# AWS Fundamentals and Boto3 Setup

## Learning Objectives

By the end of this notebook, you will be able to:

1. Understand AWS account structure and core concepts
2. Explain IAM (Identity and Access Management) fundamentals
3. Configure AWS credentials securely
4. Install and set up boto3 for Python
5. Create and manage boto3 sessions and clients

---

## 1. AWS Account Basics

### What is AWS?

Amazon Web Services (AWS) is a comprehensive cloud computing platform that provides:
- **Compute services** (EC2, Lambda)
- **Storage services** (S3, EBS)
- **Database services** (RDS, DynamoDB)
- **Networking** (VPC, Route 53)
- And 200+ other services

### AWS Account Structure

```
AWS Account (Root)
    |
    +-- IAM Users (individual identities)
    |       |
    |       +-- Access Keys (programmatic access)
    |       +-- Passwords (console access)
    |
    +-- IAM Roles (assumed identities)
    |
    +-- IAM Groups (collections of users)
    |
    +-- Resources (S3 buckets, EC2 instances, etc.)
```

### Regions and Availability Zones

- **Region**: Geographic area (e.g., `us-east-1`, `eu-west-1`)
- **Availability Zone (AZ)**: Isolated data center within a region
- Some services are **global** (IAM, Route 53, CloudFront)
- Most services are **regional** (S3, EC2, Lambda)

In [None]:
# Common AWS regions
AWS_REGIONS = {
    "us-east-1": "US East (N. Virginia)",
    "us-east-2": "US East (Ohio)",
    "us-west-1": "US West (N. California)",
    "us-west-2": "US West (Oregon)",
    "eu-west-1": "Europe (Ireland)",
    "eu-west-2": "Europe (London)",
    "eu-central-1": "Europe (Frankfurt)",
    "ap-northeast-1": "Asia Pacific (Tokyo)",
    "ap-southeast-1": "Asia Pacific (Singapore)",
    "ap-south-1": "Asia Pacific (Mumbai)",
}

# Print available regions
for code, name in AWS_REGIONS.items():
    print(f"{code:20} -> {name}")

## 2. IAM (Identity and Access Management)

### IAM Core Components

| Component | Description | Use Case |
|-----------|-------------|----------|
| **User** | Individual identity | Personal access for developers |
| **Group** | Collection of users | Apply policies to multiple users |
| **Role** | Assumable identity | Cross-account access, service permissions |
| **Policy** | JSON document defining permissions | Fine-grained access control |

### IAM Policy Structure

Policies follow a specific JSON format:

In [None]:
import json

# Example IAM Policy - Allow read-only S3 access
example_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3ReadOnly",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

print("Example IAM Policy:")
print(json.dumps(example_policy, indent=2))

In [None]:
# More complex policy with conditions
complex_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3AccessFromSpecificIP",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.168.1.0/24"
                }
            }
        },
        {
            "Sid": "DenyDeleteBucket",
            "Effect": "Deny",
            "Action": "s3:DeleteBucket",
            "Resource": "*"
        }
    ]
}

print("Complex Policy with Conditions:")
print(json.dumps(complex_policy, indent=2))

### IAM Best Practices

1. **Never use root account** for daily operations
2. **Enable MFA** on all accounts, especially root
3. **Principle of Least Privilege** - Grant only necessary permissions
4. **Use roles** instead of long-term access keys when possible
5. **Rotate credentials** regularly
6. **Use IAM Access Analyzer** to identify unused permissions

## 3. Credentials Configuration

### Methods of Authentication (in order of precedence)

1. **Explicit credentials** in code (NOT recommended)
2. **Environment variables** (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`)
3. **Shared credentials file** (`~/.aws/credentials`)
4. **AWS config file** (`~/.aws/config`)
5. **IAM role** (for EC2, Lambda, ECS)

### Setting Up Credentials File

In [None]:
# The credentials file structure (~/.aws/credentials)
credentials_template = """
# ~/.aws/credentials

[default]
aws_access_key_id = YOUR_ACCESS_KEY_HERE
aws_secret_access_key = YOUR_SECRET_KEY_HERE

