22%3E7%3C%2Ftext%3E%3Ctext%20x%3D%2285%22%20y%3D%22256%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%23450a0a%22%3EAll%20hurdles%20cleared%3C%2Ftext%3E%3Ctext%20x%3D%22430%22%20y%3D%22256%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2212%22%20fill%3D%22%237f1d1d%22%3E%E2%86%92%20ALLOW%3C%2Ftext%3E%3C%2Fsvg%3E)
The policy types you will actually write are identity policies (attached to a user, group, or role; the most common form), resource policies (attached to an S3 bucket, KMS key, SNS topic, Lambda function, or other resource), and at the org level Service Control Policies (which apply to every principal in an OU and act as a ceiling). Two helper constructs sit on top: permission boundaries (a maximum-permission ceiling for a delegated identity, used when one team needs to create roles for another), and session policies (passed at AssumeRole time to further restrict a session).
Practical IAM hygiene: scope policies to specific resources and actions instead of * whenever possible; use the IAM Access Analyzer to find unused permissions and externally accessible resources; rely on roles and STS rather than long-lived access keys; enable IAM Identity Center for humans; and keep production permissions strictly tighter than development through SCPs and account boundaries.
2. Amazon CloudWatch — Metrics, Logs, Alarms, and Traces
Amazon CloudWatch is the umbrella observability service. It has grown into four distinct sub-services that work together: Metrics (time-series data, both AWS-default and your own), Logs (a managed log aggregation and search engine), Alarms (rules on metrics or logs that fire actions), and now Application Signals with X-Ray (distributed traces tied back to metrics).
Metrics are emitted automatically by almost every AWS service. EC2 publishes CPUUtilization; Lambda publishes Invocations, Errors, Duration, Throttles; ALB publishes RequestCount and TargetResponseTime; RDS publishes DatabaseConnections and FreeableMemory. Your own application code can publish custom metrics with PutMetricData or, much more efficiently, by writing them as JSON inside CloudWatch Logs and letting the Embedded Metric Format (EMF) extract them server-side at no per-call cost.
Logs are organized into log groups (typically one per Lambda function, ECS service, or VPC Flow Log destination) and log streams. You can run CloudWatch Logs Insights queries with a simple pipe-style syntax to find the slowest requests, count errors by route, or correlate spikes. Retention is set per log group; set a sensible retention (often 30 to 180 days) because logs accumulate cost forever otherwise. For long-term analytics, ship logs to S3 via Logs subscription filter → Firehose and query them with Athena.
Alarms evaluate a metric (or composite expression) against a threshold over a sliding window and fire an action: notify an SNS topic, trigger an Auto Scaling adjustment, or invoke a Lambda. Anomaly Detection alarms learn a normal band for the metric and fire when reality drifts from it — helpful when static thresholds do not capture diurnal patterns.
3. AWS CloudFormation (and the CDK) — Infrastructure as Code
AWS CloudFormation is the foundational infrastructure-as-code service on AWS. You write a YAML or JSON template describing the resources you want — an S3 bucket, an EC2 instance, an RDS instance, a Lambda function, an IAM role — and CloudFormation creates, updates, or deletes them as a single stack. The state lives in CloudFormation itself; there is no separate state file to manage as with Terraform.
For day-to-day work most teams now reach for the AWS Cloud Development Kit (CDK), which generates CloudFormation under the hood but lets you write infrastructure in a real programming language (TypeScript, Python, Java, .NET, Go). The CDK gives you typed constructs, library reuse, IDE refactoring, and a much more compact expression for common patterns than raw YAML.
