☁ AWS Certified SAA-C03 Cheatsheet

Solutions Architect Associate · Exam-day quick reference & mindset guide

65 questions · 130 minutes · 720 / 1000 to pass
🎯 The Architect Frame

Design for the customer. Always balance cost, resilience, performance, and security - pick the right tradeoff for the scenario given.

📐 Well-Architected Pillars

Operational Excellence · Security · Reliability · Performance Efficiency · Cost Optimization · Sustainability

💡 Keyword Radar

"Highly available", "cost-effective", "least privilege", "serverless", "decoupled", "durable", "global" - each keyword eliminates wrong answers.

🚫 Eliminate First

Two answers are almost always obviously wrong. Cross them out, then compare the remaining two on the scenario's key constraint.

☁️ Default to Managed

AWS wants managed services. If you can replace EC2 + custom code with Lambda + SQS + RDS - do it.

🔁 Decouple Everything

Tight coupling = fragile. SQS, SNS, EventBridge, and Step Functions exist to break direct dependencies.

🔒 Least Privilege

Use IAM roles (not users), tightest possible policy, never store credentials in code - always.

💰 Cost Signals

Spot = fault-tolerant batch. Reserved = steady-state. Savings Plans = flexible. On-demand = short/unpredictable. Keep traffic in-region.

EC2 & Autoscaling
EC2
Instance types
T=burstable, C=compute, M=general, R=memory, G/P=GPU, I=NVMe, X=in-memory (SAP).
EC2
Placement groups
Cluster=low latency same AZ. Spread=max 7/AZ, fault isolation. Partition=Hadoop/Kafka.
EC2
ASG key concepts
Lifecycle hooks, warm pools, cooldown vs instance warmup. Target tracking = simplest policy.
Lambda
Lambda limits
15 min max, 10 GB RAM, 512 MB–10 GB /tmp. Provisioned concurrency = warm. Stateless.
Lambda
Lambda + VPC
Needed for private RDS/ElastiCache. Requires subnets + SG. Use RDS Proxy for pooling.
Containers
ECS vs EKS
ECS=AWS-native simple. EKS=Kubernetes. Fargate=serverless compute for both. ECR=registry.
Load Balancers
ALB
Application LB
Layer 7. Path/host routing, WebSockets. Best for microservices & containers.
NLB
Network LB
Layer 4. Ultra-low latency. Static/Elastic IP. TCP/UDP, gaming, real-time.
GLB
Gateway LB
Layer 3. 3rd-party appliances (firewalls, IDS). Uses GENEVE protocol.
S3
S3
Storage classes
Standard→IA→One-Zone-IA→Glacier Instant→Glacier Flexible→Deep Archive. Intelligent-Tiering for unpredictable access.
S3
Security
Block Public Access ON by default. Prefer bucket policies over ACLs. SSE-S3/KMS/C. Presigned URLs for time-limited access.
S3
Performance
3,500 PUT / 5,500 GET per prefix/sec. Multipart for >100 MB. Transfer Acceleration via CF edge.
S3
Replication
CRR=cross-region compliance/latency. SRR=same-region log aggregation. Versioning required on both buckets.
Block & File
EBS
Volume types
gp3=default (3k IOPS). io2 Block Express=256k IOPS. st1=throughput HDD. sc1=cold HDD.
EFS
Elastic File System
NFS, multi-AZ, Linux only. Standard vs IA tiers. Max I/O for big data. Bursting vs Provisioned throughput.
FSx
FSx flavors
Windows=SMB/AD. Lustre=HPC/ML+S3. NetApp ONTAP=multi-protocol. OpenZFS=Linux/Mac.
Storage GW
Storage Gateway
File GW (S3 NFS/SMB). Volume GW (iSCSI→EBS snapshots). Tape GW (virtual tape→Glacier).
VPC
VPC fundamentals
Public subnet=IGW route. Private subnet=NAT GW. CIDR can't overlap for peering.
VPC
SG vs NACLs
SG=stateful, instance-level, allow only. NACL=stateless, subnet-level, allow+deny. NACLs need both inbound+outbound rules.
Transit GW
Transit Gateway
Hub-and-spoke for many VPCs. Replaces full-mesh peering. Supports VPN+DX. Cross-region via peering.
PrivateLink
VPC PrivateLink
Expose services privately, no peering, no CIDR overlap issue. Interface endpoint (ENI in subnet).
Route 53
Routing policies
Simple·Weighted·Latency·Failover·Geolocation·Geoproximity·Multi-value. Failover needs health checks.
CloudFront
CloudFront CDN
400+ PoPs. OAC for S3 origin lock. Lambda@Edge & CF Functions. HTTPS default.
Connectivity
VPN vs Direct Connect
VPN=encrypted/internet/minutes. DX=dedicated fiber 1-100 Gbps/weeks. DX+VPN=encrypted DX.
Endpoints
VPC Endpoints
Gateway=S3&DynamoDB (free, route table). Interface=most services (cost, ENI+DNS).
RDS
RDS key concepts
Multi-AZ=synchronous standby HA (auto-failover). Read replica=async read scale. Automated backups & snapshots.
Aurora
Aurora
5× MySQL/3× Postgres perf. 6-way replication across 3 AZs. Serverless v2=auto-scale. Global DB=<1s RPO.
DynamoDB
DynamoDB
Single-digit ms at any scale. On-demand vs provisioned. DAX=cache. Global Tables=multi-region active-active.
ElastiCache
ElastiCache
Redis (cluster, persistence, pub/sub, sorted sets) vs Memcached (simple, multi-thread). Redis wins almost always.
Redshift
Redshift
Columnar data warehouse, petabyte-scale. Spectrum=query S3 directly. Not for OLTP.
Specialty
Specialty DBs
Neptune=graph. Keyspaces=Cassandra. Timestream=time-series. QLDB=ledger. DocumentDB=MongoDB.

Pick guide: relational → RDS/Aurora · key-value/scale → DynamoDB · cache → ElastiCache Redis · analytics → Redshift · MongoDB migration → DocumentDB

IAM
IAM fundamentals
Users→Groups→Policies. Roles for services & cross-account. Eval: explicit deny > allow > implicit deny.
IAM
SCP vs permissions
SCPs (AWS Orgs)=max permissions boundary for account. They restrict, they don't grant.
KMS
KMS
CMK=customer managed (audit, rotation). AWS managed=service default. CloudHSM=dedicated FIPS 140-2 L3.
Secrets
Secrets Manager vs SSM
Secrets Manager=auto-rotation, higher cost. SSM Parameter Store=cheaper, no auto-rotation.
Threat
GuardDuty/Inspector/Macie
GuardDuty=threat intel. Inspector=vuln scanning. Macie=PII in S3.
Edge
WAF / Shield / FMS
WAF=L7 rules on ALB/CF/API GW. Shield Standard=free DDoS. Shield Advanced=24/7 + cost protection.
Compliance
Config / CloudTrail
CloudTrail=who did what (API calls). Config=compliance rules & drift. Audit Manager=evidence.
Network
Network Firewall
Stateful+stateless rules at VPC perimeter. Pair with GLB for 3rd-party NVAs.
Q: High availability for RDS?
Multi-AZ, not read replica. Read replicas don't auto-failover - read performance only.
Q: S3 Block Public Access ON but presigned URL needed?
Presigned URLs work with Block Public Access ON. They use the issuer's credentials.
Q: Lambda needs private RDS access?
Put Lambda in a VPC. Use RDS Proxy for connection pooling.
Q: Cross-account S3 access?
Bucket policy + IAM role in target account. S3 Access Points for large-scale multi-account.
Q: Route 53 failover not switching?
Needs a health check attached. Without it, failover policy won't trigger.
Q: Decouple microservices?
SQS for async point-to-point. SNS for fan-out. EventBridge for rule-based routing.
Q: NACLs blocking even though SG allows?
NACLs are stateless. Allow both inbound and outbound including ephemeral ports 1024–65535.
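The SG vs NACL card above and this question both come down to statefulness and rule ordering. Below is an added simulator (not code from the cheatsheet or from AWS) that follows one HTTPS request and its reply through a subnet NACL and an instance security group; the rule sets, addresses and ports are constructed for the demo.

```python
"""Added example: how a stateful, allow-only security group and a stateless, ordered
network ACL treat one HTTPS request and its reply. Constructed simulation, not AWS code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Rule:
    number: int      # NACL rule number (lowest evaluated first); unused for SG rules
    action: str      # "allow" or "deny" (SG rules are always "allow")
    proto: str       # "tcp", "udp" or "all"
    cidr: str        # peer address range the rule applies to
    port_from: int   # destination-port range of the packet being checked
    port_to: int


def _matches(rule: Rule, proto: str, peer_ip: str, dst_port: int) -> bool:
    return (rule.proto in ("all", proto)
            and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= dst_port <= rule.port_to)


def nacl_allows(rules: List[Rule], proto: str, peer_ip: str, dst_port: int) -> bool:
    """NACL: stateless, evaluated in ascending rule number, first match wins,
    and the implicit '*' rule at the end denies everything else."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, peer_ip, dst_port):
            return rule.action == "allow"
    return False


def sg_allows(rules: List[Rule], proto: str, peer_ip: str, dst_port: int) -> bool:
    """SG: allow-only and unordered; any matching rule admits the packet."""
    return any(_matches(r, proto, peer_ip, dst_port) for r in rules)


def trace_connection(sg_inbound: List[Rule], nacl_inbound: List[Rule], nacl_outbound: List[Rule],
                     client_ip: str, client_port: int, server_port: int, proto: str = "tcp") -> Dict:
    """Follow the request into the subnet and the reply back out. Returns each checkpoint's
    verdict, the overall decision and the first checkpoint that dropped the flow (None if none)."""
    steps = [
        # Request packet: destination is the server port; NACL first, then the instance SG.
        ("nacl_inbound_request", nacl_allows(nacl_inbound, proto, client_ip, server_port)),
        ("sg_inbound_request", sg_allows(sg_inbound, proto, client_ip, server_port)),
        # Reply packet: destination is the client's ephemeral port. The SG tracks the flow
        # (stateful) so the reply needs no outbound SG rule; the NACL is stateless and must
        # explicitly allow outbound traffic to the ephemeral port range.
        ("sg_outbound_reply", True),
        ("nacl_outbound_reply", nacl_allows(nacl_outbound, proto, client_ip, client_port)),
    ]
    trace: Dict = {name: ("allow" if ok else "drop") for name, ok in steps}
    trace["blocked_at"] = next((name for name, ok in steps if not ok), None)
    trace["allowed"] = trace["blocked_at"] is None
    return trace


# Constructed rule sets: a web tier that accepts HTTPS from anywhere.
SG_WEB = [Rule(0, "allow", "tcp", "0.0.0.0/0", 443, 443)]
NACL_INBOUND = [Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443)]
# Common mistake: mirroring the inbound rule outbound only covers packets *to* port 443,
# so replies to the client's ephemeral port hit the implicit deny.
NACL_OUTBOUND_BROKEN = [Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443)]
# Fix: additionally allow outbound traffic to the ephemeral range 1024-65535.
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_BROKEN + [Rule(110, "allow", "tcp", "0.0.0.0/0", 1024, 65535)]
CLIENT_IP, CLIENT_PORT, HTTPS = "203.0.113.10", 51234, 443  # constructed client (TEST-NET-3)


def demo():
    """Same request against the broken and the fixed outbound NACL."""
    broken = trace_connection(SG_WEB, NACL_INBOUND, NACL_OUTBOUND_BROKEN, CLIENT_IP, CLIENT_PORT, HTTPS)
    fixed = trace_connection(SG_WEB, NACL_INBOUND, NACL_OUTBOUND_FIXED, CLIENT_IP, CLIENT_PORT, HTTPS)
    return broken, fixed


if __name__ == "__main__":
    for label, trace in zip(("broken NACL", "fixed NACL"), demo()):
        print(label, trace)
```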
Q: Cheapest storage for rare access?
S3 Glacier Deep Archive (~$1/TB/mo). One-Zone-IA is cheaper than Standard-IA but has no AZ fault tolerance.
Q: EC2 calls AWS APIs without storing keys?
IAM Role attached to instance (instance profile). Never put access keys on EC2.
Q: High IOPS OLTP database?
io2 EBS or Aurora. gp3 maxes at 16k IOPS. io2 goes to 64k+ (256k with Block Express).
Q: Geolocation vs Latency routing?
Geolocation=route by country/continent. Latency=route to lowest-latency region. Not the same.
Q: Cheapest DR strategy?
Backup & restore (RPO hours). Then: Pilot light → Warm standby → Multi-site = increasing cost & speed.
30% Secure architectures
26% Resilient architectures
24% High-performance
20% Cost-optimized
Read every question twice. Identify the ONE key constraint (cost? HA? latency? compliance?) - it's the decision pivot.
Eliminate obviously wrong answers first. Usually 2 of 4 go in 10 seconds - debate the remaining two.
"Most cost-effective" = serverless, Spot, or lowest storage tier that still meets the SLA.
"Least operational overhead" = managed service (RDS over DIY MySQL, SQS over RabbitMQ).
"Millions of users" + "unpredictable traffic" → DynamoDB + Lambda + API Gateway is often right.
Hybrid/on-prem: Storage Gateway for files, Direct Connect for dedicated bandwidth, VPN for quick setup.
Multi-AZ = availability/failover. Multi-region = DR + global latency. Don't confuse them.
Flag hard questions and move on. 130 min ÷ 65 = 2 min/question. Don't sink 10 min on one.
Passing = 720/1000 (~72%). Don't aim for perfection - aim to eliminate wrong answers confidently.
Trust your gut. Statistically, changing initial answers reduces score more often than it helps.

📚 AWS Services by Topic

Key services, descriptions, and exam decision tips grouped by domain

🗄️ Database
Relational, NoSQL, in-memory, and specialty databases
RDS
Relational DB Service
Managed MySQL, PostgreSQL, MariaDB, Oracle, SQL Server. Multi-AZ for HA (synchronous standby + auto-failover). Read replicas for async read scaling. Automated backups up to 35 days.
Aurora
Amazon Aurora
MySQL/PostgreSQL-compatible, 5×/3× faster. Storage auto-scales to 128 TB. 6-way replication across 3 AZs. Aurora Serverless v2 scales in fine-grained increments. Global Database: cross-region <1s RPO.
DynamoDB
DynamoDB
Serverless NoSQL key-value/document store. Single-digit ms latency at any scale. On-demand or provisioned capacity. DAX = in-memory cache. Streams for event-driven patterns. Global Tables = multi-region active-active.
ElastiCache
ElastiCache
Redis: cluster mode, persistence, pub/sub, sorted sets, Lua scripts. Memcached: simpler, multi-threaded. Use for session store, leaderboard, real-time caching in front of RDS/Aurora.
Neptune
Amazon Neptune
Managed graph database. Supports Gremlin (property graph) and SPARQL (RDF). Use for social networks, fraud detection, recommendation engines, knowledge graphs.
DocumentDB
DocumentDB
MongoDB-compatible managed document DB. Use when migrating MongoDB workloads to AWS. API compatible but not a true MongoDB fork.
QLDB
Quantum Ledger DB
Immutable, cryptographically verifiable transaction log. Use for financial records, supply chain, or anywhere you need an unalterable auditable history.
⚡ Exam Decision Tips
  • Need HA for relational DB → Multi-AZ RDS (not read replica)
  • Massive scale + key-value → DynamoDB
  • Caching in front of DB → ElastiCache Redis
  • Migrate MongoDB → DocumentDB
  • Graph relationships → Neptune
  • Immutable audit trail → QLDB
  • Serverless MySQL/Postgres with auto-scale → Aurora Serverless v2
📊 Data & Analytics
Data warehousing, streaming, ETL, and big data processing
Redshift
Amazon Redshift
Columnar data warehouse for OLAP. Petabyte-scale. Redshift Spectrum queries S3 directly without loading data. RA3 nodes decouple compute from storage. Concurrency Scaling for burst queries.
Athena
Amazon Athena
Serverless SQL query engine for S3. Pay per query (per TB scanned). Use Parquet/ORC formats to cut costs dramatically. Works with Glue Data Catalog. No infrastructure to manage.
Glue
AWS Glue
Serverless ETL service. Glue Crawlers discover and catalog data automatically. Data Catalog = central metadata repo. Glue Studio = visual ETL. DataBrew = no-code data preparation.
Kinesis
Amazon Kinesis
Data Streams: real-time ingestion, replay, ordered per shard. Firehose: serverless delivery to S3/Redshift/OpenSearch, near-real-time, no code. Data Analytics: SQL/Apache Flink on streams.
MSK
Amazon MSK
Managed Apache Kafka. Use when you need native Kafka APIs or existing Kafka ecosystem. MSK Serverless = no capacity planning needed.
EMR
Amazon EMR
Managed Hadoop/Spark/Hive/Presto clusters. Use for large-scale batch data processing, ML feature engineering, log analysis. Use Spot instances for cost savings.
QuickSight
Amazon QuickSight
Serverless BI and visualization. SPICE = in-memory engine for fast queries. ML Insights for anomaly detection. Embed dashboards into applications.
⚡ Exam Decision Tips
  • Ad-hoc SQL on S3 → Athena (no infra, pay per query)
  • Real-time streaming ingestion → Kinesis Data Streams
  • Stream to S3/Redshift without code → Kinesis Firehose
  • ETL pipeline + data catalog → Glue
  • Existing Kafka workload → MSK
  • Large-scale Spark batch jobs → EMR
  • BI dashboards for business users → QuickSight
🤖 Machine Learning
AI/ML services - know which service fits which use case
SageMaker
Amazon SageMaker
End-to-end ML platform: build, train, deploy. Studio = IDE. Pipelines = MLOps. Ground Truth = data labeling. Feature Store = ML feature management. Autopilot = AutoML with no code.
Rekognition
Amazon Rekognition
Computer vision API. Image/video: object detection, facial recognition, content moderation, text in images, PPE detection. No ML expertise needed - API-based.
Comprehend
Amazon Comprehend
NLP service. Sentiment analysis, entity recognition, language detection, key phrase extraction, topic modeling. Comprehend Medical for clinical text extraction.
Transcribe / Polly
Speech services
Transcribe: speech-to-text with speaker identification, custom vocabulary, real-time streaming. Polly: text-to-speech with neural TTS voices and SSML control.
Textract
Amazon Textract
Extract text and structured data from scanned documents (PDFs, images). Understands forms and tables - beyond simple OCR, it recognizes document structure.
Kendra
Amazon Kendra
Intelligent enterprise search powered by NLP. Searches across unstructured documents in S3, SharePoint, Salesforce, ServiceNow. Use for internal knowledge base search.
Forecast
Amazon Forecast
Time-series forecasting using the same tech as Amazon.com. Demand forecasting, inventory planning, resource planning. No ML experience required.
⚡ Exam Decision Tips
  • Custom ML model training/deployment → SageMaker
  • Image/video analysis → Rekognition
  • Text sentiment / entity extraction → Comprehend
  • Voice to text → Transcribe · Text to voice → Polly
  • Extract data from scanned documents → Textract
  • Enterprise document search → Kendra
  • Time-series demand forecasting → Forecast
📋 Audit & Logs
Who did what, when, and what changed
CloudTrail
AWS CloudTrail
Logs every API call made in your account (who, what, when, from where). Management events vs Data events (S3 object ops, Lambda invocations). Store in S3 + optionally CloudWatch Logs. Enabled by default, 90-day event history.
Config
AWS Config
Continuous resource inventory and compliance evaluation. Config Rules check resources against desired state. Conformance Packs bundle rules for PCI, HIPAA, etc. Config Aggregator = multi-account/region view. Tracks config history over time.
CloudWatch Logs
CloudWatch Logs
Centralized log storage. Log Groups → Log Streams. Metric Filters extract metrics from logs. Log Insights for SQL-style ad-hoc queries. Subscriptions for real-time processing (Kinesis, Lambda). Retention 1 day to indefinite.
Audit Manager
AWS Audit Manager
Automates evidence collection for audits (SOC2, PCI, HIPAA, GDPR). Maps AWS usage to compliance controls. Generates audit-ready reports. Reduces manual evidence gathering.
Security Hub
AWS Security Hub
Aggregates security findings from GuardDuty, Inspector, Macie, Config, and 3rd-party tools. Provides CIS AWS Foundations compliance score. Centralizes security posture across accounts.
⚡ Exam Decision Tips
  • "Who deleted the S3 bucket?" → CloudTrail
  • "Was this resource compliant last Tuesday?" → AWS Config
  • Application log aggregation + query → CloudWatch Logs + Log Insights
  • Prove compliance to auditors automatically → Audit Manager
  • Unified security findings dashboard → Security Hub
  • Detect unauthorized API calls in real-time → CloudTrail + EventBridge
🔑 IAM & Permissions
Identity, access control, and cross-account patterns
IAM Policies
Policy types
Identity-based (attached to user/role/group). Resource-based (e.g. S3 bucket policy). Permissions boundaries (max allowed for identity). Session policies (temporary constraints). Evaluation: explicit deny → explicit allow → implicit deny.
IAM Roles
Roles & cross-account
Roles provide temporary credentials via STS AssumeRole. Use for EC2 instance profiles, Lambda execution roles, cross-account access, identity federation (SAML/OIDC). Never use long-term keys on EC2 or Lambda.
SCPs
Service Control Policies
AWS Organizations feature. Apply to OUs or accounts. Define maximum permissions - they don't grant, they restrict. Even root of a member account is subject. Use to enforce region restrictions or prevent disabling CloudTrail.
Identity Center
IAM Identity Center (SSO)
Centralized SSO for multiple AWS accounts and SAML 2.0 apps. Integrates with Active Directory, Okta, Azure AD. Permission Sets define access per account. Successor to AWS SSO.
Cognito
Amazon Cognito
User Pools = user directory with sign-up/sign-in (JWT tokens). Identity Pools = exchange tokens for temporary AWS credentials. Use for web/mobile app authentication and authorization.
RAM
Resource Access Manager
Share AWS resources across accounts within an Organization without VPC peering. Share: Transit Gateway, Subnets, Route 53 resolver rules, License Manager configs.
⚡ Exam Decision Tips
  • EC2/Lambda needs AWS API access → IAM Role (instance profile / execution role)
  • Cross-account access → AssumeRole + trust policy
  • Prevent actions across all org accounts → SCP
  • Web/mobile app login → Cognito User Pool
  • App needs AWS resource access → Cognito Identity Pool
  • Enterprise SSO for many accounts → IAM Identity Center
  • Share subnet/TGW across accounts → AWS RAM
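The IAM cards above (policy types, evaluation order, SCPs that restrict but never grant) are easiest to internalize by running the logic. The following is an added simulator, not the cheatsheet's or AWS's code: it applies SCP, then permissions boundary, then identity policies with explicit deny > explicit allow > implicit deny. Policies, ARNs and the account id are constructed samples; conditions, NotAction/NotResource and resource-based policies are deliberately not modelled.

```python
"""Added example: a minimal IAM authorization simulator covering SCPs, permissions
boundaries and identity policies. Constructed for illustration, not AWS's evaluator."""
import re
from typing import Iterable, List, Optional, Tuple


def wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _listify(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    actions = _listify(stmt.get("Action", []))
    resources = _listify(stmt.get("Resource", "*"))
    # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
    return (any(wildcard_match(a, action, ignore_case=True) for a in actions)
            and any(wildcard_match(r, resource) for r in resources))


def evaluate(policies: Iterable[dict], action: str, resource: str) -> Optional[str]:
    """'Deny' if any matching statement is an explicit deny, else 'Allow' if any
    matching statement allows, else None (implicit deny)."""
    outcome = None
    for policy in policies:
        for stmt in _listify(policy.get("Statement", [])):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"            # an explicit deny always wins
            if stmt.get("Effect") == "Allow":
                outcome = "Allow"
    return outcome


def is_authorized(action: str, resource: str, identity_policies: List[dict],
                  scps: Optional[List[dict]] = None, boundary: Optional[dict] = None) -> Tuple[bool, str]:
    """Decision plus reason. Every layer can only narrow access, so the boolean is the
    same regardless of the order in which the layers are checked."""
    if scps is not None:
        scp = evaluate(scps, action, resource)
        if scp == "Deny":
            return False, "denied by SCP (explicit deny)"
        if scp is None:
            return False, "denied by SCP (no allow; SCPs restrict, never grant)"
    if boundary is not None and evaluate([boundary], action, resource) != "Allow":
        return False, "denied by permissions boundary"
    verdict = evaluate(identity_policies, action, resource)
    if verdict == "Deny":
        return False, "explicit deny in identity policy"
    if verdict == "Allow":
        return True, "explicit allow in identity policy"
    return False, "implicit deny (no statement allows this action)"


# Constructed sample: a role that works on corp-bucket but must never touch finance/ data.
IDENTITY_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::corp-bucket/*"},
        {"Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": "*"},
        {"Effect": "Allow", "Action": "cloudtrail:StopLogging", "Resource": "*"},  # over-broad on purpose
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::corp-bucket/finance/*"},
    ],
}]
# Constructed org SCP: allow everything except disabling CloudTrail (the cheatsheet's own SCP use case).
ORG_SCPS = [{"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"},
]}]
# Constructed permissions boundary: this role may only ever receive S3 permissions.
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
ORDERS_TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"  # placeholder account id


def demo() -> List[Tuple[str, bool, str]]:
    """Walk a few requests through all three layers and return (action, allowed, reason)."""
    requests = [
        ("s3:GetObject", "arn:aws:s3:::corp-bucket/reports/q1.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::corp-bucket/finance/ledger.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/readme.txt"),
        ("cloudtrail:StopLogging", "*"),
        ("dynamodb:GetItem", ORDERS_TABLE),
    ]
    return [(a, *is_authorized(a, r, IDENTITY_POLICIES, ORG_SCPS, BOUNDARY)) for a, r in requests]


if __name__ == "__main__":
    for action, allowed, reason in demo():
        print(f"{action:<24} {'ALLOW' if allowed else 'DENY ':<5} {reason}")
```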
🔄 Disaster Recovery & Migration
RPO/RTO strategies, migration services, and data transfer tools
DR Strategies
DR Tiers
Backup & Restore: cheapest, RPO/RTO hours. Pilot Light: core services running, RTO ~minutes. Warm Standby: scaled-down full copy, RTO ~minutes. Multi-site Active-Active: full capacity both regions, RTO ~zero. Cost and speed increase together.
DMS
Database Migration Service
Migrate databases to AWS with minimal downtime. Homogeneous (Oracle→RDS Oracle) or heterogeneous (Oracle→Aurora). Continuous replication (CDC) for near-zero downtime. Schema Conversion Tool (SCT) for heterogeneous migrations.
MGN
Application Migration Service
Lift-and-shift (rehost) server migrations. Continuously replicates source servers to AWS. Cutover when ready with minimal downtime. Replaces legacy CloudEndure Migration.
Snow Family
AWS Snow Family
Snowcone: 8 TB, portable, edge compute. Snowball Edge: 80 TB, local compute + storage. Snowmobile: 100 PB, literal truck. Use when network transfer would take weeks or violates bandwidth constraints.
DataSync
AWS DataSync
Online data transfer. Syncs NFS/SMB/HDFS/S3-compatible to AWS (S3, EFS, FSx). Automated scheduling, bandwidth throttling, integrity verification. Faster and more managed than rsync.
Backup
AWS Backup
Centralized backup management across EC2, EBS, RDS, DynamoDB, EFS, FSx, Storage Gateway. Policy-based backup plans. Cross-region and cross-account backup copies for compliance.
⚡ Exam Decision Tips
  • Lowest-cost DR → Backup & Restore (accept longer RTO/RPO)
  • Near-zero RTO/RPO → Multi-site Active-Active (highest cost)
  • DB migration with minimal downtime → DMS with CDC
  • Lift-and-shift servers → Application Migration Service (MGN)
  • Large data, slow network → Snowball Edge
  • Online file sync on-prem to AWS → DataSync
  • Centralized backup policy across services → AWS Backup
🌐 VPC & Networking
Virtual networks, routing, connectivity, and DNS
VPC
Core VPC concepts
Isolated virtual network. Subnets per AZ. Public subnet = route to IGW. Private subnet = route via NAT GW (managed) or NAT instance (cheaper, self-managed). CIDR blocks can't overlap for peering.
Peering
VPC Peering
Point-to-point connection between two VPCs (same or cross-account/region). Not transitive - A↔B and B↔C does NOT mean A can reach C. No overlapping CIDR. Use Transit GW for many VPCs.
Transit GW
Transit Gateway
Hub-and-spoke model for hundreds of VPCs. Replaces complex full-mesh peering. Attach VPCs, VPNs, and Direct Connect gateways. Route tables per TGW control traffic. Cross-region via TGW peering.
PrivateLink
VPC PrivateLink
Expose a service privately via interface endpoint. No peering, no overlapping CIDR issue. Unidirectional. Used by AWS services and for SaaS partner services.
Direct Connect
Direct Connect (DX)
Dedicated private fiber from on-prem to AWS. 1/10/100 Gbps. Consistent latency and bandwidth. Public VIF (AWS public services), Private VIF (VPC), Transit VIF (TGW). Takes weeks to provision. DX Gateway for multi-region.
Route 53
Route 53
DNS + health checks + traffic management. Routing: Simple, Weighted (A/B), Latency (lowest RTT), Failover (active-passive), Geolocation (country/continent), Geoproximity (adjustable bias), Multi-value (8 healthy records).
CloudFront
Amazon CloudFront
Global CDN with 400+ edge locations. Origin: S3 (use OAC), ALB, API Gateway, custom HTTP. Geo-restriction, WAF integration, signed URLs/cookies for private content. Field-Level Encryption for sensitive data.
⚡ Exam Decision Tips
  • 2–3 VPCs to connect → VPC Peering
  • Many VPCs + on-prem → Transit Gateway
  • Expose service to other VPCs without peering → PrivateLink
  • Private S3 access from VPC → S3 Gateway Endpoint (free)
  • Dedicated bandwidth on-prem to AWS → Direct Connect
  • Active-passive DNS failover → Route 53 Failover routing + health check
  • Global static asset delivery → CloudFront + S3
🛡️ Security
Encryption, threat detection, edge protection, and secrets
KMS
Key Management Service
Managed encryption key service. AWS managed keys (free, per-service). Customer managed keys (CMK): control rotation, policy, audit via CloudTrail. Envelope encryption: KMS encrypts data keys; data keys encrypt data. CloudHSM: dedicated hardware FIPS 140-2 Level 3.
Secrets Manager
Secrets Manager
Store and auto-rotate secrets (DB passwords, API keys). Rotation via Lambda. Cross-account secret sharing. ~$0.40/secret/month. Use when automatic rotation is needed. SSM Parameter Store = cheaper but no auto-rotation.
GuardDuty
Amazon GuardDuty
Threat detection using ML on VPC Flow Logs, DNS logs, and CloudTrail. Detects compromised instances, crypto-mining, credential exfiltration, unusual API calls. No agents. Findings → EventBridge → Lambda for auto-remediation.
Inspector
Amazon Inspector
Automated vulnerability scanning for EC2 instances (via SSM agent) and container images (ECR). CVE scanning, network reachability analysis. Continuous, not one-time. Risk scores to prioritize remediation.
Macie
Amazon Macie
ML-powered sensitive data discovery in S3. Finds PII (names, SSNs, credit cards, passwords). Generates findings for policy violations and sensitive data. Use for GDPR/PCI compliance and data governance.
WAF
AWS WAF
Layer 7 web application firewall. Rules: IP allow/block, geo-block, rate limiting, SQLi, XSS, custom string patterns. Attach to CloudFront, ALB, API Gateway, AppSync. AWS Managed Rules for OWASP Top 10 coverage.
Shield
AWS Shield
Shield Standard: automatic L3/L4 DDoS protection, free for all. Shield Advanced: enhanced DDoS protection, 24/7 DRT team, cost protection, near real-time visibility. ~$3,000/month. Attach to CloudFront, Route 53, ALB, EIP.
⚡ Exam Decision Tips
  • Encrypt data with key rotation control → KMS CMK
  • FIPS 140-2 Level 3 requirement → CloudHSM
  • Auto-rotate DB passwords → Secrets Manager
  • Detect compromised EC2 / unusual API calls → GuardDuty
  • Scan EC2/containers for CVEs → Inspector
  • Find PII in S3 buckets → Macie
  • Block SQLi/XSS at edge → WAF
  • DDoS protection with support team → Shield Advanced
🔗 Application Integration
SQS, SNS, EventBridge, Step Functions - decoupling patterns
SQS
Simple Queue Service
Managed message queue. Standard (at-least-once, best-effort order) vs FIFO (exactly-once, strict order, 3000 msg/s). Visibility timeout, dead-letter queues (DLQ), delay queues. Long polling reduces empty responses. Decouples producers from consumers.
SNS
Simple Notification Service
Pub/sub messaging. One message → many subscribers (fan-out). Subscribers: SQS, Lambda, HTTP, email, SMS, mobile push. SNS + SQS = fan-out pattern for reliable parallel processing. SNS FIFO = ordered pub/sub.
EventBridge
Amazon EventBridge
Serverless event bus. Route events from AWS services, SaaS (Zendesk, Datadog), and custom apps using rules. Scheduled events (cron). Archive and replay events. Schema Registry. Successor to CloudWatch Events.
Step Functions
Step Functions
Visual serverless workflow orchestration. States: Task, Choice, Wait, Parallel, Map, Pass. Standard (exactly-once, up to 1 year) vs Express (at-least-once, up to 5 min, high volume). Built-in retry, error handling.
API Gateway
Amazon API Gateway
Managed REST, HTTP, and WebSocket APIs. Integrates with Lambda, HTTP backends, AWS services directly. Throttling, caching (up to 3600s TTL), usage plans, API keys. HTTP API = cheaper/faster than REST API for simple proxy use cases.
⚡ Exam Decision Tips
  • Async decoupling, one-to-one → SQS
  • Strict order + exactly-once → SQS FIFO
  • One event → many consumers → SNS fan-out
  • Fan-out + reliable async processing → SNS → SQS
  • React to AWS service events with rules → EventBridge
  • Multi-step workflow with error handling → Step Functions
  • Expose Lambda as HTTP endpoint → API Gateway
Serverless
Run code and workloads without managing servers
Lambda
AWS Lambda
Event-driven FaaS. 15 min max, 10 GB RAM. Triggers: API GW, SQS, SNS, S3, DynamoDB Streams, EventBridge, etc. Layers for shared libraries. Lambda@Edge for CloudFront. Provisioned concurrency eliminates cold starts. RDS Proxy for DB connections.
Fargate
AWS Fargate
Serverless container compute for ECS and EKS. No EC2 instances to manage. Pay per vCPU + GB of memory per second. Good for long-running tasks, microservices, ML inference. Combine with Spot for cost savings.
App Runner
AWS App Runner
Fully managed service for containerized web apps and APIs. No infra, no ECS/EKS configuration. Point to container image or code repo → auto-deploy. Built-in load balancing, auto-scaling, TLS. Simpler than ECS for web APIs.
Aurora Serverless
Aurora Serverless v2
Auto-scales Aurora compute in fine-grained 0.5 ACU increments. Scales to minimum capacity when idle. Use for unpredictable or intermittent workloads. Same APIs as Aurora provisioned - switch anytime.
DynamoDB On-Demand
DynamoDB On-Demand
Serverless NoSQL with zero capacity planning. Pay per request. Automatically scales to any traffic level instantly. Use for unpredictable or new workloads where you can't forecast access patterns.
⚡ Exam Decision Tips
  • Short event-driven tasks (<15 min) → Lambda
  • Long-running containers without EC2 → Fargate
  • Simple web API, no infra setup → App Runner
  • Variable relational DB workload → Aurora Serverless v2
  • Unpredictable NoSQL traffic → DynamoDB On-Demand
  • Lambda cold starts are a problem → Provisioned Concurrency
  • "No server management" + containers → Fargate or App Runner
💾 Storage
Object, block, file, and hybrid storage - pick the right type
S3
Simple Storage Service
Object storage, unlimited scale, 11 nines durability. Storage classes from Standard to Glacier Deep Archive. Versioning, MFA delete, Object Lock (WORM). Event notifications → Lambda/SQS/SNS. Static website hosting. S3 Batch Operations for bulk object processing.
EBS
Elastic Block Store
Block storage for EC2. Persists independently from instance. gp3: 3,000–16,000 IOPS. io2 Block Express: 256k IOPS, sub-ms latency. Snapshots to S3 (incremental). Encrypt with KMS. AZ-locked (except Multi-attach io1/io2).
EFS
Elastic File System
Shared NFS file system for Linux EC2 and Lambda. Multi-AZ by default, scales automatically. Standard and IA storage classes. Max I/O mode for parallel big-data workloads. Bursting or Provisioned throughput modes.
FSx
Amazon FSx
FSx for Windows: SMB, Active Directory integrated, NTFS, DFS. FSx for Lustre: high-performance parallel filesystem for HPC/ML, native S3 integration. FSx for NetApp ONTAP: multi-protocol (NFS/SMB/iSCSI), snapshots, multi-AZ.
Storage GW
Storage Gateway
Hybrid on-prem to cloud storage. File Gateway: NFS/SMB frontend backed by S3. Volume Gateway: iSCSI block storage backed by EBS snapshots. Tape Gateway: VTL backed by Glacier. Extends data center to AWS.
S3 Glacier
S3 Glacier tiers
Instant Retrieval: ms access, monthly access pattern. Flexible Retrieval: 1–12 hour retrieval, quarterly access. Deep Archive: 12–48 hour retrieval, ~$1/TB/month, once-or-twice-a-year access. All 11 nines durability.
⚡ Exam Decision Tips
  • Object storage / static files → S3
  • Block storage for single EC2 → EBS gp3 (default)
  • High IOPS database → EBS io2 Block Express
  • Shared file system across Linux EC2s → EFS
  • Windows file shares + AD integration → FSx for Windows
  • HPC/ML parallel filesystem → FSx for Lustre
  • On-prem NFS/SMB backed by S3 → Storage Gateway File GW
  • Cheapest long-term archival → S3 Glacier Deep Archive
📈 Monitoring & Observability
Metrics, logs, traces, and operational visibility
CloudWatch
Amazon CloudWatch
Metrics (standard + custom), Alarms (threshold, anomaly detection, composite), Dashboards. CloudWatch Logs for log ingestion. Log Insights for SQL-style queries. EventBridge for automation triggers. CW Agent required for EC2 in-guest metrics (memory, disk).
X-Ray
AWS X-Ray
Distributed tracing for microservices and serverless. Trace requests end-to-end across Lambda, API Gateway, EC2, ECS. Service map visualizes dependencies and bottlenecks. Segments and subsegments for granular latency breakdown. SDK integration required.
CW Agent
CloudWatch Agent
Installed on EC2 or on-prem servers. Pushes custom metrics: memory utilization, disk I/O, swap usage. Collects application logs. Required for memory metrics - these are NOT in default EC2 CloudWatch metrics.
Health Dashboard
AWS Health Dashboard
Service Health Dashboard: global AWS service status visible to all. Personal Health Dashboard (AWS Health): events affecting your specific account. EventBridge integration for automated responses to health events.
Trusted Advisor
AWS Trusted Advisor
Automated best-practice checks: Cost Optimization, Performance, Security, Fault Tolerance, Service Limits. Basic checks free for all accounts. Full checks require Business/Enterprise Support. Alerts for open S3 buckets, unrestricted SG ports, underutilized resources.
Compute Optimizer
Compute Optimizer
ML-based resource rightsizing recommendations for EC2, Lambda, ECS on Fargate, EBS volumes. Identifies over- and under-provisioned resources. Analyzes 14 days of CloudWatch metrics. Integrates with AWS Organizations for org-wide analysis.
⚡ Exam Decision Tips
  • Metrics, alarms, dashboards → CloudWatch
  • EC2 memory / disk metrics → CloudWatch Agent (not built-in!)
  • Trace requests across microservices → X-Ray
  • Ad-hoc log queries → CloudWatch Log Insights
  • AWS service outage affecting your account → Personal Health Dashboard
  • Find over-provisioned EC2 instances → Compute Optimizer
  • Security/cost/performance best-practice checks → Trusted Advisor