May 28, 2026 AWS Cloud Certification Architecture

Pass the AWS Solutions Architect Associate Exam. Architecture Decisions, Not Memorization. Réussir l'examen AWS Solutions Architect Associate. Des décisions d'architecture, pas de la mémorisation.

65 questions. 130 minutes. 720 to pass. Every domain, service, and trade-off for the AWS SAA-C03 — in one interactive guide. 65 questions. 130 minutes. 720 pour réussir. Chaque domaine, service et compromis pour le SAA-C03 — dans un guide interactif.

← All articles ← Tous les articles

The SAA-C03 is a step up from the Cloud Practitioner. Where CCP asks "what is this service?", the SAA asks "which service fits here, and why?" Every question is a scenario. You're being tested on architecture decisions — trade-offs between cost, performance, resilience, and security. There is always a best answer. Orange boxes are exam tips. Red boxes are common traps. Green boxes are free-tier or cost notes.

Le SAA-C03 est une progression par rapport au Cloud Practitioner. Là où le CCP demande « c'est quoi ce service ? », le SAA demande « quel service convient ici, et pourquoi ? » Chaque question est un scénario. On teste vos décisions d'architecture — compromis entre coût, performance, résilience et sécurité. Il y a toujours une meilleure réponse. Les boîtes orange sont des conseils d'examen. Les rouges sont des pièges courants. Les vertes concernent les coûts.

65Questions

130Minutes

720Passing Score /1000

$300Exam Fee USD

Exam Domains — Click to Jump

30% 🔒 Secure Architectures ~20 questions

26% 🔁 Resilient Architectures ~17 questions

24% ⚡ High-Performing Architectures ~16 questions

20% 💰 Cost-Optimized Architectures ~13 questions

🎯 D1 (30%) + D2 (26%) = 56% of the exam. Master secure and resilient design first — you're essentially more than halfway there before touching performance or cost.

How the Exam Works

Exam Format

Multiple-choice (1 correct) and multiple-response (they tell you exactly how many to pick)
No penalty for wrong answers — always guess if unsure
Scenario-based questions — a short paragraph sets up a business problem, you pick the best architecture
Available online (proctored) or in-person
Score report is immediate. 720/1000 to pass (scaled score)
Valid for 3 years. After passing: 50% discount voucher for your next AWS cert

Exam Strategy

How to Read Questions

Find the requirement keywords: "most cost-effective", "highest availability", "least operational overhead", "most secure"
The requirement is the filter — eliminate answers that don't satisfy it first
When two answers both work technically, the one matching the requirement wins
"Least operational overhead" usually means managed services (RDS not EC2+MySQL)

Common Answer Patterns

High availability → Multi-AZ, Auto Scaling, ALB
Lowest latency → ElastiCache, CloudFront, Global Accelerator
Decoupling → SQS between tiers, not direct calls
Serverless → Lambda + DynamoDB + API Gateway
Cost saving → Spot instances, S3 Glacier, Reserved capacity
Secure secrets → Secrets Manager, not hardcoded env vars

🚨 The exam frequently offers answers that are technically correct but don't match the requirement. "Use RDS Multi-AZ" is correct for high availability — but wrong if the question asks for read performance (that's Read Replicas).

Prerequisite Knowledge

Passed CCP or have 1+ year of hands-on AWS experience (recommended, not required)
Comfortable with: VPC, EC2, S3, IAM, RDS, Lambda, CloudFront, Route 53
Understand the shared responsibility model, basic networking (CIDR, subnets, DNS)
Know the difference between stateful vs stateless, synchronous vs asynchronous

📌 The SAA-C03 version (current) places heavier emphasis on serverless, containers (ECS/EKS/Fargate), and well-architected framework pillars than older versions.

30%

Domain 1: Design Secure Architectures

~20 questions · IAM, VPC, encryption, compliance, data protection

IAM — Identity & Access Management

Core IAM Concepts

Users — long-term credentials (access key + secret). Avoid for apps.
Groups — attach policies to groups, not individual users
Roles — temporary credentials via STS. Use for EC2, Lambda, cross-account
Policies — JSON documents defining Allow/Deny. Explicit Deny always wins
Permission boundary — caps the maximum permissions a role/user can have
MFA — enforce via IAM policy condition aws:MultiFactorAuthPresent

Policy Evaluation Logic

Default = implicit Deny (nothing is allowed until explicitly permitted)
Explicit Allow on identity policy → access granted
Explicit Deny anywhere → always overrides any Allow
SCPs in Organizations act as guardrails — they restrict what even an admin can do
Resource-based policies (S3 bucket policies) + identity policies both evaluated
For cross-account: need Allow in both the role's trust policy AND identity policy

🎯 When a question asks how an EC2 instance accesses S3 securely — the answer is always an IAM Role attached to the instance. Never access keys stored on the instance.