%22%2F%3E%3Cdefs%3E%3Cmarker%20id%3D%22arz%22%20markerWidth%3D%2210%22%20markerHeight%3D%2210%22%20refX%3D%228%22%20refY%3D%223%22%20orient%3D%22auto%22%3E%3Cpolygon%20points%3D%220%200%2C%2010%203%2C%200%206%22%20fill%3D%22%230284c7%22%2F%3E%3C%2Fmarker%3E%3C%2Fdefs%3E%3Crect%20x%3D%22210%22%20y%3D%2280%22%20width%3D%22140%22%20height%3D%2280%22%20rx%3D%228%22%20fill%3D%22%23fff%22%20stroke%3D%22%230284c7%22%20stroke-width%3D%222%22%2F%3E%3Ctext%20x%3D%22280%22%20y%3D%22115%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%230c4a6e%22%3ECFN%20template%3C%2Ftext%3E%3Ctext%20x%3D%22280%22%20y%3D%22138%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2210%22%20fill%3D%22%23666%22%3EYAML%20%2F%20JSON%3C%2Ftext%3E%3Cpath%20d%3D%22M350%20120%20L%20390%20120%22%20stroke%3D%22%230284c7%22%20stroke-width%3D%222%22%20marker-end%3D%22url(%23arz)%22%2F%3E%3Crect%20x%3D%22390%22%20y%3D%2280%22%20width%3D%22160%22%20height%3D%2280%22%20rx%3D%228%22%20fill%3D%22%23bae6fd%22%20stroke%3D%22%230284c7%22%20stroke-width%3D%222%22%2F%3E%3Ctext%20x%3D%22470%22%20y%3D%22115%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%230c4a6e%22%3EChange%20Set%3C%2Ftext%3E%3Ctext%20x%3D%22470%22%20y%3D%22138%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2210%22%20fill%3D%22%23666%22%3Ediff%20before%20apply%3C%2Ftext%3E%3Cpath%20d%3D%22M550%20120%20L%20590%20120%22%20stroke%3D%22%230284c7%22%20stroke-width%3D%222%22%20marker-end%3D%22url(%23arz)%22%2F%3E%3Crect%20x%3D%22590%22%20y%3D%2280%22%20width%3D%22160%22%20height%3D%2280%22%20rx%3D%228%22%20fill%3D%22%23fff%22%20stroke%3D%22%230284c7%22%20stroke-width%3D%222%22%2F%3E%3Ctext%20x%3D%22670%22%20y%3D%22115%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2213%22%20font-weight%3D%22700%22%20fill%3D%22%230c4a6e%22%3ELive%20resources%3C%2Ftext%3E%3Ctext%20x%3D%22670%22%20y%3D%22138%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2210%22%20fill%3D%22%23666%22%3Estack%20drift%20detected%3C%2Ftext%3E%3Ctext%20x%3D%22390%22%20y%3D%22200%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2212%22%20font-weight%3D%22700%22%20fill%3D%22%230c4a6e%22%3EOperational%20features%3C%2Ftext%3E%3Ctext%20x%3D%22390%22%20y%3D%22225%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2211%22%20fill%3D%22%23666%22%3ERollback%20on%20failure%20%C2%B7%20Drift%20detection%20%C2%B7%20StackSets%20across%20accounts%2Fregions%3C%2Ftext%3E%3Ctext%20x%3D%22390%22%20y%3D%22245%22%20text-anchor%3D%22middle%22%20font-family%3D%22Arial%2Csans-serif%22%20font-size%3D%2211%22%20fill%3D%22%23666%22%3ENested%20stacks%20%C2%B7%20Cross-stack%20outputs%20%C2%B7%20Hooks%20for%20compliance%20gates%3C%2Ftext%3E%3C%2Fsvg%3E)
Operational features that make CloudFormation actually pleasant: change sets show you exactly what will be created, updated, and deleted before you apply (a must for production); automatic rollback reverts a failed update; drift detection finds resources that were modified out-of-band; StackSets deploy the same stack across many accounts and regions through one operation; and nested stacks let you compose larger systems from reusable modules.