[dev]
aws_access_key_id = DEV_ACCESS_KEY
aws_secret_access_key = DEV_SECRET_KEY

[prod]
aws_access_key_id = PROD_ACCESS_KEY
aws_secret_access_key = PROD_SECRET_KEY
"""

print(credentials_template)

In [None]:
# The config file structure (~/.aws/config)
config_template = """
# ~/.aws/config

[default]
region = us-east-1
output = json

[profile dev]
region = us-west-2
output = json

[profile prod]
region = eu-west-1
output = json
"""

print(config_template)

In [None]:
import os
from pathlib import Path

# Check for existing AWS configuration
def check_aws_config():
    """Check if AWS credentials and config files exist."""
    home = Path.home()
    aws_dir = home / ".aws"
    credentials_file = aws_dir / "credentials"
    config_file = aws_dir / "config"
    
    results = {
        "aws_directory": aws_dir.exists(),
        "credentials_file": credentials_file.exists(),
        "config_file": config_file.exists(),
        "env_access_key": bool(os.environ.get("AWS_ACCESS_KEY_ID")),
        "env_secret_key": bool(os.environ.get("AWS_SECRET_ACCESS_KEY")),
        "env_region": os.environ.get("AWS_DEFAULT_REGION", "Not set"),
    }
    
    print("AWS Configuration Status:")
    print("-" * 40)
    print(f"AWS Directory (~/.aws):      {results['aws_directory']}")
    print(f"Credentials File:            {results['credentials_file']}")
    print(f"Config File:                 {results['config_file']}")
    print(f"Env: AWS_ACCESS_KEY_ID:      {results['env_access_key']}")
    print(f"Env: AWS_SECRET_ACCESS_KEY:  {results['env_secret_key']}")
    print(f"Env: AWS_DEFAULT_REGION:     {results['env_region']}")
    
    return results

check_aws_config()

### Security Warning

> **NEVER commit credentials to version control!**
>
> Add these to your `.gitignore`:
> ```
> .aws/
> *.pem
> .env
> ```

## 4. Installing and Setting Up Boto3

### Installation

In [None]:
# Install boto3 (uncomment to run)
# !pip install boto3

# For development, also install moto for mocking AWS services
# !pip install moto

print("To install boto3, run:")
print("  pip install boto3")
print("\nFor testing/mocking:")
print("  pip install moto")

In [None]:
# Import and check boto3 version
try:
    import boto3
    import botocore
    
    print(f"boto3 version: {boto3.__version__}")
    print(f"botocore version: {botocore.__version__}")
except ImportError:
    print("boto3 is not installed. Run: pip install boto3")

### Boto3 Architecture

Boto3 has two levels of API:

1. **Client (Low-level)**: Direct 1:1 mapping to AWS API calls
2. **Resource (High-level)**: Object-oriented interface (easier to use)

```
boto3
  |
  +-- Session (credentials + config)
        |
        +-- Client (low-level API)
        |     - service_name
        |     - direct API calls
        |
        +-- Resource (high-level API)
              - object-oriented
              - collections
              - actions
```

## 5. Sessions and Clients

### Creating a Session

In [None]:
import boto3

# Default session (uses default profile)
default_session = boto3.Session()

print(f"Default region: {default_session.region_name}")
print(f"Available profiles: {default_session.available_profiles}")

In [None]:
# Session with specific profile and region
# (This will fail if the profile doesn't exist - that's expected)
try:
    custom_session = boto3.Session(
        profile_name='dev',  # Use specific profile
        region_name='us-west-2'  # Override region
    )
    print(f"Custom session region: {custom_session.region_name}")
except Exception as e:
    print(f"Profile 'dev' not found (expected): {type(e).__name__}")
    print("\nYou can create profiles in ~/.aws/credentials")

In [None]:
# Session with explicit credentials (NOT recommended for production)
# This is useful for testing or temporary access

# DON'T DO THIS IN REAL CODE!
example_session = boto3.Session(
    aws_access_key_id='AKIAIOSFODNN7EXAMPLE',  # Fake key
    aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',  # Fake secret
    region_name='us-east-1'
)

print("Session created with explicit credentials (for demo only)")
print("WARNING: Never hardcode real credentials in your code!")