Cross-Account Access

Role Assumption Pattern

Account A (trusting) creates a role with a trust policy allowing Account B to assume it
Account B users/services call sts:AssumeRole to get temporary credentials
Temporary credentials: access key + secret + session token, expire automatically
Use external ID in trust policy when third parties (vendors) assume your role — prevents confused deputy

Cognito — Web Identity & Federation

User Pools

User directory — handles sign-up, sign-in, password reset
Federate with social IDPs (Google, Facebook, Apple) and enterprise SAML/OIDC
Returns JSON Web Tokens (JWT): ID token, access token, refresh token
Use for: application authentication, securing API Gateway endpoints

Identity Pools (Federated Identities)

Provides temporary AWS credentials via STS to grant users direct access to AWS resources
Users can be authenticated (via User Pool, social, SAML) or unauthenticated (guest)
Use for: allowing app users to directly upload to S3, write to DynamoDB, invoke Lambda
Flow: User Pool JWT → Identity Pool → STS → temporary credentials → AWS resource

🎯 "App needs to let users upload files directly to S3" → Cognito Identity Pool (gives temporary AWS credentials). "Secure a REST API with user login" → Cognito User Pool as an API Gateway authorizer.

VPC Security

Security Groups vs NACLs

Feature	Security Groups	Network ACLs
Level	Instance (ENI)	Subnet
State	Stateful — return traffic automatic	Stateless — must allow both directions
Rules	Allow only (no explicit deny)	Allow AND Deny rules
Evaluation	All rules evaluated together	Rules evaluated in order (lowest number first)
Scope	Applies to specific instances	Applies to all instances in subnet

🎯 To block a specific IP address, use a NACL Deny rule. Security groups can't deny — you can only remove the Allow.

VPC Connectivity

Internet Gateway — allows public subnets to reach internet
NAT Gateway — allows private subnets outbound internet (no inbound). Managed, HA within AZ. Place in public subnet.
VPC Peering — direct connection between VPCs (same or cross-account/region). Not transitive.
Transit Gateway — hub-and-spoke. Connects many VPCs + on-prem. Transitive routing supported.
VPN Gateway — connects on-premises network to VPC over IPsec
Direct Connect — dedicated private line to AWS. Not internet-based. More consistent bandwidth.

VPC Endpoints

Gateway Endpoint — free, for S3 and DynamoDB only. Route table entry.
Interface Endpoint (PrivateLink) — ENI in your subnet, for most AWS services. Costs money. Works across VPCs.
Use endpoints so traffic to S3/DynamoDB never leaves AWS network
PrivateLink — expose your own service to other VPCs without peering

🚨 VPC Peering is NOT transitive. VPC A peers with B, B peers with C — A cannot reach C. Use Transit Gateway for hub-and-spoke with many VPCs.

Encryption

KMS — Key Management Service

CMK (Customer Master Key) — the key that encrypts your data keys
Envelope encryption — KMS encrypts a data key, data key encrypts your data. KMS never sees raw data.
AWS-managed keys — free, automatic rotation every year
Customer-managed keys — you control rotation, access policies, deletion
KMS keys are regional — cannot be moved or exported
CloudHSM — dedicated hardware, you control the key material. FIPS 140-2 Level 3.

S3 Encryption Options

SSE-S3 — AWS manages keys (AES-256). Default. Lowest overhead.
SSE-KMS — KMS manages keys. You get audit trail in CloudTrail. Control via KMS policy.
SSE-C — you provide the key with each request. AWS does not store the key.
Client-side — you encrypt before upload. AWS never sees plaintext.

🎯 "Audit key usage" → SSE-KMS. "AWS never sees key" → SSE-C. "Customer holds all encryption material" → Client-side.

Secrets & Parameter Management

Feature	Secrets Manager	SSM Parameter Store
Cost	$0.40/secret/month	Free (Standard). $0.05/advanced/month
Auto rotation	✅ Built-in (Lambda-based), native for RDS	❌ Manual or custom Lambda
Use case	Database passwords, API keys needing rotation	Config values, non-sensitive params
Cross-account	✅	✅ (with resource policy)

🎯 Question says "automatically rotate database credentials" → Secrets Manager. It has native integration with RDS, Redshift, DocumentDB.

SSM Session Manager — Secure EC2 Access

Provides interactive browser-based or CLI shell access to EC2 instances without opening port 22 (SSH)
No bastion hosts, no SSH key pairs to manage — access controlled entirely via IAM policies
Works with instances in private subnets (requires SSM agent + VPC endpoint or internet access via NAT)
EC2 instance needs AmazonSSMManagedInstanceCore IAM role policy attached
All session activity logged to CloudTrail and optionally to S3 / CloudWatch Logs for audit
Also enables: Run Command (remote script execution), Patch Manager, Parameter Store access

🎯 "Most secure way to access EC2 in a private subnet without exposing SSH" → SSM Session Manager. Eliminates bastion hosts, no security group inbound rules needed.

