1. Storage & Data Transfer
S3
● Classes
○ Standard = max durability, frequent access.
○ Standard-IA = infrequent but available.
○ One Zone-IA = cheaper, single AZ risk.
○ Glacier / Glacier Deep Archive = archival, retrieval delays acceptable.
● Key Features
○ Strong read-after-write consistency (for new PUTs & overwrites).
○ Multi-part upload: recommended for objects >100MB, required for objects >5GB.
○ Prefix parallelization (request rates scale per prefix; no limit on the number of prefixes).
○ Event Notifications → trigger Lambda/SNS/SQS.
○ Access Points = per-app/team policies.
● Data Protection
○ Lifecycle rules = auto-tiering.
○ Versioning + MFA Delete = protection against accidental/malicious deletes.
○ Object Lock (WORM compliance).
● Replication
○ CRR = compliance/DR (cross-Region).
○ SRR = multi-account or intra-Region.
○ Requires versioning.
● Access
○ Cross-account → AssumeRole + bucket policy (avoid ACLs).
○ Presigned URLs = temporary upload/download access.
● Performance
○ Frequent downloads → CloudFront (global CDN).
○ Upload acceleration → S3 Transfer Acceleration.
EBS
● Single AZ, attached to a single instance (block device, like a disk).
● Snapshots = incremental, stored in S3.
● Volume Types:
○ gp3 = general, cheap.
○ io2 = high IOPS.
○ st1 = throughput (big data).
○ sc1 = cheap archival.
● Encryption: at-rest + in-transit.
EFS
● Multi-AZ, shared POSIX FS.
● Storage classes = Standard, Infrequent Access.
● For Linux workloads.
FSx
● FSx for Windows = full Windows FS.
● FSx for Lustre = HPC, ML, big data (integrates with S3).
Instance Store
● Ephemeral, fast local storage.
Data Transfer & Migration
● Snowball = bulk offline TB migration.
● Snowcone = edge device (portable).
● Snowmobile = exabyte-scale.
● DataSync = ongoing online sync.
● File Gateway = SMB/NFS to S3 (with lifecycle).
● Transfer Family = managed SFTP/FTPS/FTP to S3.
2. Databases & Analytics
RDS
● Multi-AZ = HA (automatic failover).
● Read Replicas = scaling (not HA).
● Cross-Region replicas = DR (manual promotion).
● Automated backups = PITR.
● Snapshots = manual, user-managed.
● Encryption at-rest/in-transit.
● Secrets Manager = store DB creds.
● Cache reads → ElastiCache.
● Scaling writes → sharding or Aurora multi-master.
Aurora
● Read scaling = Aurora Replicas + Auto Scaling.
● HA = Multi-AZ.
● Aurora Global Database = global workloads (low-latency cross-Region).
● Aurora Serverless v2 = on-demand scaling.
DynamoDB
● Key-value, low latency.
● Modes:
○ On-Demand = unpredictable traffic.
○ Provisioned + Auto Scaling = predictable traffic.
● Features:
○ TTL = item expiration.
○ Streams = Lambda triggers, replication.
○ DAX = in-memory cache.
○ Global Tables = multi-Region HA.
○ Backup & Restore (on-demand + PITR).
Redshift
● Data warehouse, analytics.
● Spectrum = query S3 directly.
● RA3 nodes = separate storage/compute.
● Ongoing cluster cost.
Athena
● Serverless SQL on S3.
● Pay-per-query.
EMR
● Big data/ETL, custom clusters.
● Cheaper with Spot instances.
Kinesis
● Streams = ordered, replay, real-time.
● Shards = scaling.
● Firehose = direct delivery (e.g., to S3).
● Analytics = SQL on streams.
3. Networking
VPC
● Default VPC = auto subnets, internet-enabled.
● Custom VPC = full control.
● Security Groups = stateful, can reference themselves or other SGs.
● Bastion Host vs SSM Session Manager (prefer SSM: no open SSH port required).
VPC Endpoints
● Gateway Endpoint = S3, DynamoDB.
● Interface Endpoint (PrivateLink) = other AWS services.
NAT
● NAT Gateway = managed, scalable, highly available.
● NAT Instance = legacy, manual mgmt.
Hybrid Connectivity
● Direct Connect = private, low latency.
● VPN = quick setup, less reliable.
● Transit Gateway = hub for many networks.
● VPC Peering = same Region, no transitive routing, no overlapping CIDRs.
