Crunch Labs · Tier II · Sub-brand · AWS · 15 weeks · intensive · GPL-3.0

Crunch AWS.

Fifteen weeks of production engineering on the largest public cloud. IAM done right before the first EC2 instance boots. EKS and Lambda co-deployed as a hybrid, not a religion. DynamoDB single-table from scratch. Event-driven backbones with EventBridge and Step Functions. Multi-AZ + cross-region by Week 13. Open-source-first. Free, forever.

15 weeks
Program length
540 hrs
Total workload
15+1
Labs + capstone
$0
Tuition · always

§ I · The Program

Engineering that happens to use AWS.

Crunch AWS is the Amazon Web Services specialization of the Code Crunch academy — a production-engineering course on the largest public cloud, built for engineers who already write code, already deploy containers, and already know what a route table is. It is not a survey of two hundred services. It is the curriculum a principal would hand a senior engineer joining their AWS shop on day one.

You design a multi-account Organization with SCPs before you launch an EC2 instance. You write IAM policies that pass a code review. You ship containers on EKS with Karpenter Spot nodes and IRSA, and Lambda functions with a CDK pipeline and OpenTelemetry traces. You model a single-table DynamoDB schema for a multi-tenant SaaS, compose an event-driven backbone in EventBridge and Step Functions, and finish with a capstone that survives an AZ failure and a cross-region failover drill. The certs are a side effect.

"Crunch AWS is not AWS certification training. It is engineering training that happens to use AWS. The certs are a side effect."— Crunch AWS, course README

§ II · Who It's For

Four engineers, one console.

Crunch AWS is opinionated about its audience. C1 (Convos) plus C15 (DevOps) is the floor: you should already write Python, already deploy containers, and already have a Terraform module library you trust.

No. 01

The Python Developer

Ships FastAPI services. Has an EC2 instance they SSH into. Wants to stop SSHing and start designing — IAM, VPCs, Lambda, EventBridge, DynamoDB single-table, CDK — and own a deployable, observable platform.

No. 02

The SRE on Cert Track

Knows Linux, k8s, Terraform. Wants depth on EKS production patterns, multi-account governance with Organizations and SCPs, permission boundaries, cross-region DR, and to walk into a SAP or DOP interview not guessing.

No. 03

The Mobile / Web Dev

Ships iOS, Android, or Next.js apps and rents a backend from Firebase or a friend. Wants to own it — Cognito, S3 + CloudFront, SNS, a Lambda-and-DynamoDB API — for about $40 a month, and to know it survives an AZ outage.

No. 04

The Mid Backend Engineer

Has "used AWS" for years. Copy-pastes IAM JSON. Does not actually understand sts:AssumeRole chains, permission boundaries, or session policies. Week 2 alone is worth the cost of admission.

§ III · Four Phases

From identity to capstone.

The arc of the program is composed in four phases — three to four weeks each — ordered on one conviction: IAM and networking before compute, single-table before serverless, observability before "more services."

Phase I · Wk. 01—03

Foundations & Identity

The AWS mental model. Accounts, Organizations, OUs, SCPs. IAM in depth — users, roles, policies, conditions, permission boundaries, AssumeRole chains. Identity Center for humans. Billing as a feature. CDK bootstrap.

Phase II · Wk. 04—07

Compute & Networking

Production VPCs with endpoints and PrivateLink. EC2 → ECS Fargate → EKS, with judgment on which one and why. S3 deep, EBS, EFS, FSx. CodePipeline, CodeBuild, CodeDeploy, ECR with blue/green and OIDC.

Phase III · Wk. 08—11

Data & AI

RDS and Aurora — provisioned, Serverless v2, Global. DynamoDB single-table from scratch. SQS, SNS, EventBridge, Step Functions, Kinesis, MSK. S3 + Glue + Athena data lake. SageMaker training and endpoints, Bedrock managed.

Phase IV · Wk. 12—15

Production & Capstone

OpenTelemetry via ADOT. KMS, GuardDuty, Security Hub, Macie, Inspector, WAF, Shield. Multi-region DR with measured RTO/RPO. FinOps with Savings Plans and Spot. Capstone build, chaos drill, postmortem, career pack.

§ IV · The Curriculum

Fifteen weeks, week by week.

Each entry corresponds to a folder in the GitHub repository with lecture notes, exercises, challenges, a quiz, homework, and a hands-on lab. Detailed acceptance criteria live in the syllabus.

01

The AWS Mental Model, Accounts & Billing

History of AWS as primitives · Region/AZ/edge topology · shared responsibility · Organizations, OUs, SCPs · root hygiene · free tier · Budgets, Cost Explorer, Cost & Usage Reports · CLI, profiles, aws sso login.

Lab 01

Multi-OU Organization + SCP deny + $5/$25/$80 budget alarms

02

IAM Done Right

Users vs roles vs groups vs policies · explicit deny wins · condition keys · permission boundaries · session policies · sts:AssumeRole chains · cross-account trust · Access Analyzer.

Lab 02

Three-account topology with Identity Center + permission boundary proof
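The Week 2 material (explicit deny wins, condition keys, permission boundaries, session policies, AssumeRole chains) comes down to one evaluation rule: SCPs, the permission boundary, the identity policy and the session policy are independent gates; an explicit Deny in any of them wins, and otherwise every gate that is present must contain a matching Allow. The following is an added example written for this page, not code from the course repository: a deliberately small evaluator that models Action/NotAction, Resource wildcards and the StringEquals, StringNotEquals and Bool operators, then runs a region-locking SCP, a boundary, an identity policy and a session policy (all constructed, with made-up bucket and tenant names) against a few requests. Resource-based policies, NotResource and the remaining condition operators are not modelled.

```python
"""Simplified IAM evaluation: SCPs, the permission boundary, the identity policy and
the session policy are independent gates. An explicit Deny in any gate wins; otherwise
every gate that is present must contain a matching Allow. Modelled here: Action /
NotAction, Resource wildcards and StringEquals / StringNotEquals / Bool conditions.
Not modelled: resource-based policies, NotResource and the other condition operators."""
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(pattern, value, fold_case):
    # IAM wildcards: '*' matches any run, '?' one character; action names are case-insensitive
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def _conditions_ok(cond, ctx):
    for op, pairs in (cond or {}).items():
        if op not in ("StringEquals", "StringNotEquals", "Bool"):
            raise ValueError(f"condition operator {op} is not modelled")
        for key, want in pairs.items():
            have, want = ctx.get(key), [str(w) for w in _as_list(want)]
            if op == "StringEquals" and (have is None or have not in want):
                return False
            if op == "StringNotEquals" and have is not None and have in want:
                return False  # a missing key satisfies a negated operator, as in IAM
            if op == "Bool" and (have is None or str(have).lower() != want[0].lower()):
                return False
    return True


def evaluate_policy(policy, action, resource, ctx):
    """Decision of one policy document: 'Deny', 'Allow' or 'Implicit' (nothing matched)."""
    decision = "Implicit"
    for st in _as_list(policy.get("Statement", [])):
        actions, not_actions = _as_list(st.get("Action", [])), _as_list(st.get("NotAction", []))
        if actions and not any(_match(a, action, True) for a in actions):
            continue
        if not_actions and any(_match(a, action, True) for a in not_actions):
            continue
        if not any(_match(r, resource, False) for r in _as_list(st.get("Resource", "*"))):
            continue
        if not _conditions_ok(st.get("Condition"), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit deny wins within the document
        decision = "Allow"
    return decision


def is_allowed(action, resource, ctx, identity, scps=(), boundary=None, session=None):
    """Combine the gates. Returns (allowed, reason) naming the first gate that blocks."""
    gates = {f"scp[{i}]": p for i, p in enumerate(scps)}  # every SCP on the account's OU path must allow
    gates["identity"] = identity
    if boundary is not None:
        gates["boundary"] = boundary
    if session is not None:
        gates["session"] = session  # passed on sts:AssumeRole; it can only narrow, never widen
    decisions = {name: evaluate_policy(p, action, resource, ctx) for name, p in gates.items()}
    denied = [name for name, d in decisions.items() if d == "Deny"]
    if denied:
        return False, f"explicit deny in {denied[0]}"
    missing = [name for name, d in decisions.items() if d != "Allow"]
    if missing:
        return False, f"no allow in {missing[0]}"
    return True, "allowed by every gate"


# Constructed sample documents (region, bucket and tenant names are made up for the example).
SCP_REGION_LOCK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "NotAction": ["iam:*", "sts:*", "organizations:*"], "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*", "logs:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::app-data/*"},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}]}
SESSION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-data/tenant-42/*"}]}
CTX_EU, CTX_US = {"aws:RequestedRegion": "eu-west-1"}, {"aws:RequestedRegion": "us-east-1"}
OBJ = "arn:aws:s3:::app-data/tenant-42/invoice.pdf"

if __name__ == "__main__":
    print(is_allowed("s3:GetObject", OBJ, CTX_EU, IDENTITY, [SCP_REGION_LOCK], BOUNDARY, SESSION))
    print(is_allowed("s3:PutObject", OBJ, CTX_EU, IDENTITY, [SCP_REGION_LOCK], BOUNDARY, SESSION))
    print(is_allowed("ec2:RunInstances", "*", CTX_EU, IDENTITY, [SCP_REGION_LOCK], BOUNDARY))
    print(is_allowed("s3:GetObject", OBJ, CTX_US, IDENTITY, [SCP_REGION_LOCK], BOUNDARY, SESSION))
```

The four sample requests show the four ways a request dies: the identity policy allows ec2:RunInstances, but the boundary never mentions EC2, so the boundary is the blocker; the session policy narrows GetObject to one tenant prefix, so PutObject is refused even though identity and boundary both allow it; and a request in the wrong region hits the SCP's explicit Deny before anything else is consulted. That is the order of questions to ask when a copy-pasted policy "should work" and does not.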

03

CDK, CloudFormation & Local Tooling

CloudFormation as substrate · CDK (TS + Python) constructs L1/L2/L3 · cdk bootstrap · CDK pipelines · drift · SAM · LocalStack, dynamodb-local, MinIO for local dev.

Lab 03

VPC + KMS-encrypted S3 + Lambda in CDK TS, then Python, then OpenTofu

04

VPC, Networking & Edge

CIDR planning · public/private/isolated subnets · NAT vs Egress-only IGW · Security Groups vs NACLs · VPC endpoints (gateway + interface) · PrivateLink · TGW · Route 53 · CloudFront · ACM · WAF · Shield.

Lab 04

Three-AZ VPC with endpoints — prove zero-NAT egress to S3 and ECR

05

Compute Spectrum: EC2 → ECS Fargate → EKS

EC2 instance families · ASG, launch templates, Spot · ECS Fargate vs EKS · managed node groups, Karpenter, Fargate profiles, IRSA, ALB Controller, External DNS, EBS CSI · AWS Batch.

Lab 05

Same FastAPI app on Fargate, on EKS with Karpenter Spot, and on Lambda — cost-vs-latency doc

06

Storage: S3, EBS, EFS, FSx

S3 storage classes · lifecycle · intelligent tiering · object lock · versioning · SRR/CRR · Object Lambda · presigned URLs · EBS gp3/io2 · EFS · FSx Lustre/Windows/ONTAP · MinIO, Ceph, JuiceFS comparators.

Lab 06

Lifecycle bucket + CRR + Object-Lambda watermark + EFS shared mount

07

CI/CD on AWS: CodeBuild, CodePipeline, CodeDeploy, ECR

CodeBuild buildspec · multi-arch linux/arm64 for Graviton · CodePipeline approvals · CodeDeploy blue/green · ECS deployment groups · Lambda traffic shifting · ECR scanning · GitHub Actions OIDC into AWS.

Lab 07

Blue/green ECS pipeline with 10% canary + auto-rollback, then OIDC replica
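The "GitHub Actions OIDC into AWS" step replaces long-lived access keys in repository secrets with a role whose trust policy checks the token's claims. The security of that step lives entirely in the Condition block, and the common failure is a trust policy that works on the first try because it is too broad. Here is an added example, not the course's own code: it builds a correctly pinned trust policy and audits a policy for the usual mistakes (missing aud, org-wide or any-ref sub). The provider host, claim names and sts:AssumeRoleWithWebIdentity are GitHub's and AWS's real ones; the account ID, org, repository and finding texts are constructed.

```python
"""GitHub Actions OIDC into AWS: build the role trust policy and audit one for the
classic mistakes. Added example; provider host, claim names and action are GitHub's
and AWS's real ones, while the account ID, org, repository and finding texts are
constructed."""

PROVIDER = "token.actions.githubusercontent.com"
ACTION = "sts:AssumeRoleWithWebIdentity"


def github_oidc_trust_policy(account_id, org, repo, ref="refs/heads/main"):
    """Trust policy pinned to one repository and one ref; no long-lived keys anywhere."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{PROVIDER}"},
        "Action": ACTION,
        "Condition": {"StringEquals": {
            f"{PROVIDER}:aud": "sts.amazonaws.com",
            f"{PROVIDER}:sub": f"repo:{org}/{repo}:ref:{ref}",
        }}}]}


def _listed(v):
    return v if isinstance(v, list) else [v]


def audit_trust_policy(policy):
    """Findings for every statement that grants AssumeRoleWithWebIdentity; an empty list is clean."""
    findings = []
    for st in _listed(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or ACTION not in _listed(st.get("Action", [])):
            continue
        federated = st.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{PROVIDER}"):
            findings.append(f"principal is not the GitHub OIDC provider: {federated!r}")
        cond = st.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        aud = equals.get(f"{PROVIDER}:aud", like.get(f"{PROVIDER}:aud"))
        if _listed(aud) != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = _listed(equals.get(f"{PROVIDER}:sub", [])) + _listed(like.get(f"{PROVIDER}:sub", []))
        if not subs:
            findings.append("no sub condition: any GitHub repository could assume this role")
        for sub in subs:
            # sub has the shape repo:ORG/REPO:<ref or environment qualifier>
            repo_part, _, ref_part = sub.removeprefix("repo:").partition(":")
            if "*" in repo_part:
                findings.append(f"sub allows any repository matching {repo_part!r}")
            if "*" in ref_part:
                findings.append(f"sub allows any ref/environment for {repo_part!r}: {ref_part!r}")
    return findings


# Constructed "works on the first try" trust policy: org-wide, any ref, aud unchecked.
WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"},
    "Action": ACTION,
    "Condition": {"StringLike": {f"{PROVIDER}:sub": "repo:example-org/*:*"}}}]}

if __name__ == "__main__":
    print(audit_trust_policy(github_oidc_trust_policy("123456789012", "example-org", "c19-platform")))
    for finding in audit_trust_policy(WEAK_TRUST_POLICY):
        print("-", finding)
```

The weak policy is worth reading slowly: `repo:example-org/*:*` lets any workflow in any repository of the org, on any branch, tag or pull request, assume the deploy role, and with no aud check a token minted for a different audience is accepted too. Pin aud, pin the repository, and pin either the ref or a protected GitHub environment.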

08

Relational: RDS, Aurora, Aurora Serverless v2

RDS vs Aurora storage · read replicas · ACU math · Performance Insights · RDS Proxy · IAM database auth · PITR · cross-region snapshots · Aurora Global Database · Patroni HA & Citus comparators.

Lab 08

Aurora Postgres writer + 2 readers, force failover, then convert to Serverless v2

09

DynamoDB & Single-Table Design

Partition + sort keys · single-table pattern · GSIs vs LSIs · sparse indexes · write-sharding for hot partitions · TTL · Streams → Lambda · transactions · on-demand vs provisioned · Global Tables · DAX.

Lab 09

Multi-tenant SaaS single-table — hot-partition stress test + sharding fix
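Lab 09's hot-partition stress test and sharding fix reduce to one key-design decision: a single tenant that bursts writes lands every item on one partition key, so the fix is to spread that tenant over N suffixed partition keys and merge on read. The following is an added example for this page, not the course's code: an in-memory dict stands in for the table (each dict key is one partition key), the entity names, shard count and order data are constructed, and the example shows both the write-side key derivation and the read-side fan-out with a Limit that stays correct after merging.

```python
"""Single-table keys for a multi-tenant SaaS, with write-sharding for a hot tenant.
Added example: an in-memory dict stands in for the table and each dict key is one
partition key, which is enough to show how writes spread across partitions and how a
sharded read fans out and merges. Entity names, shard count and order data are constructed."""
import hashlib
import heapq
from collections import defaultdict

SHARDS = 8  # shard suffixes per hot tenant (constructed choice; size it to the tenant's peak write rate)


def order_keys(tenant_id, order_id, created_at, shard_count=1):
    """PK/SK for an order item. shard_count=1 is the plain layout; larger values append a
    suffix derived from order_id, so one order always lands in the same shard and a
    GetItem by (tenant, order) stays a single read."""
    pk = f"TENANT#{tenant_id}"
    if shard_count > 1:
        pk = f"{pk}#{int(hashlib.sha256(order_id.encode()).hexdigest(), 16) % shard_count}"
    return pk, f"ORDER#{created_at}#{order_id}"


class Table:
    """Minimal stand-in for a DynamoDB table: partitions keyed by PK, items by SK."""

    def __init__(self):
        self.partitions = defaultdict(dict)

    def put(self, pk, sk, item):
        self.partitions[pk][sk] = item

    def query(self, pk, sk_prefix="", limit=None):
        # Query returns one partition key's items in sort-key order, optionally bounded by Limit
        items = sorted((sk, it) for sk, it in self.partitions.get(pk, {}).items() if sk.startswith(sk_prefix))
        return items[:limit] if limit else items


def query_tenant_orders(table, tenant_id, shard_count=1, sk_prefix="ORDER#", limit=None):
    """Read across shards: Query each shard with the same Limit, then merge by SK.
    The first `limit` items of the merged stream are the true global first `limit`,
    at the cost of reading up to shard_count * limit items."""
    pks = [f"TENANT#{tenant_id}#{s}" for s in range(shard_count)] if shard_count > 1 else [f"TENANT#{tenant_id}"]
    merged = list(heapq.merge(*(table.query(pk, sk_prefix, limit) for pk in pks)))
    return merged[:limit] if limit else merged


def partition_share(table):
    """Fraction of all items held by each partition key."""
    total = sum(len(p) for p in table.partitions.values())
    return {pk: len(p) / total for pk, p in table.partitions.items()}


def simulate(n_orders=1000, shard_count=1, tenant_id="acme"):
    """Write n_orders for one tenant: a burst on a single tenant is the classic hot partition."""
    table = Table()
    for i in range(n_orders):
        order_id = f"o{i:05d}"
        created_at = f"2024-06-01T00:{i // 60:02d}:{i % 60:02d}Z"  # constructed, monotonically increasing
        pk, sk = order_keys(tenant_id, order_id, created_at, shard_count)
        table.put(pk, sk, {"tenant": tenant_id, "order_id": order_id, "created_at": created_at})
    return table


if __name__ == "__main__":
    hot = simulate(1000, 1)
    print("unsharded, max partition share:", max(partition_share(hot).values()))
    sharded = simulate(1000, SHARDS)
    print("sharded, max partition share:", round(max(partition_share(sharded).values()), 3))
    print("first 3 orders across shards:", [sk for sk, _ in query_tenant_orders(sharded, "acme", SHARDS, limit=3)])
```

Two things the simulation makes visible that the phrase "write-sharding" does not: the suffix must be a deterministic function of something you know at read time (here the order ID), otherwise point reads turn into scans of every shard; and every list-style query now costs N reads, so shard only the tenants that need it and record the shard count per tenant rather than hard-coding it.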

10

Event-Driven: SQS, SNS, EventBridge, Step Functions, Kinesis, MSK

SQS standard vs FIFO · DLQs · SNS fan-out · EventBridge buses, archive, replay, pipes · Step Functions Standard vs Express · Kinesis shards & KCL · MSK managed Kafka · NATS & Temporal comparators.

Lab 10

API → Lambda → EventBridge → (SQS + Step Functions + Firehose) order pipeline, with DLQ replay
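The Lab 10 pipeline stands or falls on EventBridge rules: one bus, several rules, and each rule's event pattern decides which targets (SQS, Step Functions, Firehose) receive an event. The following is an added example written for this page, not the course's code. It implements the core of EventBridge's content filtering (exact values, prefix, anything-but, numeric, exists, nested keys and array-valued fields) and a small rule table that fans constructed order and payment events out to constructed target names; the real service evaluates more operators than these.

```python
"""EventBridge-style content filtering and routing. Added example: a matcher for
rule patterns (exact values, prefix, anything-but, numeric, exists, nested keys,
array-valued fields) and a rule table that fans an event out to its targets.
Rule names, target names and the sample events are constructed."""

_MISSING = object()  # sentinel for "field absent from the event"


def _is_number(v):
    return isinstance(v, (int, float)) and not isinstance(v, bool)


def _matches_value(flt, value):
    """One filter element against one scalar value."""
    if not isinstance(flt, dict):
        return value == flt  # literal: exact match
    (op, arg), = flt.items()
    if op == "prefix":
        return isinstance(value, str) and value.startswith(arg)
    if op == "anything-but":
        return value not in (arg if isinstance(arg, list) else [arg])
    if op == "numeric":  # e.g. [">", 0, "<=", 500]: pairs of operator and bound, all must hold
        if not _is_number(value):
            return False
        ops = {">": value.__gt__, ">=": value.__ge__, "<": value.__lt__, "<=": value.__le__, "=": value.__eq__}
        return all(ops[arg[i]](arg[i + 1]) for i in range(0, len(arg), 2))
    raise ValueError(f"filter {op!r} is not modelled")


def _field_matches(filters, value):
    """The filter array is an OR; an array-valued event field matches if any element does."""
    candidates = value if isinstance(value, list) else [value]
    for flt in filters:
        if isinstance(flt, dict) and "exists" in flt:
            if (value is not _MISSING) == flt["exists"]:
                return True
            continue
        if value is not _MISSING and any(_matches_value(flt, v) for v in candidates):
            return True
    return False


def matches(pattern, event):
    """Every key in the pattern must match; nested dicts recurse, lists are filter arrays."""
    for key, sub in pattern.items():
        value = event.get(key, _MISSING)
        if isinstance(sub, dict):
            if not isinstance(value, dict) or not matches(sub, value):
                return False
        elif not _field_matches(sub, value):
            return False
    return True


RULES = [  # (rule name, event pattern, target); every matching rule delivers, there is no "first wins"
    ("orders-to-fulfilment",
     {"source": ["app.orders"], "detail-type": ["OrderPlaced"], "detail": {"total": [{"numeric": [">", 0]}]}},
     "sqs:fulfilment-queue"),
    ("high-value-review",
     {"source": ["app.orders"], "detail": {"total": [{"numeric": [">=", 1000]}], "region": [{"prefix": "eu-"}]}},
     "sfn:manual-review"),
    ("failure-triage",
     {"source": [{"prefix": "app."}], "detail": {"status": [{"anything-but": ["OK", "PENDING"]}]}},
     "sqs:ops-triage"),
    ("archive-everything", {"source": [{"prefix": "app."}]}, "firehose:events-archive"),
]


def route(event, rules=RULES):
    """Targets that receive this event."""
    return [target for _, pattern, target in rules if matches(pattern, event)]


# Constructed sample events in the EventBridge envelope shape.
EVT_SMALL_ORDER = {"source": "app.orders", "detail-type": "OrderPlaced",
                   "detail": {"total": 42.5, "region": "us-east-1", "status": "OK"}}
EVT_BIG_EU_ORDER = {"source": "app.orders", "detail-type": "OrderPlaced",
                    "detail": {"total": 2500, "region": "eu-west-1", "status": "OK"}}
EVT_DECLINED = {"source": "app.payments", "detail-type": "PaymentResult",
                "detail": {"status": "DECLINED", "total": 99}}
EVT_EC2 = {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
           "detail": {"state": "running"}}

if __name__ == "__main__":
    for evt in (EVT_SMALL_ORDER, EVT_BIG_EU_ORDER, EVT_DECLINED, EVT_EC2):
        print(evt["source"], evt["detail-type"], "->", route(evt))
```

The archive rule is the one to keep in mind for the "DLQ replay" half of the lab: a catch-all pattern on the bus feeding Firehose (or EventBridge's own archive) is what makes replaying a bad hour possible, and because rules are evaluated independently, adding it changes nothing about the other routes.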

11

Data Lake & AI: S3 + Athena + Glue, OpenSearch, SageMaker, Bedrock

Glue Catalog & Crawlers · Athena partitioning & Parquet · Lake Formation row/column security · OpenSearch managed and Serverless · SageMaker training on Spot · real-time/serverless/async endpoints · Bedrock as a router.

Lab 11

Firehose → Glue → Athena (Parquet) + a SageMaker endpoint vs a Bedrock Claude Haiku call

12

Observability: CloudWatch, X-Ray, OpenTelemetry, ADOT

Log groups, Logs Insights, embedded metric format · composite & anomaly alarms · Synthetics canaries · RUM · X-Ray service maps · ADOT collector on EKS & Lambda · Container Insights · burn-rate alarms on a 99.9% SLO.

Lab 12

Add OpenTelemetry to the Week-10 pipeline + burn-rate alarm fires on synthetic outage
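"Burn-rate alarms on a 99.9 % SLO" (and the capstone's 1-hour / 6-hour pairing) is a small piece of arithmetic that is easy to get wrong in a CloudWatch metric-math expression. An added example, not the course's own code, carrying that arithmetic through: the burn rate is the observed error ratio divided by the error budget (1 minus the SLO), the threshold for a window is the rate at which that window would spend a chosen fraction of a 30-day budget, and an alarm fires only when both the long and the short window exceed it. The 30-day period, the 2 % / 5 % budget fractions, the window pairs and the metric snapshots are constructed assumptions, not course settings.

```python
"""Multi-window burn-rate alerting on a 99.9 % availability SLO. Added example: the
threshold arithmetic and the two-window rule, run over constructed metric snapshots.
The 30-day period, the 2 % / 5 % budget fractions and the window pairs are assumptions."""

SLO = 0.999
ERROR_BUDGET = 1 - SLO            # fraction of requests allowed to fail over the period
PERIOD_HOURS = 30 * 24
WINDOW_HOURS = {"5m": 5 / 60, "30m": 0.5, "1h": 1.0, "6h": 6.0}

# (alert name, long window, short window, fraction of the period's budget the long window may burn)
ALERTS = [
    ("page", "1h", "5m", 0.02),
    ("ticket", "6h", "30m", 0.05),
]


def burn_rate(errors, total):
    """How many times faster than 'exactly on budget' the error budget is being spent."""
    if total == 0:
        return 0.0
    return (errors / total) / ERROR_BUDGET


def threshold_for(long_window, budget_fraction):
    """Burn rate at which budget_fraction of the period's budget is gone within long_window."""
    return budget_fraction * PERIOD_HOURS / WINDOW_HOURS[long_window]


def evaluate(snapshot):
    """snapshot: {window: (errors, total)} for every window in WINDOW_HOURS.
    An alert fires only when both its long and short window exceed the threshold: the
    long window gives statistical weight, the short one lets the alert clear once the
    incident is over instead of paging for the rest of the hour."""
    fired = []
    for name, long_w, short_w, fraction in ALERTS:
        thr = threshold_for(long_w, fraction)
        long_br, short_br = burn_rate(*snapshot[long_w]), burn_rate(*snapshot[short_w])
        if long_br >= thr and short_br >= thr:
            fired.append({"alert": name, "threshold": round(thr, 2),
                          long_w: round(long_br, 2), short_w: round(short_br, 2)})
    return fired


# Constructed snapshots for a service doing 2 requests/s: (errors, total) per window.
SNAP_OUTAGE = {"5m": (600, 600), "30m": (600, 3600), "1h": (600, 7200), "6h": (600, 43200)}      # 5 min into a total outage
SNAP_RECOVERED = {"5m": (0, 600), "30m": (0, 3600), "1h": (600, 7200), "6h": (600, 43200)}       # same outage, over 30 min ago
SNAP_SLOW_BURN = {"5m": (5, 600), "30m": (30, 3600), "1h": (60, 7200), "6h": (360, 43200)}      # steady 0.83 % errors

if __name__ == "__main__":
    for label, snap in (("outage", SNAP_OUTAGE), ("recovered", SNAP_RECOVERED), ("slow burn", SNAP_SLOW_BURN)):
        print(label, "->", evaluate(snap))
```

The three snapshots are the three cases the alarm design has to get right: a hard outage pages within minutes (1h burn rate 83 against a threshold of 14.4), the same outage stops paging once the 5-minute window is clean even though the 1-hour window is still red, and a 0.83 % error rate that would quietly exhaust the monthly budget in under four days raises a ticket without paging anyone.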

13

Security Stack & Multi-Region DR — Capstone build begins

KMS CMKs · key policies vs grants · multi-region keys · Secrets Manager vs SSM · GuardDuty · Security Hub · Macie · Inspector · Network Firewall · WAF managed rules · Shield Advanced · ACM Private CA · Aurora Global · DynamoDB Global Tables · Route 53 failover.

Lab 13

Org-wide GuardDuty + DynamoDB Global Tables + Aurora cross-region + manual failover

14

FinOps, Edge & Capstone build continues

Savings Plans vs RIs · Spot interruption handling · Compute Optimizer · Graviton arm64 savings · Cost & Usage Report → Athena → QuickSight · anomaly detection · tag-based allocation · CloudFront Functions vs Lambda@Edge · origin failover.

Lab 14

CloudFront + WAF + Lambda@Edge tenant routing, plus a QuickSight cost dashboard

15

Capstone Defense, Chaos Drill & Career Pack

Chaos drill — AZ failover, DynamoDB throttle, Lambda concurrency exhaustion, NAT saturation, CloudFront origin failure · blameless postmortem · SAP/DOP cert-prep mapping · system-design interview drills (FAANG & AWS-shop variants).

Capstone

Event-Driven SaaS Backbone — 30-min oral defense + 10-min public walkthrough

§ V · The Toolchain

Vendor-aware, not vendor-loyal.

Every AWS-native primitive below is shadowed by its open-source equivalent. You will leave knowing which trade-off you took, and why.

Containers
EKS · Karpenter · IRSA
k8s done the AWS way
Serverless
Lambda · Powertools
cold-start budgets, layers
Database
DynamoDB · single-table
Streams + Global Tables
Storage
S3 · lifecycle · CRR
treat it like a database
Events
EventBridge · pipes
archive & replay spine
Orchestration
Step Functions · Express
workflows that survive
IaC
CDK · CloudFormation
TypeScript + Python
ML
SageMaker · Bedrock
train, deploy, route
Tracing
OpenTelemetry · ADOT
vendor-neutral instrumentation
Monitoring
CloudWatch · X-Ray
logs, metrics, traces, alarms
Crypto
KMS · Secrets Manager
envelope encryption, rotation
Edge
WAF · Shield · CloudFront
L7 defense + edge logic

§ VI · Skills You Will Carry

What you walk away with.

By the end of Week 15, you are able to do each of the following — credibly, in a real design review, in front of a senior reviewer.

  • Design a multi-account AWS Organization with SCPs, OUs, dev/stage/prod isolation, and Identity Center for human access.
  • Write IAM policies that pass a code review — least-privilege, conditions, permission boundaries, AssumeRole chains.
  • Build production VPCs: multi-AZ subnets, NAT strategy, TGW hub-and-spoke, PrivateLink, VPC endpoints, SG vs NACL.
  • Run EKS in production with IRSA, Karpenter Spot autoscaling, ALB ingress, Container Insights, blue/green rollouts.
  • Design DynamoDB single-table schemas with GSIs, sparse indexes, write-sharding, Streams fan-out, and real cost math.
  • Compose event-driven systems with EventBridge, SQS, SNS, Step Functions Express/Standard, Kinesis, and MSK.
  • Ship serverless properly — concurrency, cold-start budgets, Powertools, Lambda@Edge, and a SAM/CDK pipeline.
  • Run AWS as code with CDK (TypeScript + Python), drift detection, OpenTofu for cross-cloud, and CodePipeline delivery.
  • Observe a system end-to-end with CloudWatch, X-Ray, OpenTelemetry via ADOT, Synthetics, and a cost-aware metric budget.
  • Harden production: KMS rotation, Secrets Manager, GuardDuty, Security Hub, Macie, Inspector, WAF, Shield, Network Firewall.
  • Plan multi-region DR with Aurora Global, DynamoDB Global Tables, Route 53 failover, S3 CRR, and proven RTO/RPO.
  • Apply FinOps — Savings Plans, Spot, Compute Optimizer, anomaly detection, per-team unit-economics dashboards.
  • Train, deploy, and route to a SageMaker real-time endpoint, then defend it against a Bedrock managed alternative.
  • Run a real chaos drill — AZ failover, hot-partition throttle, Lambda concurrency exhaustion — and write the postmortem.
  • Write a production runbook another on-call engineer can read at 3 AM.
  • Walk into a SAP, DOP, or AWS-shop system-design interview and not be guessing.

§ VII · The Capstone

One backbone. Shipped, signed, observed.

Weeks 13 through 15 are reserved for a single substantial system — the kind a real product team would scope across a quarter. Architecture diagrams, live deploy, video walkthrough, chaos-drill postmortem.

Capstone Brief

Event-Driven SaaS Backbone

Build a hybrid event-driven backbone: EKS with Karpenter Spot for the long-running tier, Lambda + Step Functions for the event-handler tier, ECS Fargate for one stateful sidecar — all behind a single CloudFront distribution. EventBridge as the spine, with SQS for retry, Kinesis Firehose to S3, DynamoDB single-table for transactional state, Aurora Postgres (multi-AZ + cross-region) for analytics, and a SageMaker real-time endpoint for inference. CDK IaC, OpenTelemetry tracing, multi-AZ + cross-region from day one. All tiers come from your code.

  • CDK monorepo (TypeScript primary, one stack in Python) deploying the entire system with cdk deploy --all, plus GitHub Actions OIDC.
  • DynamoDB single-table with Streams → Lambda fan-out, plus Aurora Postgres with a cross-region read replica.
  • SageMaker real-time endpoint called from Lambda, with a parallel Bedrock-Claude call benchmarked for cost & latency.
  • OpenTelemetry via ADOT to X-Ray and CloudWatch, with a 99.9% SLO and a 1-hour / 6-hour burn-rate alarm.
  • Multi-region DR with DynamoDB Global Tables, Aurora cross-region read replica, S3 CRR, and Route 53 health-checked failover. RTO and RPO documented and proven.
  • Chaos drill: AZ failover, DynamoDB hot-partition throttle, Lambda concurrency exhaustion, plus one of your choice — blameless postmortem with action items.
  • A 10-minute public video walkthrough, a runbook another engineer can read at 3 AM, and a tagged dollar-number cost report for one week of operation.

§ VIII · Getting Started

Three commands. Then begin.

The setup is intentionally lightweight. If you have a laptop, a terminal, and an AWS account you control, you can begin Week 1 today. The first two weeks fit inside the free tier, and most of Weeks 1 to 7 does; the EKS burst in Phase II is where real charges start.

# 1. Clone the curriculum repository
git clone https://github.com/CODE-CRUNCH-WORLDWIDE/C19-CRUNCH-AWS.git
cd C19-CRUNCH-AWS

# 2. Configure AWS (SSO recommended; static keys discouraged)
aws configure sso                                       # Identity Center — preferred
aws configure --profile c19-dev                          # static keys — sandbox only

# 3. Optional — run locally with LocalStack to keep the bill at $0
docker run -p 4566:4566 localstack/localstack            # S3, DynamoDB, Lambda, SQS, SNS, Step Functions

# 4. Open Week 1 README and begin
$EDITOR curriculum/week-01-foundations/README.md

Worried about the bill? The entire course runs against LocalStack + MinIO + dynamodb-local + KinD for $0 — see the README for the LocalStack-only path. One caveat: LocalStack Community does not enforce IAM policies, so the Week 2 permission-boundary proof only proves anything against a real sandbox account.

§ IX · Frequently Asked

Questions, anticipated.

What will it cost to run?

Designed for under $80 total if you follow the rules. Weeks 1–7 fit inside the free tier for most services. EKS work is concentrated into a two-week burst with a nightly cdk destroy. We use Spot on every stateless worker (60–85% savings), VPC endpoints to avoid the silent NAT Gateway bill, and configure $5 / $25 / $80 Budget alarms in Week 1. If cost is a hard blocker, the entire course can run against LocalStack + MinIO + dynamodb-local + KinD for $0.

§ X · Begin

Fifteen weeks from now,
you will have shipped a backbone.

Open the repository. Read Week 1. The console is yours.