Network Protection Services

AWS Shield

Standard — free, automatic. Protects against common L3/L4 DDoS attacks
Advanced — $3,000/month. 24/7 DRT team, financial protection, L7 protection with WAF

AWS WAF

Layer 7 (HTTP) firewall. Works with CloudFront, ALB, API Gateway, AppSync
Rules: IP sets, geo-match, rate-based, managed rule groups (OWASP Top 10)
Can block SQL injection, XSS, bad bots

Network Firewall

Stateful firewall at VPC level
Deep packet inspection, intrusion detection
Deploy in dedicated firewall subnets; route all traffic through it

Compliance & Monitoring Services

Detection

CloudTrail — logs every API call (who did what, when, from where). Management + data events. Store in S3.
GuardDuty — ML-based threat detection. Analyzes CloudTrail, VPC Flow Logs, DNS logs. No agents needed.
Macie — discovers and protects sensitive data (PII, financial) in S3 using ML
Security Hub — aggregates findings from GuardDuty, Inspector, Macie into one dashboard
Inspector — automated vulnerability scans for EC2, Lambda, container images

Governance

Config — records configuration changes over time. Rules check compliance. Remediate with SSM Automation.
Organizations — manage multiple AWS accounts. Consolidated billing. Apply SCPs to OUs.
SCPs (Service Control Policies) — guardrails on what accounts can do. Even administrators are bound by SCPs. Do not grant permissions — only restrict.
Control Tower — sets up a multi-account environment with guardrails automatically (uses Organizations + Config)

🚨 SCPs do NOT grant permissions — they only restrict. An SCP allowing S3 doesn't mean accounts can use S3; they also need IAM policies allowing it.

S3 Object Lock & Glacier Vault Lock — WORM Compliance

S3 Object Lock

Implements Write Once, Read Many (WORM) policy — objects cannot be deleted or overwritten
Compliance Mode — no one (including root account) can delete or alter the object or shorten the retention period. Unbreakable.
Governance Mode — most users cannot delete/modify, but users with s3:BypassGovernanceRetention permission can. Useful for internal audits.
Legal Hold — blocks deletion regardless of retention period. Can be placed/removed by users with s3:PutObjectLegalHold. No expiry date.
Must enable Object Lock at bucket creation. Requires versioning.

Glacier Vault Lock

Locks a Glacier vault's access policy permanently using a Vault Lock policy
Once locked (initiated → confirmed), the policy cannot be changed or deleted — even by an AWS administrator
Use for: SEC Rule 17a-4, HIPAA, financial record compliance requirements
Difference from S3 Object Lock: applies to entire Glacier vault, not individual objects

🎯 "Prevent ransomware from deleting backups" → S3 Object Lock Compliance Mode. "Legal hold for ongoing litigation" → S3 Object Lock Legal Hold. "Audit-proof archive vault" → Glacier Vault Lock.

ACM — Certificate Manager

Provision, manage, and deploy TLS/SSL certificates for free on AWS services
Works with CloudFront, ALB, API Gateway, Elastic Beanstalk
Automatic renewal — never expire manually managed certs
Important: for CloudFront, certificates must be in us-east-1 (N. Virginia) regardless of your distribution's origin region

🧠 Domain 1 Practice Quiz

20 randomized scenario-based questions. Submit to reveal your score and explanations.

26%

Domain 2: Design Resilient Architectures

~17 questions · HA, DR, load balancing, auto scaling, databases, decoupling

Availability Concepts

RTO vs RPO

RTO (Recovery Time Objective) — how long you can be down. Max acceptable downtime.
RPO (Recovery Point Objective) — how much data you can lose. Max acceptable data age at recovery.
Lower RTO/RPO = more expensive architecture
RTO 0 = active-active multi-region. RPO 0 = synchronous replication.

DR Strategies (cheapest → fastest)

Backup & Restore — highest RPO/RTO, lowest cost. Restore from S3/Glacier.
Pilot Light — minimal core systems running. Scale up on disaster.
Warm Standby — scaled-down version running. Scale up quickly.
Active-Active (Multi-site) — full production in 2+ regions. RTO ≈ 0.

🎯 "Cost-effective DR with RPO of hours" → Backup & Restore or Pilot Light. "Near-zero RTO/RPO" → Active-Active multi-region.

📌 AWS Elastic Disaster Recovery (AWS DRS) — automates lift-and-shift DR for physical, virtual, or cloud servers. Uses continuous block-level replication into a low-cost staging area. On failover, launches recovery instances in minutes. RPO of sub-seconds (continuous replication). RTO in minutes. Replaces CloudEndure in SAA-C03 questions about automated server-level DR.

