We build things and write about it
KKloud Tarus is a small team of engineers and creators who love turning ideas into real things. We share what we learn along the way.
Recent Writing

From Messy Bank Statements to AI Insights in 48h: An AWS-Native AI Money Coach System Design
The real-world AWS architecture story behind BudgetBot, an AI Money Coach for Vietnamese users: upload a statement or payment screenshot and the AI auto-classifies transactions, computes budgets, and advises spending. Async pipeline, 4-level deduplication, ~$30/month cost optimization, and financial-data security.

AWS-native Observability for EC2 with the CloudWatch Agent
A hands-on lab building an observability pipeline for EC2 with the CloudWatch Agent, CloudWatch Logs, CloudWatch Metrics, Alarms, SNS email and a Dashboard, across two real cases: installing the agent on an existing EC2 instance, and bootstrapping the agent at launch time on a brand-new one.
Things GitHub Actions Tutorials Tend to Skip
After Part 1's first pipeline, this article covers 9 things basic CI/CD tutorials skip about GitHub Actions: concurrency control (with the github.ref gotcha), the branch rule for reading YAML on external events, the workflow_* family (dispatch, call, run — with the head_sha gotcha), cache dependencies, matrix strategy, Docker Hub instead of building on the server, GITHUB_TOKEN permissions, OIDC for AWS (no more long-lived SSH keys), and environment + required reviewers.
Popular posts
Infrastructure as Code, What Terraform Is, and Getting to Know the CLI
The series opener: why managing infrastructure by hand eventually breaks, what Infrastructure as Code solves, and where Terraform fits in that picture. We dissect the core and provider architecture, install Terraform 1.15, and tour the main CLI commands.
Things GitHub Actions Tutorials Tend to Skip
After Part 1's first pipeline, this article covers 9 things basic CI/CD tutorials skip about GitHub Actions: concurrency control (with the github.ref gotcha), the branch rule for reading YAML on external events, the workflow_* family (dispatch, call, run — with the head_sha gotcha), cache dependencies, matrix strategy, Docker Hub instead of building on the server, GITHUB_TOKEN permissions, OIDC for AWS (no more long-lived SSH keys), and environment + required reviewers.
Provider, Your First Resource, and the init plan apply destroy Lifecycle
Stand up your first real AWS resource: declare a provider and pin its version, create an S3 bucket, then walk the full init → plan → apply → destroy cycle. What each command does inside, why plan writes 'known after apply', what state stores, and why a second apply creates nothing new.
Series
CI/CD with GitHub Actions for Newbies
A two-part series for beginners: start with CI/CD fundamentals through a first-hand pipeline that deploys a React + Node.js web app to AWS EC2 with Docker, then dive into the things basic GitHub Actions tutorials tend to skip — concurrency, the branch rule for reading YAML, the workflow_* family, dependency caching, matrix, Docker Hub instead of building on the server, GITHUB_TOKEN permissions, OIDC to retire long-lived credentials, and environment + approval gates.
2 parts→
AWS Monthly: What's New + Hands-On
A recurring digest of what AWS just shipped: filtering for the most notable new features and services, explaining why they are worth watching, and actually trying out the ones that are testable. Every item is grounded in the official AWS documentation, with demos run for real on a real account and then torn down. Demo code at github.com/nghiadaulau/aws-whats-new-demos.
1 part→
Serverless in Practice on AWS: URL Shortener + Realtime Analytics
Build a complete serverless product on AWS from scratch: a URL shortening service with realtime analytics. The series does not teach each service in isolation; it builds one production-ready backend end to end — Lambda, API Gateway, DynamoDB single-table, Cognito, EventBridge, Step Functions, WebSocket API — then operates it for real: idempotency, DLQ, X-Ray tracing, cold start, IAM least-privilege, CI/CD canary, cost analysis and load testing. All infrastructure is built with AWS SAM, code in Node.js + TypeScript, every command run for real on AWS, code at github.com/nghiadaulau/serverless-url-shortener-aws. Grounded in the official AWS documentation.
21 parts→
The Team Behind KKloud Tarus
Engineers, creators, and problem solvers.