Load Balancing
● ALB = L7, app-based routing.
● NLB = L4, TCP/UDP, high perf.
● Gateway Load Balancer = inline appliances.
● Global Accelerator = TCP/UDP acceleration + HA.
● CloudFront = global CDN, caching.
DNS
● Route 53 Routing:
○ Latency-based = best Region.
○ Weighted = % traffic split.
○ Geolocation = user location.
○ Failover = DR.
● Route 53 Resolver Endpoints:
○ Inbound = on-prem → AWS.
○ Outbound = AWS → on-prem.
4. Compute & Scaling
EC2
● HA = Multi-AZ + ASG + ALB.
● Vertical scaling = SPOF (exam trap).
● IAM Role = secure AWS access.
● Capacity Reservation = guaranteed AZ capacity.
● Placement Groups:
○ Cluster = low latency.
○ Spread = critical instances across AZs.
○ Partition = big data, fault isolation.
● Pricing:
○ Spot = cheap, interruptible.
○ RIs = rigid but discounted.
○ Savings Plans = flexible, predictable workloads.
Containers
● ECS/EKS on EC2 = manage infra.
● Fargate = serverless containers (“no servers”).
Lambda
● Event-driven, serverless.
● Concurrency:
○ Reserved concurrency (limit).
○ Provisioned concurrency (pre-warm).
● Destinations (success/failure → SQS, SNS, EventBridge).
● Retries: ensure SQS visibility timeout > Lambda timeout.
● Secrets in Secrets Manager (auto rotation).
Auto Scaling
● Policies:
○ Target Tracking (preferred).
○ Step Scaling.
○ Scheduled Scaling.
● HA + self-healing = ALB health checks + ASG.
● ECS scaling = Service Auto Scaling + ALB.
5. Security, IAM & Governance
IAM
● Cross-account → AssumeRole.
● Temporary creds auto-rotated.
● Org restrictions:
○ aws:PrincipalOrgID.
○ aws:PrincipalOrgPaths.
○ aws:PrincipalTag.
● Identity Federation = SAML/OIDC.
● IAM Identity Center (successor to AWS SSO).
Secrets
● Secrets Manager = auto rotation, auditing.
● Parameter Store = configs/secrets (no rotation).
● Never hardcode secrets or pass them via environment variables.
Encryption
● SSE-S3 = AWS managed.
● SSE-KMS = fine-grained, audit.
● Client-side = self-managed.
● KMS: Customer-managed vs AWS-managed keys.
● Key policies vs IAM policies.
Network Security
● SG = instance level, stateful.
● NACL = subnet level, stateless, allow/deny.
Governance
● Organizations = multi-account mgmt.
● SCPs = guardrails.
● Control Tower = governance setup.
● Budgets + Cost Explorer = track spend.
● Trusted Advisor = cost/security best practices.
Security & Compliance
● CloudTrail = API audit (mgmt events vs data events).
● Config = resource compliance/timeline.
● GuardDuty = threat detection.
● Macie = PII detection in S3.
● Security Hub = centralized security findings.
● Centralized logging = S3 + Object Lock.
6. Application Integration & Messaging
SQS
● Queue decoupling, durable.
● Standard = unordered, unlimited throughput.
● FIFO = ordered, limited throughput.
● Long polling = efficient.
● DLQ = handle failures.
SNS
● Pub/Sub fan-out (1 → many).
● Not ordered.
● Message filtering supported.
Kinesis
● Streaming, ordered, replay.
Step Functions
● Serverless orchestration across multiple services.
● Handles retries, failures.
EventBridge
● Event bus, rule-based routing.
● Cross-account events supported.
Patterns
● Event-driven → SQS + Lambda.
● Fan-out → SNS.
● Hybrid → SNS + SQS + Lambda.
7. Monitoring & Operations
CloudWatch
● Default EC2 metrics: CPU, network, status checks.
● Memory/disk metrics require installing the CloudWatch Agent.
● Alarms → SNS notifications.
● Dashboards can be shared externally.
● Logs Insights = query logs.
Config
● Compliance checks, timelines.
● Integrates → EventBridge → SNS.
CloudTrail
● Logs API calls.
● Mgmt events (control plane) vs Data events (S3, Lambda).
● Centralized logging → S3.
Ops & Backup
● Systems Manager: Run Command, Patch Manager, Parameter Store, Session Manager.
● AWS Backup = centralized cross-service backups.