Multi-AZ vs Multi-Region

	Multi-AZ	Multi-Region
Replication	Synchronous (RDS Multi-AZ, etc.)	Asynchronous (Cross-region replication)
Latency	Low (same metro area)	Higher (geographic distance)
Use case	High availability — survive AZ failure	Disaster recovery, low global latency
Data loss risk	None (synchronous)	Possible (async lag)

Elastic Load Balancing

ALB L7

HTTP/HTTPS/gRPC
Path-based routing (/api/* → service A)
Host-based routing (api.example.com)
Target groups: EC2, ECS, Lambda, IPs
Sticky sessions, WebSocket, redirect rules

NLB L4

TCP/UDP/TLS
Millions of requests/second, ultra-low latency
Static IP per AZ (or Elastic IP) — required for IP whitelisting
Preserves source IP
Use for: gaming, IoT, real-time

GWLB L3

Inline traffic inspection
Routes traffic through 3rd-party network appliances (firewalls, IDS)
Transparent to source and destination
GENEVE protocol on port 6081

🚨 Need a static IP for your load balancer? → NLB (not ALB). ALB only has a DNS name, not a fixed IP.

Auto Scaling

Scaling Policies

Target Tracking — maintain a metric at a target (e.g., CPU at 60%). Simplest. Recommended.
Step Scaling — add/remove capacity in steps based on alarm thresholds
Simple Scaling — single CloudWatch alarm triggers single action. Has cooldown period.
Scheduled — scale at known times (e.g., add capacity every Monday 8am)
Predictive — ML forecasts future load, pre-scales

Key Concepts

Launch Template — defines AMI, instance type, SG, user data for new instances
Cooldown period — prevents launching/terminating instances too rapidly after a scaling event
Lifecycle hooks — pause instance launch/terminate for custom actions (e.g., drain connections, run scripts)
Warm pool — pre-initialized instances ready to launch quickly
Termination policy: default terminates instance from AZ with most instances, oldest launch template first

Route 53 Routing Policies

Policy	Use Case	Notes
Simple	Single resource	No health checks. Returns random if multiple values.
Weighted	A/B testing, gradual migration	Weight 0 = no traffic. All 0 = equal distribution.
Latency	Route to lowest-latency region	Based on AWS latency data, not geography
Failover	Active-passive DR	Requires health check on primary
Geolocation	Serve content by user's country/continent	Not latency-based. Needs a Default record.
Geoproximity	Shift traffic between regions by bias	Traffic Flow only. Bias expands/shrinks region.
Multi-Value	Client-side load balancing	Up to 8 healthy records returned. Not a substitute for ELB.

🎯 "Route users to nearest region" → Latency policy. "Route French users to EU servers" → Geolocation. "Gradually shift 10% traffic to new version" → Weighted.

Database Resilience

RDS Multi-AZ vs Read Replicas

	Multi-AZ	Read Replicas
Purpose	High availability / failover	Read scale / performance
Replication	Synchronous (standby)	Asynchronous
Standby readable?	❌ Not until failover	✅ Yes (read traffic)
Cross-region?	❌ Same region only	✅ Yes (CRR)
Auto failover?	✅ ~60-120 seconds	❌ Manual promotion

Aurora

6 copies of data across 3 AZs — survives losing 2 copies for writes, 3 for reads
Up to 15 read replicas (RDS max: 5)
Aurora Global Database — 1 primary region, up to 5 read-only secondary regions. Replication <1 second. Promote secondary for DR.
Aurora Serverless v2 — scales compute instantly in fine-grained increments. Great for unpredictable workloads.
Writer endpoint, reader endpoint, custom endpoints

🚨 RDS Multi-AZ standby is NOT a read replica — it doesn't serve traffic until failover. To offload reads, you need a separate Read Replica.

DynamoDB Resilience

Global Tables — multi-region, multi-active replication. Automatically resolves write conflicts with last-writer-wins.
Point-in-Time Recovery (PITR) — restore table to any second in last 35 days
On-Demand mode — scales instantly for unpredictable traffic, pay per request
Provisioned mode — set RCU/WCU in advance. Use Auto Scaling. Cheaper for predictable workloads.
Streams — ordered log of changes. Trigger Lambda for event-driven processing.

Decoupling with Messaging

SQS — Simple Queue Service

Pull-based. Consumers poll the queue.
Standard — at-least-once, best-effort ordering, unlimited throughput
FIFO — exactly-once, strict ordering, 3,000 msgs/sec with batching
Visibility timeout — hides message while being processed (default 30s). Extend if processing takes longer.
DLQ (Dead Letter Queue) — receives messages that fail processing after max retries
Retention: 1 min to 14 days (default 4 days)
Max message size: 256 KB

SNS vs EventBridge

SNS — push-based pub/sub. 1 topic → many subscribers (SQS, Lambda, email, HTTP). Fan-out pattern.
SNS FIFO — strictly ordered, deduplication, SQS FIFO subscribers only
EventBridge — event bus. Rules filter and route events to targets. Supports SaaS sources (Zendesk, Datadog). More powerful than SNS for complex routing.
Fan-out pattern: SNS → multiple SQS queues → separate Lambda functions. Each queue processes independently.

