AWS has over 200 services. The breadth is overwhelming at first — but in practice, most workloads are built on a small core of services you'll use constantly. This post covers the mental model and the services that matter most when you're getting started.

The right mental model

AWS is a collection of building blocks. The skill isn't memorizing every service — it's knowing which building block fits which problem, and how they connect. Every service has a responsibility, a set of IAM actions that decide which principals may call it, and a billing model. Start from those three things for any new service you encounter.

Core services — the ones you'll use every day

These are the services that underpin almost every AWS architecture:

  • IAM — identity and access management. Users, roles, policies. Nothing in AWS works without IAM, so learn it first and learn it well.
  • VPC — your private network in AWS. Subnets, route tables, security groups, internet and NAT gateways. EC2 instances, RDS databases and almost every other compute resource live in a VPC; Lambda functions can, but by default run on AWS-managed networking outside one.
  • EC2 — virtual machines. The original AWS service. Still the right choice for workloads that need full OS control or aren't container-friendly.
  • S3 — object storage. Practically unlimited capacity, very high durability, cheap. Used as a foundation by many other AWS services. New buckets are private by default; leave Block Public Access enabled unless you deliberately intend to serve public objects, since accidentally public buckets are the classic S3 incident.
  • RDS — managed relational databases (Postgres, MySQL, Aurora, and others). Handles patching, backups, and, when you enable it, Multi-AZ failover.
  • Lambda — serverless functions. Run code without managing servers. Event-driven, scales automatically, billed per request plus execution time (GB-seconds), with nothing charged for idle capacity.
  • CloudWatch — metrics, logs, and alarms. The observability backbone: most AWS services publish metrics here by default, and your own application logs and alarms go here too.

Account structure matters early

A common mistake: putting everything in a single AWS account. In any real organization, you want multiple accounts from the start:

  • Management account — billing and organization-level controls only (account creation, SCPs). No workloads, and as few human principals as possible, because anything that can act here can act on every member account.
  • Dev account — sandboxes and development environments.
  • Staging account — pre-production, mirrors prod configuration.
  • Production account — blast radius isolation from everything else.

AWS Organizations and Control Tower handle this structure; Control Tower also provisions dedicated Log Archive and Audit accounts so that CloudTrail logs and security tooling live outside the accounts they monitor. It's worth setting up properly at the start — retrofitting account separation onto an existing single-account setup is painful.

IAM fundamentals

IAM is the most important service to understand. The core concepts:

# The IAM policy evaluation model:
# 1. Default DENY — everything is denied unless explicitly allowed
# 2. Explicit ALLOW — a policy grants access to specific actions/resources
# 3. Explicit DENY — always wins, overrides any allow, no matter where it
#    comes from (identity policy, resource policy, permissions boundary or SCP)
# An SCP or permissions boundary that merely fails to allow an action also
# blocks it: they bound what identity policies can grant, they never grant.

# Minimal S3 read policy example
# (ListBucket is a bucket-level action, GetObject an object-level one,
#  so each gets the resource ARN it actually applies to)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListTheBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket"
    },
    {
      "Sid": "ReadObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

The principle of least privilege: grant only the permissions a resource actually needs. For EC2 instances and Lambda functions, always use IAM roles rather than long-lived access keys: the role's temporary credentials rotate automatically and never need to be stored on disk. On EC2, also require IMDSv2 (HttpTokens=required), so that an SSRF bug in your application or an unprivileged local process can't simply fetch the role's credentials from the instance metadata endpoint.
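The evaluation rules above are easy to state and easy to get wrong in your head, so here is a small evaluator that applies them to the S3 policy from this section plus an organization-level SCP. This is an added illustration written for this page, not AWS's evaluator or any AWS library: it models identity-based policies and SCPs only, and leaves out resource policies, permissions boundaries, session policies, NotAction/NotResource and Condition blocks. The policies, bucket name and account ID in it are constructed.

```python
"""Toy model of the IAM policy evaluation logic described above.

Added example, not AWS code and not from the original post. It models only
identity-based policies plus SCPs; resource policies, permissions boundaries,
session policies, NotAction/NotResource and Condition blocks are left out.
"""
import fnmatch

# Constructed sample documents, not policies taken from a real account.
IDENTITY_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
        {"Effect": "Deny",                       # carve-out inside the allowed prefix
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my-bucket/secrets/*"},
        {"Effect": "Allow", "Action": "organizations:*", "Resource": "*"},
    ],
}]

# Constructed SCPs on the member account: the usual allow-everything baseline
# plus a guardrail that stops the account from leaving the organization.
SCPS = [
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Deny",
                    "Action": "organizations:LeaveOrganization",
                    "Resource": "*"}]},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource):
    """True when the statement's Action and Resource both cover the request.

    IAM action names are case-insensitive and accept '*' and '?' wildcards;
    resource ARNs are matched case-sensitively here.
    """
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    resources = _as_list(stmt.get("Resource", "*"))
    return any(fnmatch.fnmatchcase(resource, r) for r in resources)


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one set of policies."""
    decision = "ImplicitDeny"            # rule 1: default deny
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"            # rule 3: explicit deny always wins
            decision = "Allow"           # rule 2: explicit allow
    return decision


def is_allowed(action, resource, identity_policies, scps):
    """Final decision for a request made from a member account.

    SCPs never grant anything; they bound what identity policies may grant,
    so the request needs an Allow in both sets and a Deny in neither.
    """
    return (evaluate(scps, action, resource) == "Allow"
            and evaluate(identity_policies, action, resource) == "Allow")


if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::my-bucket/public/readme.txt"),
        ("s3:GetObject", "arn:aws:s3:::my-bucket/secrets/db-password"),
        ("s3:PutObject", "arn:aws:s3:::my-bucket/public/readme.txt"),
        ("organizations:DescribeOrganization", "*"),
        ("organizations:LeaveOrganization", "*"),
    ]:
        verdict = "ALLOW" if is_allowed(action, resource, IDENTITY_POLICIES, SCPS) else "DENY"
        print(f"{verdict:5} {action} {resource}")
```

Two things the output makes concrete: the Deny on my-bucket/secrets/* blocks GetObject there even though the broader Allow also matches, and organizations:LeaveOrganization is refused by the SCP although the identity policy allows organizations:*. Conversely, the SCP's Allow on * grants nothing by itself: ec2:RunInstances is still denied because no identity policy allows it.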

The AWS CLI

Get comfortable with the CLI early. The console is good for exploration; the CLI is what you use for automation, debugging, and anything you want to repeat reliably.

# Configure credentials
aws configure

# Verify which principal and account your credentials resolve to
aws sts get-caller-identity

# List S3 buckets
aws s3 ls

# Describe EC2 instances in a region
aws ec2 describe-instances --region us-east-1 --output table

Learn the --query flag for JMESPath filtering and --output json/table/text for different output formats. These two flags alone cover most CLI-based debugging needs.
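As an example of the "repeat it reliably" kind of CLI work, here is a small audit over the JSON that aws ec2 describe-instances returns, flagging instances that still accept IMDSv1 (the metadata setting discussed in the IAM section) and instances with a public IPv4 address. This is an added example written for this page, not code from the original post or from AWS; the document embedded in it is a hand-constructed sample that mirrors the real output shape, trimmed to the fields the checks read, and the instance IDs, account ID and addresses in it are made up.

```python
"""Audit the JSON that `aws ec2 describe-instances --output json` returns.

Added example, not part of the original post. The checks are the editor's
own and SAMPLE is a constructed document that mirrors the real output shape,
trimmed to the fields used here. Against a live account:

    aws ec2 describe-instances --region us-east-1 --output json | python3 audit_instances.py
"""
import json
import sys

SAMPLE = {  # constructed, not captured from a real account
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaa000000000001",
             "PublicIpAddress": "203.0.113.10",
             "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"},
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
             "Tags": [{"Key": "Name", "Value": "web-1"}]},
            {"InstanceId": "i-0aaaa000000000002",
             "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/worker"},
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"},
             "Tags": [{"Key": "Name", "Value": "worker-1"}]},
        ]},
        {"Instances": [
            {"InstanceId": "i-0aaaa000000000003",
             "PublicIpAddress": "203.0.113.11",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        ]},
    ]
}


def name_of(instance):
    """The Name tag if present, else the instance ID."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag["Value"]
    return instance["InstanceId"]


def audit_instances(doc):
    """Return {instance_id: [finding, ...]} for instances with at least one finding."""
    findings = {}
    for reservation in doc.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            issues = []
            md = inst.get("MetadataOptions", {})
            # HttpTokens == "required" is IMDSv2-only; "optional" still serves IMDSv1.
            imdsv1 = md.get("HttpEndpoint") == "enabled" and md.get("HttpTokens") != "required"
            if imdsv1 and "IamInstanceProfile" in inst:
                issues.append("IMDSv1 allowed with a role attached: credentials "
                              "reachable via SSRF or any local process")
            elif imdsv1:
                issues.append("IMDSv1 allowed (no role attached, lower impact)")
            if "PublicIpAddress" in inst:
                issues.append(f"public IPv4 address {inst['PublicIpAddress']}")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def main():
    # Read describe-instances JSON from a pipe; fall back to SAMPLE when run interactively.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    by_id = {i["InstanceId"]: i
             for r in doc.get("Reservations", []) for i in r.get("Instances", [])}
    report = audit_instances(doc)
    for instance_id, issues in report.items():
        print(f"{instance_id} ({name_of(by_id[instance_id])})")
        for issue in issues:
            print(f"  - {issue}")
    if not report:
        print("no findings")


if __name__ == "__main__":
    main()
```

The same IMDSv1 check can be done in one line with the --query flag, since JMESPath filters run client-side on the response: aws ec2 describe-instances --query "Reservations[].Instances[?MetadataOptions.HttpTokens!='required'].[InstanceId,PublicIpAddress]" --output table. The fix for a flagged instance is aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required, which is the kind of repeatable, scriptable action the CLI is for.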

What to learn next

Once you're comfortable with the core services, the natural progressions are:

  • Networking depth — VPC peering, Transit Gateway, PrivateLink, VPN/Direct Connect
  • Containers — ECS Fargate is the easiest on-ramp; EKS if you need Kubernetes
  • Infrastructure as Code — Terraform or CloudFormation to manage resources reproducibly
  • Data services — Kinesis, Glue, Athena, Redshift for data engineering workloads
  • Certifications — the AWS Solutions Architect Associate is the best structured learning path for cloud fundamentals

Wrapping up

AWS is learnable. Start with IAM, VPC, EC2, S3, and RDS — understand each one deeply before moving on. Get the multi-account structure right early. Learn the CLI. The rest of the 200+ services are specializations built on this foundation, and they'll make a lot more sense once the fundamentals are solid.