### Creating Clients

In [None]:
# Create clients from session
session = boto3.Session(region_name='us-east-1')

# S3 client
s3_client = session.client('s3')

# EC2 client
ec2_client = session.client('ec2')

# DynamoDB client
dynamodb_client = session.client('dynamodb')

print("Clients created:")
print(f"  S3: {type(s3_client)}")
print(f"  EC2: {type(ec2_client)}")
print(f"  DynamoDB: {type(dynamodb_client)}")

In [None]:
# Quick way to create clients (uses default session)
s3 = boto3.client('s3')
lambda_client = boto3.client('lambda')
sqs = boto3.client('sqs')

print("Quick client creation uses the default session")

### Creating Resources

In [None]:
# Resources provide higher-level, object-oriented interface
s3_resource = boto3.resource('s3')
dynamodb_resource = boto3.resource('dynamodb')

print(f"S3 Resource: {type(s3_resource)}")
print(f"DynamoDB Resource: {type(dynamodb_resource)}")

In [None]:
# Client vs Resource comparison
print("Client vs Resource:")
print("="*50)
print()
print("CLIENT (Low-level):")
print("  - Direct API mapping")
print("  - Returns dictionaries")
print("  - More verbose")
print("  - Example: s3.list_buckets()")
print()
print("RESOURCE (High-level):")
print("  - Object-oriented")
print("  - Returns objects with methods")
print("  - More Pythonic")
print("  - Example: s3.Bucket('name').objects.all()")

### Listing Available Services

In [None]:
# List all available services
session = boto3.Session()

# Services available for clients
all_services = session.get_available_services()
print(f"Total services available: {len(all_services)}")
print(f"\nFirst 20 services: {all_services[:20]}")

# Common services we'll use
common_services = ['s3', 'ec2', 'dynamodb', 'lambda', 'sqs', 'sns', 'iam', 'cloudwatch']
print(f"\nCommon services we'll cover: {common_services}")

In [None]:
# Services available for resources (high-level API)
# Note: Not all services have resource interfaces
resources_available = session.get_available_resources()
print(f"Services with resource API: {resources_available}")

### Configuration Best Practices

In [None]:
from botocore.config import Config

# Configure client with retry logic and timeouts
custom_config = Config(
    region_name='us-east-1',
    signature_version='v4',
    retries={
        'max_attempts': 3,
        'mode': 'standard'
    },
    connect_timeout=5,
    read_timeout=10
)

# Create client with custom config
s3_with_config = boto3.client('s3', config=custom_config)

print("Client created with custom configuration:")
print(f"  - Max retries: 3")
print(f"  - Connect timeout: 5s")
print(f"  - Read timeout: 10s")

### Environment Variable Configuration

In [None]:
import os

# AWS environment variables reference
env_vars = {
    "AWS_ACCESS_KEY_ID": "Your access key",
    "AWS_SECRET_ACCESS_KEY": "Your secret key",
    "AWS_SESSION_TOKEN": "Temporary session token (for assumed roles)",
    "AWS_DEFAULT_REGION": "Default region for operations",
    "AWS_PROFILE": "Named profile to use",
    "AWS_CONFIG_FILE": "Path to config file (default: ~/.aws/config)",
    "AWS_SHARED_CREDENTIALS_FILE": "Path to credentials file",
}

print("AWS Environment Variables:")
print("="*60)
for var, description in env_vars.items():
    current_value = os.environ.get(var, "Not set")
    if current_value != "Not set" and "KEY" in var:
        current_value = "****" + current_value[-4:]  # Mask sensitive values
    print(f"{var:35} -> {description}")
    print(f"{'':35}    Current: {current_value}")

---

## Exercises

### Exercise 1: Create an IAM Policy

Create a Python dictionary representing an IAM policy that:
- Allows `s3:GetObject` and `s3:PutObject` on bucket `my-data-bucket`
- Denies all `s3:Delete*` actions
- Requires MFA for all actions

In [None]:
# Exercise 1: Your code here
import json

policy = {
    # Create your policy here
}

print(json.dumps(policy, indent=2))

<details>
<summary>Click to see solution</summary>

```python
import json

policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetPutWithMFA",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::my-data-bucket/*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        },
        {
            "Sid": "DenyAllDeletes",
            "Effect": "Deny",
            "Action": "s3:Delete*",
            "Resource": "*"
        }
    ]
}

print(json.dumps(policy, indent=2))
```
</details>

### Exercise 2: Session Manager Class

Create a class that manages boto3 sessions for different environments (dev, staging, prod).

