Cloud Katas

Focused, repeatable drills to build fluency. Each kata is 15-25 minutes and should be redone until it feels automatic.

Kata 1: Draft an IAM Policy for a Hypothetical S3 Bucket and Two Roles

Time limit: 20 minutes

Goal: produce a minimal, defensible IAM policy set from a one-sentence requirement

Setup: you own a bucket acme-reports-prod. Two principals need access: a reader-role that reads any object, and a writer-role that puts objects only under the incoming/ prefix and cannot delete.

Produce:

  • identity-based policy for reader-role (read-only on that bucket)
  • identity-based policy for writer-role (put on incoming/*, no delete)
  • a bucket policy that enforces TLS (aws:SecureTransport = true) and denies unencrypted PUTs (s3:x-amz-server-side-encryption required)

Repeat until: you can write all three policies in under ten minutes without looking up Action names.
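For checking a finished attempt, here is one possible answer to Kata 1 with a small self-check. It is an added example, not part of the original kata. The names READER, WRITER, BUCKET_POLICY, policy, allowed, has_deny and check are hypothetical, and it assumes the reader may also list keys and that the encryption requirement is expressed as a Null condition on the header.

```python
# Added example: one possible Kata 1 answer and a self-check (all names hypothetical).
BUCKET = "arn:aws:s3:::acme-reports-prod"
def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

# Assumption: "read-only" includes listing keys, so the reader also gets s3:ListBucket.
READER = policy(
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"})
WRITER = policy(  # delete is never allowed, so it stays implicitly denied
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{BUCKET}/incoming/*"})
BUCKET_POLICY = policy(
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    # Null == "true" matches requests that omit the encryption header.
    {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}})

_list = lambda v: v if isinstance(v, list) else [v]

def allowed(doc):
    for st in doc["Statement"]:  # every (action, resource) pair granted by an Allow
        if st["Effect"] == "Allow":
            for action in _list(st["Action"]):
                for resource in _list(st["Resource"]):
                    yield action, resource

def has_deny(doc, operator, key, value):
    return any(st["Effect"] == "Deny"
               and st.get("Condition", {}).get(operator, {}).get(key) == value
               for st in doc["Statement"])

def check(reader, writer, bucket_policy):
    """Return the kata requirements the draft violates (empty list means pass)."""
    in_bucket = lambda r: r == BUCKET or r.startswith(BUCKET + "/")
    problems = []
    for a, r in allowed(reader):
        if not a.startswith(("s3:Get", "s3:List")) or not in_bucket(r):
            problems.append(f"reader: {a} on {r}")
    for a, r in allowed(writer):
        if a != "s3:PutObject" or not r.startswith(BUCKET + "/incoming/"):
            problems.append(f"writer: {a} on {r}")
    if not has_deny(bucket_policy, "Bool", "aws:SecureTransport", "false"):
        problems.append("bucket policy: no deny for non-TLS requests")
    if not has_deny(bucket_policy, "Null", "s3:x-amz-server-side-encryption", "true"):
        problems.append("bucket policy: no deny for unencrypted PUTs")
    return problems
```

Pass your own three drafts to check() after each timed attempt; it flags wildcard actions, resources outside the bucket or the incoming/ prefix, and a bucket policy missing either deny.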


Kata 2: Design a VPC Layout for a 3-Tier App

Time limit: 20 minutes

Goal: produce a VPC diagram in text/ASCII that an engineer could implement in Terraform

Setup: 3-tier web app (web, app, database), three AZs, 10000 requests/day expected, global users, prod environment.

Produce:

  • VPC CIDR
  • subnet CIDRs (public, private-app, private-data × 3 AZs)
  • route table contents for each subnet class
  • NAT Gateway placement
  • load-balancer type and where it lives
  • security-group relationships (sg-alb -> sg-app -> sg-db) with specific ports

Repeat until: you can produce a complete, consistent VPC plan in under twelve minutes from memory.


Kata 3: Pick VM vs Container vs Serverless for Four Scenarios

Time limit: 15 minutes

Goal: produce a defensible compute choice plus one rejected alternative per scenario

Scenarios:

  1. Nightly ETL job - reads 50 GB from S3, joins, writes to a warehouse; runs ~1 hour.
  2. Internal JSON API with ~30 RPS, spiky; 100 ms p99 budget.
  3. Real-time video-transcoding service at 2-20 min per job; steady 60 jobs/hour.
  4. Long-lived stateful game-session server with persistent TCP connections.

For each: compute primitive, sizing/config summary, one rejected alternative with its blocking constraint.

Repeat until: your choices are stable across attempts and you can articulate the primary constraint in one sentence per scenario.


Kata 4: Produce a Landing-Zone Diagram

Time limit: 25 minutes

Goal: sketch an organization layout suitable for a 50-engineer company

Setup: 5 product teams, 3 environments per team (dev, staging, prod), one shared data platform.

Produce:

  • OU hierarchy with named OUs
  • account list by OU (core accounts + per-team accounts)
  • two SCPs with their purpose (one example: deny actions in non-approved regions; one example: deny creation of long-lived IAM users in production OU)
  • baseline items every account inherits (CloudTrail, VPC, SSO integration, tagging policy)
  • one paragraph stating what this structure makes easy and one thing it makes harder

Repeat until: you can draw and name every account, OU, and guardrail in under fifteen minutes.


Completion Standard

  • Can complete each kata within its time limit without reference material
  • Can explain the core technique of each kata in one paragraph
  • Can produce all four artifacts end-to-end in one sitting (90 minutes or less) with consistent quality