Building an Order System with Microservices, Lambda, and CloudFormation.
About this module
The starting point of the project. Here you'll understand what will be built, learn the fundamental AWS concepts, and prepare your environment for the modules ahead.
Level: AWS beginner · Estimated duration: 2-3 hours
00. Table of contents
01. Welcome
Before anything else, it's important that you understand what kind of journey you're getting into. This is not a theoretical certification course. It's a building course: you'll walk away with a working system running on AWS, provisioned by code, with microservices communicating with one another, serverless functions processing events, and fully reproducible infrastructure.
What to expect from the material
Each module follows the same format: it starts with the theory you need to understand why the decisions are being made, moves on to the hands-on part (what you need to do), and ends with exercises. The exercises are not optional — they're where the learning really sticks.
You'll notice that the PDFs don't hand you ready-made code for the business rules. This is intentional. The goal here is for you to develop the system, not to copy and paste a repository. When code does appear, it will only be to illustrate a configuration, a parameter, or a snippet with important nuance.
How to study with this material
A few practical recommendations for getting the most out of each module:
02. Project overview
We're going to build an order processing system — a lean version of what runs behind the scenes of any e-commerce store. The goal isn't to be a complete, production-ready system, but rather a scenario rich enough to force the correct use of each AWS service we'll study.
The system's components
Three independent microservices, each with a clear responsibility:
Beyond the microservices, we'll have a set of Lambda functions handling event-driven tasks: sending confirmation emails, generating daily reports, and processing product images.
High-level diagram
The complete flow of an order follows the path below. Don't worry if some services don't make sense yet — we'll break down each one in the following modules.
Figure 1 — High-level view of the architecture.
What this architecture is exercising
03. Why these services?
AWS has more than 200 services. Why Beanstalk, Lambda, and CloudFormation in particular? The answer has to do with covering a full spectrum of computing and operational models — not with learning tools in isolation.
Elastic Beanstalk
The managed middle ground
Beanstalk is a service that abstracts away the complexity of deploying a traditional application on AWS. You hand over the code, and it takes care of provisioning EC2, Load Balancer, Auto Scaling, monitoring, and deployment. It's the kind of service you use when you have an application that needs to be always on, with reasonably constant traffic.
For our microservices (Orders, Inventory, Payments), Beanstalk makes sense because they're services that receive requests continuously and need low latency — you can't afford a cold start on every call.
Lambda
Event-driven serverless
Lambda is the opposite of Beanstalk in philosophy. You don't think about servers: you write a function, it runs in response to an event (a message in a queue, a file in S3, a schedule), and you pay only for execution time.
It works perfectly for tasks that don't happen all the time: sending an email when an order is paid, generating a report once a day, processing an image when it's uploaded. Paying for an EC2 instance running 24 hours for tasks like these would be a waste.
CloudFormation
Infrastructure as code
CloudFormation is the service that ties everything together. Instead of clicking around the console to create a VPC, security groups, database, queues, and Beanstalk environments, you describe all the infrastructure in YAML files and CloudFormation takes care of creating, updating, and destroying the resources.
This is the service that will set you apart the most from people who only know how to use AWS through the console. Knowing how to write CloudFormation templates is what separates a casual user from an AWS engineer.
04. AWS in 10 minutes
This section is a flyover. Don't worry about memorizing anything — the goal is for you to get familiar with the vocabulary and have a mental model before you start clicking.
What is AWS?
Amazon Web Services is Amazon's cloud computing offering. In practical terms: you rent computing capacity (servers, databases, networks, storage) on demand, without having to buy hardware. You pay for what you use, and resources can be provisioned in minutes via API or console.
Service models
AWS services fall into a few models. Being able to identify each service's model helps you understand what to expect from it:
Regions and Availability Zones
AWS is organized into geographic regions (São Paulo, North Virginia, Frankfurt, etc.). Each region is physically separated from the others and has several availability zones (AZs), which are independent datacenters within the same region.
You always choose the region where your resources will live. For this course, we'll use us-east-1 (North Virginia), which is the region with the most services, generally the cheapest, and where most documentation is based.
05. Fundamental concepts
The concepts below appear in every one of the following modules. If they feel confusing now, come back and reread this section whenever you need to.
IAM: the permissions system
IAM (Identity and Access Management) is the service that controls who can do what on AWS. Everything goes through IAM: users, services, scripts. Understanding IAM is mandatory, and the most frustrating errors you'll run into during the course will probably be permission errors.
Fundamental principle: least privilege
Always grant the least permission necessary. It's tempting (and unfortunately common) to attach the AdministratorAccess policy to everything just to "make it work." Don't. In the project we'll write specific policies, and that's a central part of the learning.
Console, CLI, and SDK
There are three main ways to interact with AWS:
Resources, ARNs, and tags
Everything on AWS is a resource — a queue, a function, a bucket. Each resource has a unique identifier called an ARN (Amazon Resource Name). The ARN follows a fixed pattern:
arn:aws:<service>:<region>:<account>:<resource>
# Examples:
arn:aws:sqs:us-east-1:123456789012:orders-queue
arn:aws:lambda:us-east-1:123456789012:function:send-email
arn:aws:dynamodb:us-east-1:123456789012:table/OrdersARNs show up in IAM policies, in references between services, in error logs — get used to reading them. You'll be writing and referencing them a lot.
Tags are key-value pairs you attach to resources to organize them. We'll tag everything in the project (for example, Project=order-system, Environment=dev) — this makes it easy to find and, most importantly, delete everything at the end.