Two adjacent services are worth naming. AWS SAM (Serverless Application Model) is a CloudFormation transform that gives you very compact syntax for serverless apps (Lambda, API Gateway, DynamoDB). CodePipeline + CodeBuild + CodeDeploy are the AWS-native CI/CD stack; many teams now use GitHub Actions with OIDC into AWS instead, but the native pipeline still wins for fully air-gapped environments or AWS-native ecosystems like CodeCatalyst.
4. AWS Secrets Manager — Credentials Done Right
AWS Secrets Manager stores secret values (DB passwords, API tokens, OAuth client secrets, signing keys) encrypted at rest with KMS, accessed at runtime through an IAM-authenticated API. Three things distinguish it from a homegrown approach.
First, automatic rotation: for RDS, DocumentDB, Redshift, and any custom secret, Secrets Manager can rotate the credential on a schedule by invoking a rotation Lambda. The rotation flow uses four staging labels — AWSCURRENT, AWSPENDING, AWSPREVIOUS, AWSPENDING — that let clients pick up the new value gracefully without coordinated restarts. Second, cross-account and cross-region replication: a secret can be replicated to other regions for DR, and shared with another account via a resource policy. Third, fine-grained access via IAM and KMS key policies, with full CloudTrail logging of every retrieval.
For client code, the recommended way to retrieve a secret is through the Secrets Manager Agent or Lambda extension, which caches the value in-process and refreshes it on a schedule. This avoids hammering the API on every cold start and gives you the latest version automatically. For Lambda specifically, the AWS Parameters and Secrets Lambda Extension is a single layer that handles caching for both Secrets Manager and Systems Manager Parameter Store.
Speaking of SSM Parameter Store, it is the lighter cousin of Secrets Manager: free for the standard tier, no rotation, no replication, but perfectly fine for non-rotating configuration values, feature flags, and image identifiers. A common pattern is to use SSM for plain configuration and Secrets Manager for anything that should be rotated.
Putting the 20 Services Together
Across this four-part series we have covered 20 services that account for the bulk of real AWS workloads. A canonical production architecture combining them looks like this: Route 53 resolves the domain to CloudFront, which fronts an Application Load Balancer in two public subnets. The ALB routes requests to ECS on Fargate tasks in private subnets, which talk to Aurora PostgreSQL (Multi-AZ) for OLTP, DynamoDB for hot key-value access patterns, ElastiCache Redis for sessions and caching, and S3 for user uploads and assets. API Gateway HTTP API fronts a separate set of Lambda functions for asynchronous workloads, which read from SQS and publish to EventBridge; Step Functions orchestrates multi-step processes; SNS handles user notifications. Behind the scenes, IAM roles authenticate every workload, Secrets Manager stores rotating credentials, CloudWatch collects metrics, logs, and alarms, and the whole thing is defined and deployed by a CDK app that synthesizes CloudFormation stacks.
What You Can Skip (For Now)
If you are new to AWS the 200+ service catalog can be paralyzing. The reassuring truth is that you do not need most of it on day one. You can ignore the analytics stack (Athena, Glue, EMR, Redshift) until you actually have a data warehouse use case; ignore the ML services (SageMaker, Bedrock) unless ML is a feature; ignore the IoT stack unless you build IoT; and ignore most managed-blockchain or quantum services entirely. Start with the 20 services in this series, get them tightly wired together with IaC, IAM, and observability, and add specialized services only when a concrete need appears.
Wrapping Up the Series
The four posts together — compute & networking, storage & databases, application integration, and security/observability/DevOps — give you a working mental model for the AWS platform as it is used in 2026. The services keep evolving (more serverless options, more Graviton, more AI-native primitives), but the underlying concepts and the way the 20 core services fit together are stable. Bookmark the series, build something with it, and the rest of AWS becomes far less intimidating.
- Part 1: Compute & Networking →
- Part 2: Storage & Databases →
- Part 3: Application Integration →
- ▸ Part 4: Security, Observability & DevOps (you are reading this)