In [None]:
# Exercise 2: Your code here
import boto3
from typing import Dict, Optional

class AWSSessionManager:
    """Manage AWS sessions for different environments."""
    
    def __init__(self):
        # Your implementation here
        pass
    
    def get_session(self, environment: str) -> boto3.Session:
        """Get or create session for environment."""
        pass
    
    def get_client(self, service: str, environment: str):
        """Get client for a service in an environment."""
        pass

# Test your class
# manager = AWSSessionManager()
# s3 = manager.get_client('s3', 'dev')

<details>
<summary>Click to see solution</summary>

```python
import boto3
from typing import Dict, Optional, Any

class AWSSessionManager:
    """Manage AWS sessions for different environments."""
    
    # Environment to region mapping
    ENV_CONFIG = {
        'dev': {'region': 'us-west-2', 'profile': 'dev'},
        'staging': {'region': 'us-east-1', 'profile': 'staging'},
        'prod': {'region': 'us-east-1', 'profile': 'prod'},
    }
    
    def __init__(self):
        """Initialize session cache."""
        self._sessions: Dict[str, boto3.Session] = {}
        self._clients: Dict[str, Any] = {}
    
    def get_session(self, environment: str) -> boto3.Session:
        """Get or create session for environment."""
        if environment not in self.ENV_CONFIG:
            raise ValueError(f"Unknown environment: {environment}")
        
        if environment not in self._sessions:
            config = self.ENV_CONFIG[environment]
            try:
                self._sessions[environment] = boto3.Session(
                    profile_name=config['profile'],
                    region_name=config['region']
                )
            except Exception:
                # Fallback to region-only if profile doesn't exist
                self._sessions[environment] = boto3.Session(
                    region_name=config['region']
                )
        
        return self._sessions[environment]
    
    def get_client(self, service: str, environment: str):
        """Get client for a service in an environment."""
        cache_key = f"{environment}:{service}"
        
        if cache_key not in self._clients:
            session = self.get_session(environment)
            self._clients[cache_key] = session.client(service)
        
        return self._clients[cache_key]
    
    def list_environments(self) -> list:
        """List available environments."""
        return list(self.ENV_CONFIG.keys())

# Test the class
manager = AWSSessionManager()
print(f"Available environments: {manager.list_environments()}")

# Get a client
s3_dev = manager.get_client('s3', 'dev')
print(f"S3 client type: {type(s3_dev)}")
```
</details>

### Exercise 3: Configuration Validator

Write a function that validates AWS configuration and provides helpful error messages.

In [None]:
# Exercise 3: Your code here
from typing import Tuple, List

def validate_aws_config() -> Tuple[bool, List[str]]:
    """
    Validate AWS configuration.
    
    Returns:
        Tuple of (is_valid, list of issues/warnings)
    """
    # Your implementation here
    pass