🎯 "Decouple application tiers so slow consumer doesn't affect producer" → SQS between them. "Notify multiple services of one event" → SNS fan-out to SQS queues.

S3 Resilience

11 nines (99.999999999%) durability — 3 AZ replication by default
Versioning — keeps all object versions. Enables recovery from accidental deletes.
MFA Delete — requires MFA to permanently delete versions (enable via CLI only)
Cross-Region Replication (CRR) — async replication to another region. Requires versioning on both buckets. For compliance, lower latency access, DR.
Same-Region Replication (SRR) — replication within same region. For log aggregation, live replication between prod and test.
Replication does NOT replicate existing objects — only new objects after replication is configured

🚨 CRR + KMS encryption trap: If source objects are encrypted with a customer-managed KMS key, replication will fail unless you grant the replication IAM role permission to kms:Decrypt on the source key AND kms:Encrypt on the destination region's KMS key. AWS Multi-Region Keys (MRK) share key material across regions and simplify this.

Storage Gateway — Hybrid Architecture

Type	Protocol	Data Location	Use Case
S3 File Gateway	NFS / SMB	S3 (local cache for hot data)	On-prem apps need file share backed by S3. Migrate file-based workloads to cloud storage.
Volume Gateway — Cached	iSCSI block	Primary in S3, frequently accessed cached locally	Extend on-prem storage to S3. Access from any application using block storage.
Volume Gateway — Stored	iSCSI block	Primary on-prem, async backup to S3 as EBS snapshots	Keep full dataset on-prem with cloud backup. Low latency for all access.
Tape Gateway	iSCSI VTL	Virtual tapes in S3 / Glacier	Replace physical tape backup infrastructure. Existing backup software unchanged.

🎯 "On-prem app needs to store files in S3 without code changes" → S3 File Gateway. "Replace tape library for compliance archives" → Tape Gateway. "Keep all data locally but back up to AWS" → Volume Gateway Stored mode.

🧠 Domain 2 Practice Quiz

20 randomized scenario-based questions. Submit to reveal your score and explanations.

24%

Domain 3: Design High-Performing Architectures

~16 questions · Compute, storage, caching, databases, networking, serverless

EC2 Instance Selection

Family	Optimized For	Examples	Use Case
General Purpose (M, T)	Balanced CPU/memory	m6i, t3	Web servers, small DBs. T = burstable.
Compute Optimized (C)	High CPU-to-memory ratio	c6i, c7g	Batch, HPC, gaming, ML inference
Memory Optimized (R, X, z)	Large RAM	r6i, x2idn	In-memory DBs, SAP HANA, Redis
Storage Optimized (I, D, H)	High IOPS or throughput	i4i, d3	NoSQL, data warehousing, Hadoop
Accelerated (P, G, Inf)	GPU / ML chips	p4d, g5, inf2	ML training, rendering, video encoding

EC2 Placement Groups

Cluster

All instances in same AZ, physically close
10 Gbps network between instances
Risk: AZ failure takes all instances
Use for: HPC, big data, low-latency tightly coupled workloads

Spread

Each instance on separate hardware rack
Max 7 instances per AZ per group
Lowest risk of simultaneous failure
Use for: critical instances that must not fail together

Partition

Groups of instances on separate racks (partitions)
Up to 7 partitions per AZ, hundreds of instances
Instances in same partition share rack
Use for: Hadoop, Cassandra, Kafka — rack-aware apps

EC2 Network Interfaces — ENA vs EFA

ENA — Elastic Network Adapter

Standard enhanced networking — up to 100 Gbps
Enabled by default on most modern instance types (C5, M5, R5, etc.)
Best for: high-throughput traditional workloads, web servers, databases
Uses standard TCP/IP networking stack (OS kernel involved)

EFA — Elastic Fabric Adapter

Adds OS-bypass capability for node-to-node communication — bypasses the OS kernel
Dramatically lower latency, higher throughput for inter-node traffic
Required for: tightly coupled HPC workloads using MPI (Message Passing Interface) and distributed ML training
EFA includes all ENA capabilities — it's a superset
Supported on specific instance types (C5n, P4d, Hpc6a, etc.)

🎯 "Lowest latency node-to-node communication for HPC cluster running MPI" → EFA. "General enhanced networking up to 100 Gbps" → ENA.