06. Costs: what to expect
Let's talk about money frankly, because it's the biggest source of anxiety for beginners — and also the biggest source of nasty surprises.
Free Tier
AWS offers a free usage tier (Free Tier) during the first 12 months after you create the account. It includes, among other things:
For a course like this one, with moderate usage, it's perfectly possible to stay within the Free Tier throughout the entire project. But there are traps.
The main billing risks
Setting up billing alerts
Even with care, set up alerts. You don't have an account created at this point yet, but keep this in mind to do right after creating it (in section 7):
07. Preparing your environment
Time to get your hands dirty. This section has five parts: creating the AWS account, configuring the IAM user, installing the AWS CLI, installing Node.js, and installing the auxiliary tools.
7.1 — Creating your AWS account
Go to aws.amazon.com and click Create an AWS Account. You'll need:
At the end of the process, choose the Basic Support — Free plan.
7.2 — Creating your working IAM user
Instead of using the root, we'll create a specific IAM user for the course. Log in as root, go to the IAM service, and follow along:
7.3 — Generating access keys for the CLI
Still within the user you created, go to the Security credentials tab and, under Access keys, click Create access key. Choose the Command Line Interface (CLI) use case, confirm the warning, and generate.
7.4 — Installing the AWS CLI
The AWS CLI v2 is what you'll use to configure credentials and make administrative calls. Installation:
# Linux (x86_64):
curl 'https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip' -o awscli.zip
unzip awscli.zip
sudo ./aws/install
# macOS (with Homebrew):
brew install awscli
# Windows: download the MSI installer at
# https://awscli.amazonaws.com/AWSCLIV2.msiVerify the installation:
aws --version
# expected output: aws-cli/2.x.x Python/3.x.x ...Now configure the profile. Use the access keys generated in 7.3:
aws configure --profile aws-curso
AWS Access Key ID: [paste your access key]
AWS Secret Access Key: [paste your secret]
Default region name: us-east-1
Default output format: jsonAbout the --profile parameter: it creates a named profile instead of overwriting the default. Good practice — one day you'll have more than one AWS account on your machine. To use the profile, export the environment variable:
# Linux/macOS:
export AWS_PROFILE=aws-curso
# Windows (PowerShell):
$env:AWS_PROFILE='aws-curso'7.5 — Installing Node.js
The microservices will be written in Node.js. I recommend the current LTS version. The most flexible way to manage versions is using nvm:
# Linux/macOS:
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
# reopen the terminal and:
nvm install --lts
nvm use --lts
node --version # expected: v20.x.x or higher
npm --version7.6 — Auxiliary tools
08. Verifying that everything works
Before moving on to module 1, let's run three quick checks to make sure your environment is ready.
Check 1 — CLI identity
The get-caller-identity command returns the identity being used — if it responds, your authentication is correct:
aws sts get-caller-identity --profile aws-curso
# expected output (JSON):
{
"UserId": "AIDAxxxxxxxxxxxxxxxxx",
"Account": "123456789012",
"Arn": "arn:aws:iam::123456789012:user/otavio-dev"
}Check 2 — List regions
This command confirms that you can call authenticated APIs:
aws ec2 describe-regions --profile aws-curso --output tableYou should see a table with several regions. If you get UnauthorizedOperation, review the user's policy. If you get InvalidClientTokenId, your access keys are wrong.
Check 3 — Node.js + AWS SDK
Create a test folder and install the SDK:
mkdir teste-aws && cd teste-aws
npm init -y
npm install @aws-sdk/client-stsCreate a teste.js file with a script that calls the same API via the SDK:
// teste.js
import { STSClient, GetCallerIdentityCommand }
from '@aws-sdk/client-sts';
const client = new STSClient({ region: 'us-east-1' });
const result = await client.send(new GetCallerIdentityCommand({}));
console.log(result);Add "type": "module" to the package.json and run:
AWS_PROFILE=aws-curso node teste.js09. Practice exercises
The exercises below don't require any new code — they're all about exploring the console and the CLI. The goal is for you to gain familiarity before you start building.
Explore the console and identify services
Log in to the console with your otavio-dev user. In the search bar at the top, look for the services we'll be using: Elastic Beanstalk, Lambda, CloudFormation, SNS, SQS, DynamoDB, IAM, and CloudWatch. Open each one and pin them as favorites in the sidebar. Take note: which service did you find most intuitive? And the least?
Configure billing alerts
Enable billing alerts following the steps in section 6. Create at least one CloudWatch alarm for US$ 5 and confirm the subscription email on the SNS topic. Take a screenshot of the created alarm for your future reference.
Create and destroy your first resource
Through the console, create an S3 bucket with any unique name (e.g., otavio-teste-2026-aws-curso). Upload any text file. Then delete the file and the bucket. This exercise trains the create-use-destroy cycle. Bonus: redo the exercise via the CLI with aws s3 mb, aws s3 cp, and aws s3 rb.
Investigate an IAM policy
Go to IAM > Policies and search for AmazonS3ReadOnlyAccess. Open it and read the JSON. Without memorizing anything, try to identify: which actions does it allow? on which resources? why is it safe as "read-only"? Write down your conclusions — we'll come back to this topic in more depth.
Written reflection (no AWS)
Write, in free-form text (5 to 10 lines), in your own words: when would you use Beanstalk instead of Lambda, and vice versa? Don't consult the PDFs. Then reread section 3 and check whether your answer holds up.
10. Next steps
You've reached the end of module 0. This is the most "foundational" module of the course — everything from here on is concrete building.
What's coming up
Enjoy the journey. See you in Module 01.