# Test
# is_valid, messages = validate_aws_config()
# for msg in messages:
#     print(msg)

<details>
<summary>Click to see solution</summary>

```python
import os
from pathlib import Path
from typing import Tuple, List
import boto3
from botocore.exceptions import NoCredentialsError, PartialCredentialsError

def validate_aws_config() -> Tuple[bool, List[str]]:
    """
    Validate AWS configuration.
    
    Returns:
        Tuple of (is_valid, list of issues/warnings)
    """
    issues = []
    warnings = []
    is_valid = True
    
    home = Path.home()
    aws_dir = home / ".aws"
    
    # Check for AWS directory
    if not aws_dir.exists():
        warnings.append("[WARN] ~/.aws directory does not exist")
    
    # Check for credentials file
    creds_file = aws_dir / "credentials"
    if not creds_file.exists():
        warnings.append("[WARN] ~/.aws/credentials file not found")
    
    # Check for config file
    config_file = aws_dir / "config"
    if not config_file.exists():
        warnings.append("[WARN] ~/.aws/config file not found")
    
    # Check environment variables
    env_access = os.environ.get("AWS_ACCESS_KEY_ID")
    env_secret = os.environ.get("AWS_SECRET_ACCESS_KEY")
    
    if env_access and not env_secret:
        issues.append("[ERROR] AWS_ACCESS_KEY_ID set but AWS_SECRET_ACCESS_KEY missing")
        is_valid = False
    
    if env_secret and not env_access:
        issues.append("[ERROR] AWS_SECRET_ACCESS_KEY set but AWS_ACCESS_KEY_ID missing")
        is_valid = False
    
    # Try to create a session
    try:
        session = boto3.Session()
        credentials = session.get_credentials()
        
        if credentials is None:
            issues.append("[ERROR] No credentials found")
            is_valid = False
        else:
            issues.append("[OK] Credentials found")
            
            # Try to make a simple API call
            try:
                sts = session.client('sts')
                identity = sts.get_caller_identity()
                issues.append(f"[OK] Authenticated as: {identity['Arn']}")
            except Exception as e:
                warnings.append(f"[WARN] Could not verify credentials: {e}")
                
    except NoCredentialsError:
        issues.append("[ERROR] No AWS credentials configured")
        is_valid = False
    except PartialCredentialsError as e:
        issues.append(f"[ERROR] Incomplete credentials: {e}")
        is_valid = False
    
    # Check region
    region = os.environ.get("AWS_DEFAULT_REGION")
    if not region:
        try:
            session = boto3.Session()
            if session.region_name:
                issues.append(f"[OK] Default region: {session.region_name}")
            else:
                warnings.append("[WARN] No default region configured")
        except:
            warnings.append("[WARN] Could not determine default region")
    else:
        issues.append(f"[OK] Region from env: {region}")
    
    return is_valid, issues + warnings

# Test
is_valid, messages = validate_aws_config()
print("AWS Configuration Validation")
print("=" * 40)
for msg in messages:
    print(msg)
print()
print(f"Configuration valid: {is_valid}")
```
</details>

### Exercise 4: Service Client Factory

Create a factory function that creates boto3 clients with standard configuration (retries, timeouts).

In [None]:
# Exercise 4: Your code here
from botocore.config import Config
from typing import Optional

def create_client(
    service: str,
    region: Optional[str] = None,
    max_retries: int = 3,
    timeout: int = 10
):
    """
    Create a boto3 client with standard configuration.
    
    Args:
        service: AWS service name
        region: AWS region (optional)
        max_retries: Maximum retry attempts
        timeout: Connection timeout in seconds
    
    Returns:
        Configured boto3 client
    """
    # Your implementation here
    pass

# Test
# s3 = create_client('s3', region='us-west-2', max_retries=5)

<details>
<summary>Click to see solution</summary>

```python
import boto3
from botocore.config import Config
from typing import Optional, Any

def create_client(
    service: str,
    region: Optional[str] = None,
    max_retries: int = 3,
    timeout: int = 10,
    profile: Optional[str] = None
) -> Any:
    """
    Create a boto3 client with standard configuration.
    
    Args:
        service: AWS service name (e.g., 's3', 'dynamodb')
        region: AWS region (optional, uses default if not specified)
        max_retries: Maximum retry attempts (default: 3)
        timeout: Connection timeout in seconds (default: 10)
        profile: AWS profile name (optional)
    
    Returns:
        Configured boto3 client
    """
    # Build custom configuration
    config = Config(
        retries={
            'max_attempts': max_retries,
            'mode': 'adaptive'  # Adaptive retry mode
        },
        connect_timeout=timeout,
        read_timeout=timeout * 3,  # Read timeout is typically longer
        max_pool_connections=25  # Connection pool size
    )
    
    # Create session
    session_kwargs = {}
    if profile:
        session_kwargs['profile_name'] = profile
    if region:
        session_kwargs['region_name'] = region
    
    session = boto3.Session(**session_kwargs)
    
    # Create and return client
    return session.client(service, config=config)

# Test the factory
s3 = create_client('s3', region='us-west-2', max_retries=5)
dynamodb = create_client('dynamodb', region='us-east-1', timeout=15)

print(f"S3 client created: {type(s3)}")
print(f"DynamoDB client created: {type(dynamodb)}")
```
</details>

### Exercise 5: Credential Rotation Checker

Create a function that checks when AWS access keys were last rotated (would require actual AWS access to fully work).