EBS Volume Types

Type	Use Case	IOPS	Throughput
gp3 (SSD)	Most workloads, OS volumes	Up to 16,000 (configurable)	Up to 1,000 MiB/s
gp2 (SSD)	Legacy general purpose	Up to 16,000 (3 IOPS/GB)	250 MiB/s
io2 Block Express	Critical DBs, sub-ms latency	Up to 256,000	4,000 MiB/s
io1 (SSD)	I/O intensive DBs	Up to 64,000	1,000 MiB/s
st1 (HDD)	Big data, log processing (sequential)	N/A	Up to 500 MiB/s
sc1 (HDD)	Cold data, infrequent access	N/A	Up to 250 MiB/s

🎯 "Highest IOPS" → io2/io1 provisioned IOPS SSD. "Throughput for sequential reads" → st1. "Cannot be boot volume" → st1, sc1 (HDD types).

EBS vs EFS vs S3 vs FSx

Service	Protocol	Access	Best For
EBS	Block storage	Single EC2 (io1/io2 multi-attach limited)	OS volumes, databases, single-instance storage
EFS	NFS (Linux only)	Thousands of EC2 across AZs	Shared file system, CMS, home directories
S3	Object (HTTP API)	Anything with internet or VPC endpoint	Backups, static assets, data lake, archives
FSx for Windows	SMB	Windows EC2, on-prem via DFS	Windows file shares, Active Directory integration
FSx for Lustre	Lustre (parallel)	HPC compute clusters	ML training, genomics, financial modeling

🎯 "Multiple EC2 instances need shared file system on Linux" → EFS. "Windows file share with AD integration" → FSx for Windows. "Highest performance HPC shared storage" → FSx for Lustre.

S3 Performance Optimization

Multipart upload — required above 5 GB, recommended above 100 MB. Parallel upload parts = faster.
Byte-range fetches — download specific bytes in parallel. Improves download speed and allows failure recovery.
S3 Transfer Acceleration — routes uploads through CloudFront edge locations to AWS backbone. Helps with long-distance transfers.
S3 Select — retrieve subset of data from CSV/JSON/Parquet using SQL. Reduces data transferred.
S3 supports 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix
Use random prefixes (hash) to spread across prefixes if you exceed these — no longer needed since 2018 update (all prefix partitions auto-scale)

Caching

ElastiCache: Redis vs Memcached

	Redis	Memcached
Data structures	Rich (lists, sets, sorted sets, hashes)	Simple key-value only
Persistence	✅ (AOF, RDB snapshots)	❌
Multi-AZ / failover	✅	❌
Pub/Sub	✅	❌
Multi-threaded	Limited	✅ Better for scale-out
Leaderboards / sessions	✅ Sorted sets	❌

CloudFront Caching

CDN — caches content at 450+ edge locations globally
Cache behaviors — different TTLs/origins per path pattern
Origin Shield — centralized caching layer in front of origin. Reduces origin load.
Invalidations — purge cached files (first 1,000 paths/month free)
Signed URLs — single file access control. Signed Cookies — multiple files.
Lambda@Edge — run code at edge (viewer request/response, origin request/response)

🎯 "Reduce read load on RDS" → ElastiCache (Redis or Memcached) in front of DB. "Reduce latency for global users accessing static content" → CloudFront. "Real-time leaderboard" → ElastiCache Redis sorted sets.

DynamoDB Performance

DAX (DynamoDB Accelerator) — in-memory cache for DynamoDB. Microsecond reads. API-compatible — no app changes needed. Ideal for read-heavy, repeated queries.
Partition key design — choose high-cardinality partition key to distribute data evenly. Poor key → hot partition → throttling.
On-Demand: good for unpredictable spikes. Provisioned + Auto Scaling: predictable, cheaper.
Global Secondary Index (GSI) — query on non-primary key attributes. Different partition + sort key. Has its own capacity.
Local Secondary Index (LSI) — same partition key, different sort key. Must be created at table creation time.

🚨 DAX caches reads, not writes. If your app is write-heavy, DAX won't help. Also: DAX is for DynamoDB only — not for RDS (use ElastiCache instead).

Global Networking

Global Accelerator

2 static anycast IPs (whitelistable). Routes users to nearest AWS edge.
Traffic travels AWS backbone — not public internet — from edge to origin
Works with ALB, NLB, EC2, Elastic IPs
Health checks + instant failover (sub-30s)
Best for: TCP/UDP apps, gaming, VoIP, APIs needing static IPs

Global Accelerator vs CloudFront

Both use AWS edge locations and global backbone
CloudFront — caches content at edge. HTTP only. Best for static/cacheable content.
Global Accelerator — no caching. Any TCP/UDP. Routes to origin. Best for dynamic content, non-HTTP, fixed IPs.

