The Threat: GitHub Credential Leaks.

Hardcoding AWS Programmatic Access Keys in configuration files (.env) or repository codebases leaves system networks fully vulnerable to malicious automated scanning bots.

• Access Key Static Vulnerability: Keys remain valid forever unless manually rotated. If leaked, unauthorized parties control your system endpoints.
• The Modern Enterprise Fix: Standardize on temporary token delegation via IAM Roles and machine-level instance profiles.
• Secret Management Principle: Applications must never store raw AWS credentials locally inside memory disks.

IAM Roles for EC2 (Instance Profiles).

• Role Abstraction: An IAM Role is an identity with custom permission rules that can be assumed temporarily by an AWS compute resource.
• Trust Boundaries: Configure a trust policy authorizing EC2 to assume the role.
• Dynamic Credentials: AWS handles generating, injecting, and rotating the cryptographic tokens automatically every few hours.

How Servers Fetch Their Own Credentials.

The AWS SDK running in your application code queries a local, non-routable link-local IP address to get credentials.

• Non-Routable: Traffic remains strictly within the virtualization card layer of that physical host. It cannot leave the server boundary.
• Auto-Discovery: SDKs automatically search this path if local environment variable credentials do not exist.

The Baseline Test: Network Isolation.

We must prove our compute resource has absolutely no default access permissions to other AWS services before we assign our trust parameters.

• 1️⃣ Connect to your running EC2 machine via SSH or EC2 Instance Connect.
• 2️⃣ Run the S3 list query directly: aws s3 ls.
• 3️⃣ Observe the standard AWS API error: "Unable to locate credentials". This proves local storage is private.

The Enterprise Fix: Delegate Machine Trust.

• 1️⃣ Open your **IAM Console**. Create a role with a trust relationship targeting Amazon EC2.
• 2️⃣ Attach the managed policy AmazonS3ReadOnlyAccess to this IAM Role.
• 3️⃣ Navigate back to your EC2 console, select your instance, and attach this role to the **Instance Profile**.
• 4️⃣ Re-run aws s3 ls. The bucket lists succeed instantly without configuring keys!

Running the Programmatic Image Uploader.

Let's verify that our software code inherits this temporary machine-level authentication configuration natively.

• 1️⃣ Clone our pre-built image uploader repository directly onto your EC2 machine.
• 2️⃣ Run the app using your installed runtime: bun start or npm start.
• 3️⃣ Open the local server port. Try uploading an image file from your web browser.
• 4️⃣ Verify that the file lands securely inside your private S3 bucket without any hardcoded secret keys!

The 3-Tier Enterprise Web Production Architecture:

From Manual Clicks to Automation Codebases.

Manual server configurations do not scale in enterprise operations. The modern DevOps paradigm standardizes on programmatic definitions.

• Infrastructure as Code (IaC): Define entire cloud networks, security policies, and storage pools using declaration codes (Terraform/CloudFormation).
• Consistency: Deploy identical environments (Dev/Staging/Production) with the exact same script configurations.
• GitOps Integration: Version control your infrastructure resources using Git repositories.

Your Professional Credibility Roadmap:

• 1. Foundational (AWS Cloud Practitioner): The primary entry point. Verifies core cloud concepts and AWS pricing models.
• 2. Associate (Solutions Architect / Developer / SysOps): The baseline benchmark of professional systems engineering.
• 3. Professional & Specialty: Focuses on deep architectural design, security, networking, or machine learning engineering.

The Demand: Extreme Cloud Talent Shortage.

Standard programming skills are common. System engineers who understand cloud perimeters, secure delegation, and continuous deployment are rare and highly compensated.

• Local Market Trends: Nepal's enterprise sectors (banks, telecommunications, outsourcing agencies) are actively migrating to cloud models.
• Remote Opportunities: International companies heavily recruit remote cloud engineers on global pay rates if they can prove automated execution capabilities.

How to Get Noticed by Global Recruiters:

• The Code Portfolio: Certifications prove study; GitHub repositories prove execution. Host clean Terraform configurations.
• Real Project Scenarios: Document projects like "High-Availability Multi-AZ Web Fleets on AWS" or "Secure Serverless Frontends on S3."
• Technical Writing: Write brief technical guides on your setups (Medium/LinkedIn) to prove you can communicate complex architecture.

Keep Your Account Safe & Within Free Tier limits.

• Compute Cleanup: Select all sandbox EC2 instances inside your console window and trigger **Terminate**.
• Storage Deletion: Empty your unique S3 buckets, then delete the containers completely.
• Security Group Policies: Delete custom inbound rule associations if they are no longer required.