In [None]:
# Exercise 5: Your code here
from datetime import datetime, timedelta
from typing import Dict, Any

def check_credential_age() -> Dict[str, Any]:
    """
    Check the age of AWS access keys.
    
    Returns:
        Dictionary with key age information and recommendations
    """
    # Your implementation here
    pass

# Test (will need actual AWS access)
# result = check_credential_age()
# print(result)

<details>
<summary>Click to see solution</summary>

```python
import boto3
from datetime import datetime, timedelta, timezone
from typing import Dict, Any, List
from botocore.exceptions import ClientError

def check_credential_age() -> Dict[str, Any]:
    """
    Check the age of AWS access keys.
    
    Returns:
        Dictionary with key age information and recommendations
    """
    result = {
        "status": "unknown",
        "user": None,
        "keys": [],
        "recommendations": []
    }
    
    try:
        # Get current identity
        sts = boto3.client('sts')
        identity = sts.get_caller_identity()
        result["user"] = identity['Arn']
        
        # Check if we're using IAM user credentials
        if ':user/' in identity['Arn']:
            username = identity['Arn'].split('/')[-1]
            
            # Get access key information
            iam = boto3.client('iam')
            keys = iam.list_access_keys(UserName=username)
            
            now = datetime.now(timezone.utc)
            max_age_days = 90  # AWS best practice
            
            for key in keys['AccessKeyMetadata']:
                key_info = {
                    "key_id": key['AccessKeyId'][:8] + "...",
                    "status": key['Status'],
                    "created": key['CreateDate'].isoformat(),
                    "age_days": (now - key['CreateDate']).days
                }
                result["keys"].append(key_info)
                
                if key_info["age_days"] > max_age_days:
                    result["recommendations"].append(
                        f"Key {key_info['key_id']} is {key_info['age_days']} days old. "
                        f"Consider rotating (recommended: every {max_age_days} days)"
                    )
            
            if len(result["keys"]) > 1:
                result["recommendations"].append(
                    "Multiple active keys detected. Consider using only one."
                )
            
            result["status"] = "checked"
            
        else:
            result["status"] = "role_credentials"
            result["recommendations"].append(
                "Using assumed role credentials - no key rotation needed"
            )
            
    except ClientError as e:
        result["status"] = "error"
        result["error"] = str(e)
        result["recommendations"].append(
            "Could not check key age - may lack IAM permissions"
        )
    except Exception as e:
        result["status"] = "error"
        result["error"] = str(e)
    
    return result

# Test
print("Checking credential age...")
try:
    result = check_credential_age()
    print(f"Status: {result['status']}")
    print(f"User: {result['user']}")
    for key in result['keys']:
        print(f"Key: {key['key_id']} - Age: {key['age_days']} days")
    for rec in result['recommendations']:
        print(f"Recommendation: {rec}")
except Exception as e:
    print(f"Could not check (expected without AWS access): {e}")
```
</details>

---

## Summary

In this notebook, we covered:

1. **AWS Account Basics**
   - Account structure and organization
   - Regions and Availability Zones
   - Global vs regional services

2. **IAM Fundamentals**
   - Users, Groups, Roles, and Policies
   - Policy structure and syntax
   - Security best practices

3. **Credentials Configuration**
   - Credentials file setup
   - Environment variables
   - Authentication methods

4. **Boto3 Setup**
   - Installation and verification
   - Client vs Resource API
   - Sessions and configuration

### Key Takeaways

- **Never hardcode credentials** in your code
- **Use IAM roles** when running on AWS infrastructure
- **Follow least privilege** principle for permissions
- **Use sessions** to manage different environments
- **Configure retries** for production resilience

### AWS Cost Warning

> **Important**: AWS services can incur costs. Always:
> - Use free tier when learning
> - Set up billing alerts
> - Clean up resources after testing
> - Check pricing before provisioning

---

## Next Steps

Continue to [02_s3_operations.ipynb](02_s3_operations.ipynb) to learn about Amazon S3 operations including:
- Creating and managing buckets
- Uploading and downloading files
- Listing objects and managing permissions
- Generating presigned URLs