Kinesis

Data Streams

Real-time streaming, millisecond latency
Ordered within shard, replay-able (up to 365 days)
You manage shards (capacity planning)
Multiple consumers possible simultaneously
Use for: real-time analytics, event sourcing

Data Firehose

Near real-time delivery (60s batch or 1 MB buffer)
Fully managed — no shards to manage
Destinations: S3, Redshift, OpenSearch, Splunk
Can transform data with Lambda
Use for: log delivery to S3, analytics pipelines

Data Analytics

Run SQL queries on streaming data in real-time
Source: Data Streams or Firehose
Output: Data Streams, Firehose, Lambda
Use for: real-time dashboards, anomaly detection

Serverless Analytics — Athena & Redshift Spectrum

Amazon Athena

Serverless interactive query service — analyze data directly in S3 using standard SQL
No infrastructure to provision or manage. Pay per query ($5/TB scanned).
Supports: CSV, JSON, Parquet, ORC, Avro. Use columnar formats (Parquet/ORC) + partitioning to reduce cost.
Works with AWS Glue Data Catalog as the metadata/schema layer
Use for: ad-hoc queries on S3 data lake, log analysis (CloudTrail, ALB logs, VPC Flow Logs), one-time analysis

Redshift Spectrum

Extends an existing Amazon Redshift cluster to query data in S3 without loading it first
Runs queries against exabytes of unstructured data in S3 — no ETL required
Requires an existing Redshift cluster (not serverless by itself)
Use for: joining S3 data lake with Redshift warehouse tables, running complex analytics across hot (Redshift) + cold (S3) data

🎯 "Query S3 data with SQL, no infrastructure" → Athena. "Join S3 data with existing Redshift tables" → Redshift Spectrum. "Reduce Athena query cost" → convert to Parquet/ORC and partition by date.

Serverless & Containers

Lambda

Max execution: 15 minutes. Memory: 128 MB – 10 GB. Ephemeral storage: up to 10 GB (/tmp).
Reserved concurrency — caps max concurrent executions for a function
Provisioned concurrency — pre-warms instances to eliminate cold starts
Triggered by: API Gateway, ALB, SQS, SNS, S3, DynamoDB Streams, EventBridge, Kinesis
VPC Lambda: needs NAT Gateway to access internet. Uses ENIs — takes a few seconds to initialize (improved with Hyperplane ENIs)

ECS / EKS / Fargate

ECS — AWS container orchestration. EC2 launch type (you manage) or Fargate (serverless).
EKS — managed Kubernetes. More control, more complexity. Also supports Fargate.
Fargate — no EC2 to manage. Pay per vCPU/memory per second. Right-size per task.
ECR — Elastic Container Registry. Stores Docker images. Integrates with ECS/EKS/Lambda.
ECS task role — IAM role attached to individual tasks (not the EC2 host)

🎯 "No servers, short-running tasks" → Lambda. "Long-running containers without managing EC2" → ECS/EKS on Fargate. "Need Kubernetes" → EKS.

🧠 Domain 3 Practice Quiz

20 randomized scenario-based questions. Submit to reveal your score and explanations.

20%

Domain 4: Design Cost-Optimized Architectures

~13 questions · EC2 pricing, S3 tiers, serverless, cost tools, right-sizing

EC2 Pricing Models

Model	Discount vs On-Demand	Commitment	Best For
On-Demand	0%	None	Short-term, unpredictable, dev/test
Reserved Instances (Standard)	Up to 72%	1 or 3 years	Steady-state, known instance type/region
Reserved Instances (Convertible)	Up to 54%	1 or 3 years	Steady-state but may need flexibility on type
Savings Plans (Compute)	Up to 66%	1 or 3 years ($/hr commitment)	Flexible: any instance family, region, OS, Fargate, Lambda
Savings Plans (EC2 Instance)	Up to 72%	1 or 3 years (family + region commitment)	Specific instance family in a region
Spot Instances	Up to 90%	None (AWS can reclaim with 2-min notice)	Fault-tolerant, batch, stateless, flexible
Dedicated Hosts	Varies (can use RIs)	On-Demand or Reserved	Compliance, licensing (BYOL), per-socket/core licensing

🎯 "Reduce cost for predictable workload" → Reserved Instances or Savings Plans. "Lowest cost for fault-tolerant batch jobs" → Spot Instances. "Compliance requires dedicated physical server" → Dedicated Hosts.

🚨 Spot Instances can be interrupted with 2-minute warning. Never use for: databases, stateful apps, jobs that can't tolerate interruption without handling it. Use Spot + On-Demand mix (Spot Fleet / EC2 Fleet) for resilience.

