Overview
End-to-end Student System
This page bundles all design views used in class:
- UI – CRUD tab – Student list, add/update/delete, upload picture.
- API Design tab – REST endpoints, request/response JSON, picture upload flow using S3.
- RDS Schema tab –
studentstable withpicture_keystored in the database. - S3 & Lifecycle tab – How pictures are stored, Standard → IA → Glacier, and restore flow.
- VPC / ALB 3-Tier tab – Network & compute architecture for the API and database.
- Simulation Game (Exam) – Incident scenarios for CloudWatch, CloudTrail, S3 lifecycle & security.
UI – CRUD Design
Student Management UI (Wireframe)
A simple UI that sits on top of the API and RDS database.
- Top bar: module name, class, and environment (Dev / Test / Prod).
- Table of students:
id,name,email,course,picture, actions. - Buttons: Add Student, Refresh.
UI → API calls
- GET /students – Load all students.
- POST /students – Create student (JSON body, no picture yet or with picture key).
- PUT /students/<id> – Update student details.
- DELETE /students/<id> – Delete student (and optionally picture in S3).
- POST /students/<id>/picture – Upload picture:
- Front-end calls
POST /students/<id>/picture/presign. - API returns presigned URL for S3.
- Browser uploads file directly to S3.
- API stores
picture_keyin RDS.
- Front-end calls
API Design – with S3 picture
Core REST Endpoints
1. List & detail
GET /students
200 OK
[
{
"id": 1,
"name": "Alice",
"email": "alice@example.com",
"course": "DIT",
"picture_key": "students/1/profile.jpg",
"picture_url": "https://.../students/1/profile.jpg" // presigned or CloudFront URL
},
...
]GET /students/<id>
200 OK
{
"id": 1,
"name": "Alice",
"email": "alice@example.com",
"course": "DIT",
"picture_key": "students/1/profile.jpg"
}2. Create / Update / Delete
POST /students
Request:
{
"name": "Alice",
"email": "alice@example.com",
"course": "DIT"
}
Response 201:
{
"id": 1,
"name": "Alice",
"email": "alice@example.com",
"course": "DIT",
"picture_key": null
}PUT /students/<id>
Request:
{
"name": "Alice Tan",
"course": "DIT-SC"
}DELETE /students/<id>
- Marks student as deleted
- Optionally queues a task to delete picture from S33. Picture Upload – using S3 + picture_key in DB
Step 1 – Get presigned URL
POST /students/<id>/picture/presign
Request:
{
"contentType": "image/jpeg"
}
Server:
- Builds key: "students/<id>/profile.jpg"
- Stores/updates picture_key in DB
- Calls AWS SDK S3: getSignedUrl("putObject", ...)
Response:
{
"uploadUrl": "https://s3....",
"pictureKey": "students/<id>/profile.jpg"
}Step 2 – Front-end uploads directly to S3
PUT uploadUrl
Headers: Content-Type: image/jpeg
Body: binary image dataStep 3 – Get picture for UI
When UI calls GET /students, backend can:
- Return the raw
picture_keyonly, and front-end calls another API to get a presignedGETURL. - Or generate a short-lived
picture_urlin the list response.
RDS Schema
MySQL / MariaDB – students table
CREATE TABLE students (
id INT AUTO_INCREMENT PRIMARY KEY,
name VARCHAR(100) NOT NULL,
email VARCHAR(150) NOT NULL UNIQUE,
course VARCHAR(50) NOT NULL,
picture_key VARCHAR(255) NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
);picture_keystores the S3 object key (e.g.students/1/profile.jpg).- The actual picture file is stored in S3, not in the database.
- If lifecycle moves object to Glacier,
picture_keystill remains the same.
Sample data
INSERT INTO students (name, email, course, picture_key) VALUES
('Alice', 'alice@example.com', 'DIT', 'students/1/profile.jpg'),
('Ben', 'ben@example.com', 'DIT-SC', 'students/2/profile.png'),
('Cara', 'cara@example.com', 'DFI', NULL); S3 & Lifecycle
S3 Bucket for Student Pictures
- Bucket:
sp-students-pictures-<env> - Folder structure:
students/<id>/profile.jpgstudents/<id>/history/...
- Access via:
- Presigned URLs (GET & PUT) from the API.
- CloudFront distribution (optional) for faster delivery.
Lifecycle Policy
- After 30 days – move from Standard to Standard-IA.
- After 365 days – transition to Glacier Instant Retrieval or Glacier Deep Archive.
- Optional: expire objects after X years for alumni.
Rule: "student-pictures-lifecycle"
Filter: prefix = "students/"
Transitions:
- Days: 30, StorageClass: STANDARD_IA
- Days: 365, StorageClass: GLACIER_IRImportant: When object is in Glacier, direct GET may return InvalidObjectState. Application must:
- Call
restoreObjectfirst (or handle restore via EventBridge + Lambda). - Show "restoring picture..." in UI.
VPC / ALB / 3-Tier
3-Tier Network Architecture
- VPC with public and private subnets across 2 AZs.
- Public subnets: ALB.
- Private subnets: EC2 app instances + RDS.
- S3 accessed over public endpoint or VPC endpoint.
High-level flow
- Student → Internet → ALB (HTTPS).
- ALB → App EC2 → RDS (for metadata & picture_key).
- App EC2 → S3 (Get/Put object) using IAM role.
- CloudWatch + CloudTrail log metrics and API calls.
- EventBridge reacts to lifecycle or security events.
Simulation Game v3 – Exam Mode (Three-panel)
Left: incident scenario • Middle: 3-tier diagram • Right: remediation choices. Practice mode = unlimited tries; Exam mode = max 3 mistakes.
Exam HUD
Mode:Practice Level:1 / 5 Score:0 / 100 Mistakes (exam):0 / 3
3-Tier Request Path
ALB (public) – receives HTTPS from students↓ forwards to
App tier (EC2 / containers) – student API + presigned URL logic
↙ DB queries
RDS – student records, picture_key, status↘ object access
S3 – student pictures (Standard / IA / Glacier)🪵 monitoring + events
CloudWatch / CloudTrail / EventBridge – metrics, logs, lifecycle events CloudWatch · CloudTrail – Monitoring & Logging Lab
Use this mini-simulator to see how CloudWatch and CloudTrail observe your Student System: CRUD API calls, RDS performance and S3 photo uploads.
Architecture View
Run Monitoring Simulation
Tip for exam: use CloudWatch for metrics/alarms/logs (CPU, latency, error rate, custom app logs) and CloudTrail for who-did-what API calls across EC2, RDS, S3 and IAM.