AWS Resource Hierarchy
9 min read · Updated 2026-04-25
AWS has hundreds of services. Understanding how they compose is the difference between effective architects and people who randomly click around the console. This lesson is a working tour, organized by functional category: what each service is, what it composes with, and how a typical SaaS uses it.
Foundation: Organizations & Accounts
AWS Organization
Top-level container for multiple accounts. Centralized billing, policy inheritance, hierarchical management.
Organizational Unit (OU)
Groups accounts within an Org for management. Common: Production OU, Development OU, Sandbox OU.
AWS Account
Primary boundary for billing and security. Multiple accounts give strong isolation between environments, business units, or customers: a misconfigured policy or leaked credential in one account reaches another only through a cross-account role you explicitly created.
Service Control Policies (SCPs)
Organization-level guardrails attached to the root, an OU, or an account. They set the maximum permissions any principal in the affected accounts can have (they grant nothing on their own), so even an account's admin role can't exceed them. Not to be confused with IAM permissions boundaries, which are per-principal. Two caveats: SCPs do not apply to the management account, and they do not restrict service-linked roles.
A typical multi-account setup:
AWS Organization
├── Management Account (billing, IAM Identity Center)
├── Security OU
│   ├── Audit Account
│   └── Log Archive Account
├── Production OU
│   ├── Workload-A-Prod
│   └── Workload-B-Prod
└── Development OU
    ├── Workload-A-Dev
    └── Sandbox
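To make the "admins can't exceed SCPs" rule concrete, here is an added Python model of the evaluation order. It is not AWS code and not the IAM policy simulator; the policies, Sids and OU paths are constructed for this lesson. It treats each level of the root, OU, account path as a separate gate that must Allow the action, applies explicit Deny first, and skips the SCP gates for the management account:

```python
"""Toy model of how SCPs cap identity-based permissions.

Added example for this lesson, not AWS code and not the IAM policy simulator.
It models only action matching and the documented rule order: an explicit
Deny anywhere wins, every SCP level along the root -> OU -> account path must
Allow the action, and then an identity policy must Allow it. Resources,
conditions, resource policies and permissions boundaries are left out.
"""
from fnmatch import fnmatchcase


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports "*" and "?" wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _effects(policies, action):
    """Set of Effect values ({'Allow', 'Deny'}) from statements matching `action`."""
    effects = set()
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if any(_matches(a, action) for a in actions):
                effects.add(stmt["Effect"])
    return effects


def is_allowed(action, identity_policies, scp_path, management_account=False):
    """True if a principal holding `identity_policies`, in an account whose SCP
    inheritance path is `scp_path` (a list of policy lists, root first), may
    call `action`."""
    identity = _effects(identity_policies, action)
    if "Deny" in identity:
        return False
    if not management_account:          # SCPs never restrict the management account
        for level in scp_path:
            level_effects = _effects(level, action)
            if "Deny" in level_effects or "Allow" not in level_effects:
                return False            # no Allow at a level is an implicit deny
    return "Allow" in identity


def blocked_actions(actions, identity_policies, scp_path):
    """Which of `actions` the principal cannot perform once SCPs are applied."""
    return sorted(a for a in actions if not is_allowed(a, identity_policies, scp_path))


# ---- Constructed sample policies (illustrative; the Sids are made up) ----
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Default SCP AWS attaches to every root and OU.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Guardrails attached to the Production OU: nobody in those accounts,
# including account admins, can silence CloudTrail or leave the Organization.
PROD_GUARDRAILS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ProtectTrail", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail"], "Resource": "*"},
    {"Sid": "StayInOrg", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"},
]}

# Sandbox OU replaces FullAWSAccess with an allow-list: only these services exist there.
SANDBOX_ALLOWLIST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudwatch:*"], "Resource": "*"},
]}

PROD_PATH = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, PROD_GUARDRAILS]]   # root, Production OU
SANDBOX_PATH = [[FULL_AWS_ACCESS], [SANDBOX_ALLOWLIST]]               # root, Sandbox OU

if __name__ == "__main__":
    probes = ["s3:PutObject", "CloudTrail:StopLogging", "iam:CreateUser", "ec2:RunInstances"]
    print("Production admin, blocked by SCPs:", blocked_actions(probes, [ADMIN], PROD_PATH))
    print("Sandbox admin, blocked by SCPs:   ", blocked_actions(probes, [ADMIN], SANDBOX_PATH))
    print("Management account, StopLogging allowed:",
          is_allowed("cloudtrail:StopLogging", [ADMIN], PROD_PATH, management_account=True))
```

Run it and the Production admin loses only the guarded actions, the Sandbox admin is cut down to the allow-listed services, and the same policies evaluated as the management account let everything through, which is the practical reason that account should hold no workloads and almost no human users.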
Regional Infrastructure
Region
Geographic location (us-east-1, eu-west-1). Most resources are regional. Choice affects latency, cost, compliance, service availability.
Availability Zone (AZ)
One or more isolated data centers within a region (regions typically have 3-6 AZs). Span AZs for HA; single-AZ deployments are fragile.
VPC
Virtual Private Cloud. Isolated network within a region. CIDR block, subnets, route tables, security groups.
Subnet
Subdivision of a VPC. Lives in one AZ. Public (internet-accessible) or private.
This was covered in detail in Network in AWS. The hierarchy is shared across all the services below.
Compute
EC2
Virtual machines
Full Linux/Windows servers. Instance types optimized for compute, memory, storage, GPU, network. Most flexible; most operational overhead.
ECS / EKS
Containers
ECS = AWS-native container orchestration. EKS = managed Kubernetes. Run on EC2 (you manage scaling) or Fargate (serverless containers).
Lambda
Functions
Serverless functions, event-triggered, pay per execution. 15-minute max runtime. Cold start latency. Best for spiky / event-driven workloads.
Batch / Step Functions
Orchestrated workloads
Batch = job queue + worker fleet for compute-heavy jobs. Step Functions = visual state-machine orchestration across services.
Storage
S3
Object storage. Durable, scalable, eleven 9s of durability. Storage classes (Standard, IA, Glacier) for cost optimization. The default for unstructured data.
EBS
Block storage. Attached to EC2 instances like a hard drive. SSD (gp3, io2) or magnetic. Backed up by snapshots, which AWS stores in S3 (they never appear as objects in your own buckets).
EFS
Network file system. POSIX-compliant. Mountable from many EC2 instances or Lambda. For shared file storage.
Databases
RDS
Managed relational. Postgres, MySQL, MariaDB, Oracle, SQL Server. Multi-AZ for HA. Read replicas. Automated backups.
Aurora
AWS-built Postgres / MySQL with separated compute/storage. 5x throughput of MySQL, 3x of Postgres. Up to 15 read replicas. Serverless option (Aurora Serverless v2).
DynamoDB
Managed key-value / document. Single-digit ms latency at any scale. Pay-per-request or provisioned capacity. Global tables for multi-region.
ElastiCache
Managed Redis or Memcached. In-memory cache. Cluster mode for sharding. Used for sessions, caching, real-time leaderboards.
Redshift
Managed columnar data warehouse. Analytical queries on TB-PB datasets. Decoupled compute and storage in newer generation.
Neptune
Managed graph database. Property graph (Gremlin) and RDF (SPARQL). For relationship-heavy data: fraud detection, knowledge graphs, social networks.
Networking
ALB / NLB / CLB
Application Load Balancer (Layer 7), Network Load Balancer (Layer 4), Classic (legacy). Almost everyone uses ALB.
API Gateway
Managed API gateway for REST and HTTP APIs. WebSocket support. Tightly integrated with Lambda.
CloudFront
CDN. 400+ edge locations globally. Origin can be S3, EC2, ALB, or any HTTP endpoint. Lambda@Edge for edge compute.
Route 53
DNS service. Health checks, geographic routing, latency-based routing, weighted records. Domain registration too.
Transit Gateway
Hub-and-spoke connectivity for many VPCs. Replaces complex VPC peering meshes.
PrivateLink
Expose a service privately to other VPCs without public IPs or peering.
Identity & Security
IAM
Identity and Access Management. Users, groups, roles, policies. Roles for service-to-service auth (no long-lived credentials).
KMS
Key Management Service. Managed encryption keys that are generated and used inside FIPS-validated HSMs and never leave them in plaintext; CloudHSM is a separate single-tenant HSM service that can back a KMS custom key store. Used by S3, RDS, EBS for encryption-at-rest. Key policies are a second authorization layer on top of IAM, so a KMS key can deny a principal that IAM would otherwise allow.
WAF / Shield
Web Application Firewall (Layer 7 filtering). Shield = DDoS protection. Both integrate with ALB, CloudFront, API Gateway.
Secrets Manager / SSM Parameter Store
Secret storage. Parameter Store holds config, including encrypted SecureString values, but has no built-in rotation; Secrets Manager stores credentials with rotation policies (Lambda-driven, with native rotation for RDS, Redshift and DocumentDB). Both retrieve via IAM-authorized API calls, so applications fetch secrets at runtime instead of baking them into images or environment files.
Cognito
User pools for app authentication. OAuth 2.0 / OIDC. Federation with Google, Facebook, SAML, OIDC providers.
Certificate Manager
Free public TLS certs, auto-renewal. Private CA also available.
Messaging & Events
SQS
Managed queue. Standard (high throughput, at-least-once, best-effort ordering) or FIFO (ordered, exactly-once processing via message deduplication within a 5-minute window). Dead-letter queues built in.
SNS
Managed pub/sub. Topics, multiple subscribers (SQS, Lambda, HTTP). Fan-out pattern.
Kinesis
Managed streams. Data Streams (Kafka-like), Firehose (delivery to S3/Redshift), Analytics. For real-time data ingestion.
EventBridge
Managed event bus. Source apps publish events; rules route to targets. Schema registry, archive, replay.
MSK
Managed Kafka. Same Kafka API; AWS handles cluster operations. The right call when you need Kafka semantics specifically.
Observability
CloudWatch
Metrics, logs, alarms, dashboards. The default for any AWS service. Custom metrics from your apps too.
X-Ray
Distributed tracing. Built-in tracing toggle for Lambda and API Gateway; on ECS and EC2 you add the SDK (or OpenTelemetry) plus the X-Ray daemon or sidecar. Service map visualizes request flow.
CloudTrail
API audit log. Management-plane calls against AWS APIs are recorded by default (90 days of event history per region even without a trail); data events such as S3 object reads and Lambda invocations must be enabled explicitly on a trail and are billed separately. Critical for security forensics and compliance, which is why an organization trail should deliver to a Log Archive account that workload accounts cannot write to or disable.
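Because CloudTrail is the record you reconstruct incidents from, it is also the first thing an attacker with admin rights silences. The following added Python example (not AWS tooling; the records are hand-constructed in CloudTrail's event format, using a documentation account number and IP) triages one log file for a root console login, trail tampering, an access key minted for another user, and bursts of authorization failures, which usually mean a stolen credential is enumerating what it can do:

```python
"""Triage a CloudTrail log file for a few high-signal events.

Added example for this lesson; not AWS tooling. Record fields follow the
CloudTrail event format (eventSource, eventName, userIdentity, errorCode,
requestParameters, responseElements). The sample log below is constructed
by hand for this example, not captured from a real account.
"""
import json
from collections import Counter

# Management calls that silence or weaken the trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# Authorization-failure error codes as CloudTrail records them (EC2 uses its own form).
AUTHZ_FAILURES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}


def principal(record):
    return record.get("userIdentity", {}).get("arn", "<unknown>")


def classify(record):
    """Return a finding label for one record, or None if it is uninteresting."""
    name = record.get("eventName", "")
    source = record.get("eventSource", "")
    identity = record.get("userIdentity", {})
    if name == "ConsoleLogin" and identity.get("type") == "Root":
        if record.get("responseElements", {}).get("ConsoleLogin") == "Success":
            return "root-console-login"
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        return "trail-tampering"
    if source == "iam.amazonaws.com" and name == "CreateAccessKey":
        # requestParameters.userName is absent when a user mints a key for itself.
        target = record.get("requestParameters", {}).get("userName")
        if target and target != identity.get("userName"):
            return "access-key-minted-for-another-user"
    return None


def scan(records, burst_threshold=3):
    """Per-record findings plus per-principal bursts of authorization failures."""
    findings = []
    denied = Counter()
    for rec in records:
        label = classify(rec)
        if label:
            findings.append((label, principal(rec), rec.get("eventName")))
        if rec.get("errorCode") in AUTHZ_FAILURES:
            denied[principal(rec)] += 1
    for arn, count in denied.items():
        if count >= burst_threshold:
            findings.append(("authz-failure-burst", arn, f"{count} denied calls"))
    return findings


def load_records(text):
    # A CloudTrail log file is a JSON object with a single "Records" array.
    return json.loads(text)["Records"]


# Constructed sample: one log file's worth of records (account number and IP are documentation values).
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2026-04-25T08:01:12Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
  "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2026-04-25T08:03:40Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"type": "IAMUser", "userName": "deploy", "arn": "arn:aws:iam::111122223333:user/deploy"},
  "requestParameters": {"name": "org-trail"}},
 {"eventTime": "2026-04-25T08:05:02Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"userName": "bob"}},
 {"eventTime": "2026-04-25T08:06:10Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "errorCode": "Client.UnauthorizedOperation",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci-runner/build-42"}},
 {"eventTime": "2026-04-25T08:06:11Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups",
  "errorCode": "Client.UnauthorizedOperation",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci-runner/build-42"}},
 {"eventTime": "2026-04-25T08:06:13Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci-runner/build-42"}},
 {"eventTime": "2026-04-25T08:07:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"}},
 {"eventTime": "2026-04-25T08:08:30Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {}}
]}"""

if __name__ == "__main__":
    for finding in scan(load_records(SAMPLE_LOG)):
        print(*finding, sep="  ")
```

In a real deployment the same logic runs as an EventBridge rule target or over the log-archive bucket; the burst detector is deliberately keyed on the principal ARN rather than the IAM user name so that assumed-role sessions from a compromised CI runner are grouped together.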
Config
Resource configuration history. Config answers questions like "What did this S3 bucket's policy look like 30 days ago?" and can evaluate rules against each change.
A Realistic SaaS Composition
Here's how a multi-tenant SaaS might compose AWS services:
[ Route 53 + CloudFront + WAF ]
              │
              ▼
      [ ALB across 3 AZs ]
              │
    ┌─────────┼─────────┐
    ▼         ▼         ▼
[ ECS Fargate ] [ ECS Fargate ] [ ECS Fargate ]
 (App service)   (App service)   (App service)
    │         │         │
    └─────────┼─────────┘
              ▼
      [ Aurora Multi-AZ ]
  (Postgres, with read replicas)
              │
    ┌─────────┼─────────┐
    ▼         ▼         ▼
[ Redis ]   [ S3 ]    [ DynamoDB ]
(sessions/cache) (file storage) (high-throughput)

[ Cognito ] ── [ API Gateway ] ── [ Lambda functions ]
 (user auth)    (public API)      (webhooks, async jobs)

[ Kinesis ] ── [ Lambda ]      [ EventBridge ] ── [ Lambda / SQS ]
 (events in)   (process)       (cross-service)    (downstream)

[ CloudWatch + X-Ray + CloudTrail ]    [ Secrets Manager + KMS ]
 (observability)                        (secrets + encryption)
This is a typical reference architecture. Most SaaS platforms run a variant of it.
Recap
- AWS resources hang off the Organization → OU → Account → Region → AZ hierarchy.
- Compute: EC2 (VMs), ECS/EKS (containers), Lambda (functions), Batch/Step Functions (orchestration).
- Storage: S3 (objects), EBS (block), EFS (file).
- Databases: RDS/Aurora (relational), DynamoDB (key-value), ElastiCache (cache), Redshift (analytics), Neptune (graph).
- Networking: ALB/NLB, API Gateway, CloudFront, Route 53, Transit Gateway, PrivateLink.
- Identity: IAM, KMS, WAF/Shield, Secrets Manager, Cognito, ACM.
- Messaging: SQS, SNS, Kinesis, EventBridge, MSK.
- Observability: CloudWatch, X-Ray, CloudTrail, Config.
- The skill is composition: knowing which services play together for which use case.