S3 Storage Classes

Class	Access Pattern	Retrieval Time	Min Storage Duration	Note
S3 Standard	Frequent	Milliseconds	None	Default. 3 AZ. Highest cost.
S3 Intelligent-Tiering	Unknown/changing	Milliseconds	None	Auto-moves between tiers. Small monitoring fee.
S3 Standard-IA	Infrequent, but fast when needed	Milliseconds	30 days	Retrieval fee. 3 AZ. Good for backups.
S3 One Zone-IA	Infrequent, non-critical	Milliseconds	30 days	Single AZ. 20% cheaper than Standard-IA. Risk of AZ loss.
Glacier Instant Retrieval	Rare, but needs instant access	Milliseconds	90 days	Archives with ms access. Lowest cost with instant retrieval.
Glacier Flexible Retrieval	Rare	1–12 hours (Bulk: free)	90 days	Formerly just "Glacier". Expedited: 1-5 min (fee).
Glacier Deep Archive	Rarely/never	12–48 hours	180 days	Cheapest storage. Compliance archives.

🎯 "Unknown access patterns" → Intelligent-Tiering. "Compliance archives accessed once a year" → Glacier Deep Archive. "Backup data accessed monthly" → Standard-IA. "Video archive but needs immediate access when requested" → Glacier Instant Retrieval.

S3 Lifecycle Policies

Automate transitions between storage classes and deletions
Example: Standard → Standard-IA after 30 days → Glacier after 90 days → delete after 365 days
Apply to current versions, non-current versions (versioned buckets), incomplete multipart uploads
Use lifecycle rules to automatically clean up incomplete multipart uploads (cost savings)

Cost Optimization for Compute

Right-Sizing

AWS Compute Optimizer — ML-based recommendations for EC2, EBS, Lambda, ECS. Analyzes actual utilization over 14 days.
Trusted Advisor — identifies idle/underutilized instances, low-utilization load balancers
Downsize over-provisioned instances. Upgrade instance family for better price/performance ratio.
ARM-based (Graviton) instances: up to 40% better price/performance for many workloads

Serverless Cost Model

Lambda — pay per invocation + duration (ms). Free tier: 1M requests/month forever.
Fargate — pay per vCPU and memory per second. No idle EC2 cost.
DynamoDB on-demand — pay per read/write request. No capacity planning.
Serverless is cheapest for variable/spiky workloads. Reserved EC2 beats Lambda for constant high-throughput.

Data Transfer Cost Optimization

Inbound data transfer — always free (into AWS)
Outbound to internet — charged per GB. Use CloudFront to reduce direct S3/EC2 egress charges.
Cross-AZ data transfer — $0.01/GB each way. Keep traffic within same AZ when possible for latency-sensitive apps.
Cross-region — charged (varies by region pair)
VPC endpoints — eliminate NAT Gateway data processing costs for S3/DynamoDB traffic (Gateway endpoints are free)
NAT Gateway: $0.045/GB processed. High-volume private → internet traffic? Consider NAT Instance instead.

💚 Use S3 Gateway Endpoints (free) to avoid NAT Gateway charges for EC2-to-S3 traffic. This is one of the most overlooked cost savings.

Cost Management Tools

Cost Explorer

Visualize spending over time
Filter by service, account, tag, region
RI recommendations built in
12-month forecast

AWS Budgets

Set cost, usage, reservation, or Savings Plans budgets
Alert when actual or forecasted spend exceeds threshold
Email, SNS, or Chatbot notifications
First 2 budgets free

Trusted Advisor

Cost, performance, security, fault tolerance, service limits
Basic (free): 7 core checks
Business/Enterprise support: all checks + API
Flags idle resources, unused EIPs, low-utilization EC2

🎯 "Alert when monthly bill exceeds $500" → AWS Budgets. "Analyze where money was spent last 6 months" → Cost Explorer. "Find unused resources automatically" → Trusted Advisor.

Reserved Instances vs Savings Plans

	Standard Reserved Instances	Compute Savings Plans
Flexibility	Locked to instance type, region, OS	Any instance family, region, OS, Fargate, Lambda
Max discount	72%	66%
Marketable?	✅ (Reserved Instance Marketplace)	❌
Applies to Fargate/Lambda	❌	✅
Commitment	Instance type locked in	$/hour spend locked in

🎯 "Maximum flexibility with commitment discount" → Compute Savings Plans. "Maximum discount, stable single instance type workload" → Standard Reserved Instances. "Also cover Lambda and Fargate" → Compute Savings Plans only.

Auto Scaling for Cost

Scale down during off-peak hours with scheduled scaling (e.g., reduce to 2 instances at night)
Target tracking on CPU or custom metric — pays only for what you need
Spot Fleet — mix of Spot + On-Demand. Define target capacity. AWS replaces interrupted Spot instances automatically.
Use instance weighting in Spot Fleet to mix instance types by vCPU/memory units
For batch jobs: process during off-peak with Spot → drain queue → scale to 0

🧠 Domain 4 Practice Quiz

20 randomized scenario-based questions. Submit to reveal your score and explanations.