Ultimate SAA-C03 Revision Cheatsheet

"Complete revision guide covering every service and concept for the AWS Solutions Architect Associate exam."

AWS Solutions Architect Associate (SAA-C03) - Ultimate Revision Cheatsheet

Exam Domains:

  • Domain 1: Design Secure Architectures (30%)
  • Domain 2: Design Resilient Architectures (26%)
  • Domain 3: Design High-Performing Architectures (24%)
  • Domain 4: Design Cost-Optimized Architectures (20%)

🔐 DOMAIN 1: DESIGN SECURE ARCHITECTURES (30%)


1.1 Identity and Access Management (IAM)

IAM Core Concepts

| Component | Description | Exam Focus |
|---|---|---|
| Users | Individual identities with credentials | Long-term credentials, access keys |
| Groups | Collection of users (cannot be nested) | Simplify permission management |
| Roles | Temporary credentials for services/users | Cross-account, EC2 instance profiles |
| Policies | JSON documents defining permissions | Identity vs Resource-based policies |

IAM Policy Types

| Policy Type | Attached To | Use Case |
|---|---|---|
| Identity-based | Users, Groups, Roles | Grant permissions to principals |
| Resource-based | Resources (S3, SQS, etc.) | Cross-account access, no trust relationship needed |
| Permission Boundary | Users, Roles | Maximum permissions limit (guardrails) |
| SCPs | AWS Organizations OUs/Accounts | Organization-wide restrictions |
| Session Policies | AssumeRole sessions | Further restrict role permissions |

IAM Best Practices

✅ Enable MFA for all users (especially root)

✅ Use roles instead of long-term access keys

✅ Follow least privilege principle

✅ Use groups to assign permissions

✅ Never share credentials

✅ Rotate access keys regularly

✅ Use IAM Access Analyzer to find external access

Critical IAM Limits

| Limit | Value |
|---|---|
| Users per account | 5,000 |
| Groups per account | 300 |
| Roles per account | 1,000 |
| Managed policies per account | 1,500 |
| Policies attached to user/role | 10 |
| Policy size (managed) | 6,144 characters |
| Access keys per user | 2 |

1.2 AWS Organizations & Multi-Account

Service Control Policies (SCPs) Hierarchy

📦 Management Account (SCPs don't affect root user here)

↓ SCP Applied

📁 Production OU → SCP: Deny region changes

  • 📄 Account A → Effective: SCP ∩ IAM
  • 📄 Account B → Effective: SCP ∩ IAM

📁 Development OU → SCP: Allow more services

  • 📄 Account C → Effective: SCP ∩ IAM

Key Points:

  • SCPs don't grant permissions, only restrict
  • Effective permissions = SCP ∩ IAM policies
  • SCPs affect all users in a member account (including root)
  • SCPs do NOT affect the management account
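
The key points above, worked through as an added example (not part of the original cheatsheet). It is a simplified model that matches on actions only and ignores resources, conditions and permission boundaries; the policy documents and the `account:EnableRegion` / `account:DisableRegion` reading of "Deny region changes" are constructed for illustration.

```python
from fnmatch import fnmatchcase

def verdict(policy, action):
    """Evaluate one policy document: 'Deny' (explicit), 'Allow', or None (no match)."""
    result = None
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny always wins
            result = "Allow"
    return result

def scp_permits(scp_chain, action):
    """Every level (root, OU, account) must allow the action and none may deny it."""
    for level in scp_chain:
        verdicts = [verdict(p, action) for p in level]
        if "Deny" in verdicts or "Allow" not in verdicts:
            return False
    return True

def is_allowed(action, scp_chain, iam_policies,
               management_account=False, root_user=False):
    """Effective permission = SCP ceiling intersected with IAM grants."""
    # SCPs are not applied to the management account.
    if not management_account and not scp_permits(scp_chain, action):
        return False
    # The root user has no IAM policies; only the SCP ceiling restricts it.
    if root_user:
        return True
    verdicts = [verdict(p, action) for p in iam_policies]
    return "Deny" not in verdicts and "Allow" in verdicts

# Constructed sample policies (assumptions, not from the page).
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
DENY_REGION_CHANGES = {"Statement": [
    {"Effect": "Deny",
     "Action": ["account:EnableRegion", "account:DisableRegion"]}]}
# SCPs attached at: organization root, Production OU, Account A.
PROD_CHAIN = [[FULL_ACCESS], [FULL_ACCESS, DENY_REGION_CHANGES], [FULL_ACCESS]]
USER_IAM = {"Statement": [{"Effect": "Allow",
                           "Action": ["s3:Get*", "account:*"]}]}

def demo():
    """Return the decision for each case the key points describe."""
    return {
        "user_s3_get": is_allowed("s3:GetObject", PROD_CHAIN, [USER_IAM]),
        "user_region_change": is_allowed("account:EnableRegion", PROD_CHAIN, [USER_IAM]),
        "user_ec2_no_iam_grant": is_allowed("ec2:RunInstances", PROD_CHAIN, [USER_IAM]),
        "member_root_region_change": is_allowed(
            "account:DisableRegion", PROD_CHAIN, [], root_user=True),
        "mgmt_account_region_change": is_allowed(
            "account:EnableRegion", PROD_CHAIN, [USER_IAM], management_account=True),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
```
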

AWS Control Tower

| Feature | Description |
|---|---|
| Landing Zone | Pre-configured multi-account environment |
| Guardrails | Preventive (SCPs) and Detective (Config rules) |
| Account Factory | Automated account provisioning |
| Dashboard | Compliance visibility across accounts |

1.3 Encryption & Key Management

AWS KMS (Key Management Service)

| Key Type | Description | Control |
|---|---|---|
| AWS Managed Keys | Created by AWS services (e.g., aws/s3) | No control, auto-rotation |
| Customer Managed Keys (CMK) | You create and manage | Full control, policies, rotation |
| AWS Owned Keys | Used by AWS internally | No visibility or control |

Envelope Encryption

🔐 AWS KMS

Contains: Customer Master Key (CMK) (Never leaves KMS unencrypted)

Encrypts

🔑 Data Encryption Key (DEK) (Encrypted DEK stored with data)

Encrypts

📄 Your Data (Encrypted)

AWS CloudHSM

| Feature | KMS | CloudHSM |
|---|---|---|
| Tenancy | Multi-tenant | Single-tenant (dedicated) |
| Compliance | FIPS 140-2 Level 2 | FIPS 140-2 Level 3 |
| Key Control | AWS manages HSM | You manage HSM |
| Integration | 100+ AWS services | Custom apps, Oracle TDE |
| Cost | Per key + API calls | $1.60/hour per HSM |

Use CloudHSM when: FIPS 140-2 Level 3, Oracle TDE, custom key management, regulatory requirements

S3 Encryption Options

| Method | Key Management | Use Case |
|---|---|---|
| SSE-S3 | AWS manages keys | Default, simplest |
| SSE-KMS | KMS keys | Audit trail, key control |
| SSE-C | Customer provides keys | Bring your own keys |
| Client-side | Client encrypts | Full control, encrypt before upload |

1.4 Network Security

Security Groups vs NACLs

| Feature | Security Group | Network ACL |
|---|---|---|
| Level | Instance (ENI) | Subnet |
| State | Stateful | Stateless |
| Rules | Allow only | Allow AND Deny |
| Evaluation | All rules evaluated | First match wins |
| Default | Deny all inbound | Allow all in/out |
| Use Case | App-tier isolation | Block specific IPs |
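
The State, Rules and Evaluation rows above, modelled as an added example (not part of the original cheatsheet). The rule sets, IP addresses and ports are constructed; the model covers one inbound TCP connection and its reply, and treats a NACL as numbered rules ending in an implicit deny.

```python
import ipaddress

def _hit(cidr, ports, ip, port):
    """True if ip falls inside cidr and port inside the inclusive range."""
    lo, hi = ports
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr) and lo <= port <= hi

def nacl_decision(rules, ip, port):
    """NACL: rules are (number, cidr, ports, action); lowest number first, first match wins."""
    for _num, cidr, ports, action in sorted(rules, key=lambda r: r[0]):
        if _hit(cidr, ports, ip, port):
            return action
    return "deny"  # the final '*' rule denies whatever no numbered rule matched

def sg_allows(rules, ip, port):
    """Security group: allow rules only, all evaluated; any match permits the traffic."""
    return any(_hit(cidr, ports, ip, port) for cidr, ports in rules)

def connection_succeeds(sg_in, nacl_in, nacl_out, client_ip, client_port, server_port):
    """Inbound request plus its reply, as seen by a subnet NACL and an instance SG."""
    request_ok = (nacl_decision(nacl_in, client_ip, server_port) == "allow"
                  and sg_allows(sg_in, client_ip, server_port))
    # Stateful SG: the reply to an allowed request needs no outbound rule.
    # Stateless NACL: the reply to the client's ephemeral port is checked separately.
    reply_ok = nacl_decision(nacl_out, client_ip, client_port) == "allow"
    return request_ok and reply_ok

# Constructed sample rules (documentation address ranges).
ALL_PORTS = (0, 65535)
SG_IN = [("0.0.0.0/0", (443, 443))]
NACL_IN = [(90, "203.0.113.7/32", ALL_PORTS, "deny"),
           (100, "0.0.0.0/0", (443, 443), "allow")]
NACL_IN_MISORDERED = [(100, "0.0.0.0/0", (443, 443), "allow"),
                      (110, "203.0.113.7/32", ALL_PORTS, "deny")]
NACL_OUT = [(100, "0.0.0.0/0", (1024, 65535), "allow")]

def demo():
    """Return the outcome of each scenario."""
    return {
        "normal_client": connection_succeeds(
            SG_IN, NACL_IN, NACL_OUT, "198.51.100.10", 50000, 443),
        "blocked_ip": connection_succeeds(
            SG_IN, NACL_IN, NACL_OUT, "203.0.113.7", 50000, 443),
        # The deny rule is numbered after the allow rule, so it is never reached.
        "blocked_ip_misordered": connection_succeeds(
            SG_IN, NACL_IN_MISORDERED, NACL_OUT, "203.0.113.7", 50000, 443),
        # No outbound NACL rule for ephemeral ports: the reply is dropped.
        "no_return_rule": connection_succeeds(
            SG_IN, NACL_IN, [], "198.51.100.10", 50000, 443),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'connected' if ok else 'dropped'}")
```
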

VPC Security Architecture

🌐 VPC

Public Subnet (10.0.1.0/24)

  • 🖥️ Bastion Host → NACL: Allow SSH from Corp, SG: Allow SSH from Corp IP
  • 🌉 NAT Gateway → For private subnet internet access

Private Subnet (10.0.2.0/24)

  • 🖥️ App Server → SG: Allow from ALB SG only
  • 🗄️ DB Server → SG: Allow from App SG only, NACL: Deny all from Internet

AWS WAF, Shield & Firewall Manager

| Service | Protection | Key Feature |
|---|---|---|
| AWS WAF | Layer 7 (HTTP/S) | SQL injection, XSS, rate limiting |
| AWS Shield Standard | DDoS (Layer 3/4) | Free, automatic |
| AWS Shield Advanced | DDoS + support | $3K/month, DDoS Response Team |
| AWS Firewall Manager | Centralized | Multi-account policy management |

WAF Integration Points: CloudFront, ALB, API Gateway, AppSync


1.5 Data Protection Services

Amazon Macie

  • Purpose: Discover and protect sensitive data in S3
  • Detection: PII, credentials, financial data using ML
  • Use Cases: GDPR compliance, find exposed secrets

Amazon GuardDuty

  • Purpose: Threat detection (malicious activity)
  • Analyzes: VPC Flow Logs, CloudTrail, DNS logs
  • Detects: Crypto mining, compromised instances, unusual API calls

Amazon Inspector

  • Purpose: Vulnerability scanning
  • Scans: EC2 instances, ECR images, Lambda functions
  • Detects: CVEs, network exposure, CIS benchmarks

AWS Secrets Manager

  • Purpose: Store and auto-rotate secrets
  • Features: Automatic rotation for RDS, Redshift, DocumentDB
  • Cost: $0.40/secret/month

SSM Parameter Store

  • Purpose: Store configuration and secrets (cheaper)
  • Features: Free tier, versioning, encryption with KMS
  • Limitation: No automatic rotation

1.6 Logging & Auditing

AWS CloudTrail

| Feature | Description |
|---|---|
| Purpose | API audit trail ("who did what, when") |
| Events | Management events (control plane), Data events (data plane) |
| Retention | 90 days in console, S3 for long-term |
| Multi-region | Single trail can cover all regions |
| Use Cases | Security analysis, compliance, forensics |

AWS Config

| Feature | Description |
|---|---|
| Purpose | Resource configuration tracking and compliance |
| Rules | Managed or custom (Lambda) compliance rules |
| Remediation | Automatic remediation with SSM Automation |
| Use Cases | Drift detection, compliance, inventory |

Amazon CloudWatch

| Component | Purpose |
|---|---|
| Metrics | Performance monitoring (CPU, network, custom) |
| Logs | Log aggregation and analysis |
| Alarms | Alerting based on thresholds |
| Events/EventBridge | Event routing and automation |
| Dashboards | Visualization |

🔄 DOMAIN 2: DESIGN RESILIENT ARCHITECTURES (26%)


2.1 Compute Resilience

EC2 Placement Groups

| Type | Use Case | Key Characteristic |
|---|---|---|
| Cluster | HPC, low latency | Same rack, single AZ |
| Spread | Critical instances | Different racks, 7 per AZ |
| Partition | Big data (Hadoop, Kafka) | Partition-aware, 7 partitions/AZ |

Auto Scaling Group

⚙️ Auto Scaling Group Configuration

| Setting | Value |
|---|---|
| Target Tracking | CPU = 40% |
| Min Capacity | 2 |
| Desired Capacity | 4 |
| Max Capacity | 10 |

Distribution across AZs:

  • AZ-a: 2 EC2 instances
  • AZ-b: 2 EC2 instances
  • AZ-c: 0 EC2 instances (scales as needed)

Scaling Policies:

  • Target Tracking - Most common, recommended
  • 📊 Step Scaling - Based on CloudWatch alarms
  • 📉 Simple Scaling - Legacy approach
  • 🗓️ Scheduled Scaling - For predictable patterns

Launch Template Components

| Component | Purpose |
|---|---|
| AMI | Base image |
| Instance Type | Size and family (or multiple for mixed) |
| Key Pair | SSH access |
| Security Groups | Firewall rules |
| EBS Volumes | Storage configuration |
| User Data | Bootstrapping script |
| IAM Role | Instance profile |

2.2 Database Resilience

RDS High Availability

| Feature | Multi-AZ | Read Replicas |
|---|---|---|
| Purpose | HA and DR | Read scaling |
| Replication | Synchronous | Asynchronous |
| Failover | Automatic (60-120s) | Manual promotion |
| Accessibility | Standby NOT accessible | Replicas serve reads |
| Region | Same region only | Same or cross-region |
| Cost | 2x instance cost | Per replica |

Aurora Architecture

🌟 Aurora Cluster

Endpoints:

  • ✏️ Writer Endpoint → Points to Primary Instance
  • 📖 Reader Endpoint → Load balances across replicas

Instances across AZs:

| AZ-a | AZ-b | AZ-c |
|---|---|---|
| Primary | Replica | Replica |

Shared Storage Layer:

  • 📀 6 copies across 3 AZs
  • 📈 Auto-scales: 10 GB → 128 TiB

Aurora Key Numbers:

  • 15 read replicas (vs 5 for RDS)
  • <30 seconds failover
  • 5x faster than MySQL, 3x faster than PostgreSQL
  • 6 copies across 3 AZs
  • Auto-scaling storage (10GB to 128TiB)

Aurora Global Database

| Feature | Value |
|---|---|
| Cross-region replication | <1 second lag |
| Secondary regions | Up to 5 |
| RTO | <1 minute |
| Read replicas per region | 16 |

2.3 Storage Resilience

S3 Durability & Availability

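| Storage Class | Durability | Availability | AZs |
|---|---|---|---|
| S3 Standard | 11 9s | 99.99% | ≥3 |
| S3 Standard-IA | 11 9s | 99.9% | ≥3 |
| S3 One Zone-IA | 11 9s | 99.5% | 1 |
| S3 Glacier Instant | 11 9s | 99.9% | ≥3 |
| S3 Glacier Flexible | 11 9s | 99.99% | ≥3 |
| S3 Glacier Deep Archive | 11 9s | 99.99% | ≥3 |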

S3 Replication

| Type | Use Case |
|---|---|
| CRR (Cross-Region) | DR, compliance, lower latency |
| SRR (Same-Region) | Log aggregation, prod/test sync |

Requirements:

  • Versioning enabled on BOTH buckets
  • IAM role for replication
  • Objects encrypted with SSE-S3 or SSE-KMS (with key policy)

EBS Resilience

| Feature | Description |
|---|---|
| Replication | Within single AZ |
| Snapshots | Point-in-time backup to S3 |
| Multi-Attach | io1/io2 only, up to 16 instances |
| Encryption | At rest with KMS |

2.4 Backup Strategies

AWS Backup

  • Purpose: Centralized, policy-based backup across services
  • Supported: EBS, RDS, DynamoDB, EFS, FSx, Storage Gateway, S3
  • Features: Cross-region, cross-account, compliance reports

Disaster Recovery Strategies

| Strategy | RTO | RPO | Cost |
|---|---|---|---|
| Backup & Restore | Hours | Hours | $ |
| Pilot Light | 10s of minutes | Minutes | $$ |
| Warm Standby | Minutes | Seconds | $$$ |
| Multi-Site/Hot | Real-time | Near-zero | $$$$ |

DR Strategy Progression (Cost & Speed →)

1️⃣ Backup & Restore - Data backed up only, slowest recovery

2️⃣ Pilot Light - Core services running (minimal)

3️⃣ Warm Standby - Scaled-down version running

4️⃣ Multi-Site Active/Active - Fully running in DR


2.5 Decoupling & Messaging

Amazon SQS

| Feature | Standard | FIFO |
|---|---|---|
| Order | Best-effort | Strict FIFO |
| Delivery | At-least-once | Exactly-once |
| Throughput | Unlimited | 3,000 msg/s (batching) |
| Deduplication | No | Built-in |
| Queue Name | Any | Must end in .fifo |

Key Limits:

  • Message size: 256 KB
  • Retention: 1 min to 14 days (default 4 days)
  • Visibility timeout: 0s to 12 hours (default 30s)
  • Long polling: 1-20 seconds

Amazon SNS

  • Pattern: Pub/Sub (fan-out)
  • Subscribers: SQS, Lambda, HTTP, Email, SMS
  • Features: Message filtering, FIFO topics

Amazon EventBridge

  • Purpose: Serverless event bus
  • Sources: AWS services, SaaS apps, custom apps
  • Targets: Lambda, Step Functions, SQS, SNS, ECS, etc.
  • Features: Schema registry, content-based filtering, scheduling

Comparison

| When to use... | Choose... |
|---|---|
| Queue, async processing | SQS |
| Pub/Sub, multiple subscribers | SNS |
| Event-driven, SaaS integration, scheduling | EventBridge |
| Fan-out to multiple SQS queues | SNS → SQS |

⚡ DOMAIN 3: DESIGN HIGH-PERFORMING ARCHITECTURES (24%)


3.1 Compute Performance

EC2 Instance Types

| Family | Optimized For | Use Case |
|---|---|---|
| M | General purpose | Web servers, small DBs |
| C | Compute | CPU-intensive, batch |
| R | Memory | In-memory DBs, caching |
| X | Memory (extreme) | SAP HANA, large in-memory |
| P, G | GPU | ML training, graphics |
| I, D | Storage | Data warehousing, HDFS |
| T | Burstable | Dev/test, variable workloads |

Lambda Performance

| Setting | Impact |
|---|---|
| Memory | 128 MB - 10 GB (CPU scales with memory) |
| Timeout | Up to 15 minutes |
| Provisioned Concurrency | Eliminates cold starts |
| Reserved Concurrency | Guarantees capacity |
| Container Images | Up to 10 GB |

3.2 Storage Performance

EBS Volume Types Cheat Sheet

| Type | Max IOPS | Max Throughput | Use Case |
|---|---|---|---|
| gp3 | 16,000 | 1,000 MB/s | General purpose (default) |
| gp2 | 16,000 | 250 MB/s | Legacy general purpose |
| io2 Block Express | 256,000 | 4,000 MB/s | Mission-critical DBs |
| io1/io2 | 64,000 | 1,000 MB/s | High-performance DBs |
| st1 | 500 | 500 MB/s | Big data, sequential |
| sc1 | 250 | 250 MB/s | Cold data, lowest cost |

Quick Rule:

  • Need IOPS → SSD (gp3, io2)
  • Need throughput → HDD (st1) or gp3

Instance Store vs EBS

| Feature | Instance Store | EBS |
|---|---|---|
| Persistence | Ephemeral | Persistent |
| Performance | Highest IOPS | High IOPS |
| Data survives | No (stop/terminate) | Yes |
| Snapshots | No | Yes |
| Cost | Included | Additional |

S3 Performance

| Optimization | Description |
|---|---|
| S3 Transfer Acceleration | Uses CloudFront edge locations |
| Multipart Upload | Recommended >100 MB, required >5 GB |
| S3 Select | Query subset of object |
| Byte-Range Fetches | Parallel downloads |

S3 Limits:

  • 3,500 PUT/POST/DELETE per prefix/second
  • 5,500 GET/HEAD per prefix/second
  • Use random prefixes to distribute load

EFS Performance Modes

| Mode | Latency | Throughput |
|---|---|---|
| General Purpose | Lower | Good for most |
| Max I/O | Higher | Parallel workloads |
| Elastic | Auto-scales | Best for variable |

3.3 Database Performance

DynamoDB Performance

| Feature | Description |
|---|---|
| Read Capacity Unit (RCU) | 1 strongly consistent read/sec (4 KB) |
| Write Capacity Unit (WCU) | 1 write/sec (1 KB) |
| DAX | In-memory cache (microseconds) |
| Global Tables | Multi-region, active-active |

Scaling Modes:

  • On-Demand: Pay per request, auto-scales
  • Provisioned: Set RCU/WCU, with auto-scaling

ElastiCache

| Feature | Redis | Memcached |
|---|---|---|
| Persistence | Yes | No |
| Replication | Yes (Multi-AZ) | No |
| Data Structures | Complex | Key-value only |
| Failover | Automatic | None |
| Use Case | Sessions, leaderboards | Simple caching |

3.4 Networking Performance

Load Balancer Selection

| Type | Layer | Use Case |
|---|---|---|
| ALB | 7 | HTTP/S, path routing, microservices |
| NLB | 4 | TCP/UDP, static IP, extreme performance |
| GWLB | 3 | Third-party appliances (IDS/IPS) |

CloudFront

| Feature | Description |
|---|---|
| Edge Locations | 400+ worldwide |
| Origins | S3, ALB, EC2, HTTP servers |
| Cache Behaviors | Path-based routing |
| Lambda@Edge | Customize at edge |
| CloudFront Functions | Lightweight edge compute |

Global Accelerator vs CloudFront

| Feature | Global Accelerator | CloudFront |
|---|---|---|
| Protocol | TCP, UDP | HTTP, HTTPS |
| IPs | 2 static anycast IPs | Dynamic |
| Caching | No | Yes |
| Use Case | Gaming, IoT, VoIP | Web content, streaming |

3.5 Data Analytics Performance

Kinesis Family

| Service | Use Case |
|---|---|
| Data Streams | Real-time (<1s), custom consumers |
| Data Firehose | Near real-time (60s+), auto-delivery to S3/Redshift |
| Data Analytics | SQL on streaming data |
| Video Streams | Video ingestion |

Analytics Services Comparison

| Service | Use Case | Data Location |
|---|---|---|
| Redshift | Data warehouse, complex queries | Data loaded into cluster |
| Athena | Serverless, ad-hoc S3 queries | Query S3 directly |
| EMR | Big data (Spark, Hadoop) | S3, HDFS |
| QuickSight | BI dashboards | Various sources |
| Glue | Serverless ETL | S3, databases |

💰 DOMAIN 4: DESIGN COST-OPTIMIZED ARCHITECTURES (20%)


4.1 EC2 Pricing Models

Comparison

| Model | Discount | Commitment | Use Case |
|---|---|---|---|
| On-Demand | 0% | None | Short-term, unpredictable |
| Reserved (1yr) | ~36% | Instance type | Steady-state |
| Reserved (3yr) | ~60% | Instance type | Long-running |
| Savings Plans | Up to 72% | $/hour | Flexible compute |
| Spot | Up to 90% | None | Fault-tolerant, batch |
| Dedicated Host | Varies | Physical server | Licensing, compliance |

Spot Fleet Strategies

| Strategy | Description |
|---|---|
| diversified | Spread across pools (resilience) |
| lowestPrice | Cheapest pools first |
| capacityOptimized | Most available capacity |
| capacityOptimizedPrioritized | Capacity + priority |

Interruption Handling:

  • ⚠️ 2-minute warning before termination
  • 📡 Use Spot interruption notice from metadata
  • 💾 Checkpointing for long-running jobs

Reserved Instance Types

| Type | Flexibility | Discount |
|---|---|---|
| Standard RI | Fixed (instance type, region) | Highest |
| Convertible RI | Can change family, OS, tenancy | Lower |
| Scheduled RI | Specific time windows | Moderate |

4.2 Storage Cost Optimization

S3 Storage Classes (Cost Order: Expensive → Cheap)

| Class | Cost | Access Pattern |
|---|---|---|
| 💰💰💰 S3 Standard | Highest | Frequent access |
| 💰💰 S3 Standard-IA | Medium | Infrequent, immediate |
| 💰💰 S3 One Zone-IA | Medium-Low | Infrequent, recreatable |
| 💰 S3 Glacier Instant | Low | Rare, immediate |
| 💰 S3 Glacier Flexible | Lower | 1-5 min to 12 hrs |
| ✨ S3 Glacier Deep Archive | Lowest | 12-48 hours |

S3 Lifecycle Rules Example

Sample Lifecycle Policy:

  • Day 0-29: S3 Standard
  • Day 30: → Transition to Standard-IA
  • Day 90: → Transition to Glacier
  • Day 180: → Transition to Deep Archive
  • Day 365: → Expire/Delete

S3 Intelligent-Tiering

  • Purpose: Automatic cost optimization for unknown access patterns
  • Tiers: Frequent, Infrequent (30 days), Archive (90 days), Deep Archive (180 days)
  • Cost: Small monthly monitoring fee per object
  • Best for: Unpredictable access patterns

EBS Cost Optimization

| Strategy | Description |
|---|---|
| gp3 over gp2 | Lower cost for same performance |
| Snapshots | Delete unneeded, use incremental |
| Delete on termination | Enable for temporary volumes |
| Right-size volumes | Monitor and resize |

4.3 Database Cost Optimization

RDS Cost Strategies

| Strategy | Description |
|---|---|
| Reserved Instances | Up to 70% savings for 1-3 year |
| Right-sizing | Use Performance Insights |
| Aurora Serverless | Variable workloads |
| Stop unused | Dev/test instances |
| Storage optimization | Use gp3, delete old snapshots |

DynamoDB Cost Strategies

| Strategy | Description |
|---|---|
| On-Demand | Unpredictable workloads |
| Provisioned + Auto Scaling | Steady with bursts |
| Reserved Capacity | Very predictable |
| TTL | Auto-delete expired items |

4.4 Data Transfer Costs

Free Data Transfer

  • Into AWS: Always free
  • Same AZ: Free (using private IP)
  • VPC Peering (same AZ): Free

Charged Data Transfer

  • Different AZ: $0.01/GB each way
  • Different Region: $0.02/GB (varies by region)
  • To Internet: $0.09/GB first 10TB (tiered)

Cost Optimization Tips

✅ Use VPC endpoints (avoid NAT Gateway charges for S3/DynamoDB)

✅ Use S3 Transfer Acceleration wisely (data transfer + acceleration fee)

✅ Compress data before transfer

✅ Keep resources in same AZ when possible

✅ Use CloudFront for frequently accessed content


4.5 Cost Management Tools

| Tool | Purpose |
|---|---|
| AWS Cost Explorer | Visualize spending, forecasts |
| AWS Budgets | Set alerts for spending/usage |
| Cost Allocation Tags | Track costs by project/team |
| AWS Trusted Advisor | Cost optimization recommendations |
| Compute Optimizer | Right-sizing recommendations |
| Savings Plans | Flexible compute discounts |

🔧 KEY AWS SERVICES REFERENCE


Compute Services

| Service | Type | Use Case |
|---|---|---|
| EC2 | IaaS | Full control VMs |
| Lambda | Serverless | Event-driven, <15 min |
| ECS | Containers | Docker on AWS |
| EKS | Kubernetes | Kubernetes on AWS |
| Fargate | Serverless containers | No EC2 management |
| Elastic Beanstalk | PaaS | Deploy apps easily |
| Lightsail | Simple VPS | Simple workloads |
| Batch | Batch computing | Scheduled jobs |
| Outposts | Hybrid | AWS on-prem |

Storage Services

| Service | Type | Use Case |
|---|---|---|
| S3 | Object | Unlimited scalable storage |
| EBS | Block | EC2 persistent volumes |
| EFS | File (NFS) | Shared Linux file system |
| FSx Windows | File (SMB) | Windows file shares |
| FSx Lustre | File (HPC) | High-performance computing |
| Storage Gateway | Hybrid | On-prem to cloud |
| Snow Family | Edge/Transfer | Offline data transfer |

Database Services

| Service | Type | Use Case |
|---|---|---|
| RDS | Relational | MySQL, PostgreSQL, etc. |
| Aurora | Relational | High-performance RDS |
| DynamoDB | NoSQL (Key-Value) | Serverless, milliseconds |
| ElastiCache | In-Memory | Redis/Memcached caching |
| DocumentDB | Document | MongoDB-compatible |
| Neptune | Graph | Social networks, fraud |
| Timestream | Time-series | IoT, monitoring |
| QLDB | Ledger | Immutable, verifiable |
| Keyspaces | Cassandra | Cassandra-compatible |

Networking Services

| Service | Use Case |
|---|---|
| VPC | Isolated virtual network |
| Subnets | Segment VPC |
| Route Tables | Control routing |
| Internet Gateway | Public internet access |
| NAT Gateway | Outbound internet for private subnets |
| VPN | Encrypted connection to on-prem |
| Direct Connect | Dedicated private connection |
| Transit Gateway | Hub for connecting VPCs |
| PrivateLink | Private service access |
| Route 53 | DNS and routing policies |
| CloudFront | CDN |
| Global Accelerator | TCP/UDP acceleration |

Application Integration

| Service | Pattern | Use Case |
|---|---|---|
| SQS | Queue | Decoupling, async |
| SNS | Pub/Sub | Notifications, fan-out |
| EventBridge | Event Bus | Event-driven architecture |
| Step Functions | Workflow | Orchestration |
| AppSync | GraphQL | GraphQL APIs |
| API Gateway | REST/WebSocket | API management |

Security Services

| Service | Purpose |
|---|---|
| IAM | Identity and access |
| Cognito | User authentication |
| KMS | Encryption key management |
| CloudHSM | Hardware security modules |
| Secrets Manager | Secret storage with rotation |
| Certificate Manager | SSL/TLS certificates |
| WAF | Web application firewall |
| Shield | DDoS protection |
| GuardDuty | Threat detection |
| Inspector | Vulnerability scanning |
| Macie | S3 sensitive data |
| Security Hub | Security posture |

Migration Services

| Service | Use Case |
|---|---|
| DMS | Database migration |
| SMS | Server migration |
| DataSync | Data transfer to AWS |
| Transfer Family | SFTP, FTPS, FTP |
| Snowball | Offline data transfer |
| Application Discovery | Discover on-prem apps |
| Migration Hub | Track migrations |

📊 CRITICAL NUMBERS TO MEMORIZE

S3 Limits

| Limit | Value |
|---|---|
| Max object size | 5 TB |
| Single PUT | 5 GB |
| Multipart required | >5 GB |
| Standard-IA transition | 30 days |
| Glacier transition | 90 days |
| Deep Archive transition | 180 days |

Lambda Limits

| Limit | Value |
|---|---|
| Timeout | 15 minutes |
| Memory | 128 MB - 10 GB |
| Package (zip) | 50 MB |
| Package (unzipped) | 250 MB |
| Container image | 10 GB |
| Concurrent executions | 1,000 (default) |
| Payload (sync) | 6 MB |

SQS Limits

| Limit | Value |
|---|---|
| Message size | 256 KB |
| Retention | 1 min - 14 days |
| Visibility timeout | 0s - 12 hours |
| FIFO throughput | 3,000 msg/s (batching) |

Kinesis Limits

| Limit | Value |
|---|---|
| Record size | 1 MB |
| Shard write | 1 MB/s or 1,000 records/s |
| Shard read | 2 MB/s |
| Retention | 24 hours - 365 days |
| Firehose buffer | 60 seconds minimum |

EBS Limits

| Limit | Value |
|---|---|
| Max volume | 64 TiB |
| gp3 IOPS | 16,000 |
| io2 Block Express IOPS | 256,000 |
| Multi-Attach | 16 instances |

RDS/Aurora

| Limit | Value |
|---|---|
| RDS read replicas | 5 |
| Aurora read replicas | 15 |
| Aurora failover | <30 seconds |
| Backup retention | 35 days |
| Aurora storage | 128 TiB |
| Aurora Global DB regions | 5 |

DynamoDB

| Limit | Value |
|---|---|
| Item size | 400 KB |
| GSIs | 20 |
| LSIs | 5 (at creation only) |
| BatchGetItem | 100 items |
| BatchWriteItem | 25 items |

VPC

| Limit | Value |
|---|---|
| VPCs per region | 5 (soft) |
| Subnets per VPC | 200 |
| CIDR blocks per VPC | 5 |
| Elastic IPs | 5 (soft) |
| Security group rules | 60/60 |
| NAT Gateway bandwidth | 45 Gbps |

🎯 EXAM DAY QUICK RULES

"If you see... choose..."

| Trigger Word | Answer |
|---|---|
| "Stateful firewall" | Security Group |
| "Block specific IP" | NACL |
| "Static IP for load balancer" | NLB |
| "Path-based routing" | ALB |
| "Third-party firewall inline" | GWLB |
| "Shared Linux file system" | EFS |
| "Windows file shares" | FSx for Windows |
| "HPC file system" | FSx for Lustre |
| "Millisecond latency NoSQL" | DynamoDB |
| "Complex SQL queries" | RDS/Aurora |
| "Up to 15 read replicas" | Aurora |
| "Serverless, event-driven" | Lambda |
| "Kubernetes" | EKS |
| "Docker, AWS-native" | ECS |
| "Serverless containers" | Fargate |
| "Queue, decouple" | SQS |
| "Fan-out, multiple subscribers" | SNS |
| "Event-driven, SaaS" | EventBridge |
| "Real-time streaming" | Kinesis Data Streams |
| "Near real-time to S3" | Kinesis Data Firehose |
| "Serverless SQL on S3" | Athena |
| "Data warehouse" | Redshift |
| "Big data, Spark, Hadoop" | EMR |
| "Auto-rotate secrets" | Secrets Manager |
| "Free secrets/config storage" | Parameter Store |
| "Threat detection" | GuardDuty |
| "Vulnerability scanning" | Inspector |
| "S3 sensitive data" | Macie |
| "FIPS 140-2 Level 3" | CloudHSM |
| "Who did what" | CloudTrail |
| "Config compliance" | AWS Config |
| "Metrics and alarms" | CloudWatch |
| "Centralized logging" | CloudWatch Logs |
| "Cross-region low latency DB" | Aurora Global Database |
| "Active-active multi-region" | DynamoDB Global Tables |
| "Offline data transfer" | Snowball |
| "Hybrid on-prem storage" | Storage Gateway |
| "Private S3/DynamoDB access (free)" | Gateway Endpoint |
| "Private AWS service access" | Interface Endpoint |
| "Dedicated private connection" | Direct Connect |
| "Quick encrypted VPN" | Site-to-Site VPN |
| "CDN, caching" | CloudFront |
| "Static IP, non-HTTP" | Global Accelerator |
| "Low-latency failover routing" | Route 53 Failover |
| "Geographic content" | Route 53 Geolocation |
| "Traffic split A/B test" | Route 53 Weighted |

✅ FINAL EXAM CHECKLIST

Pre-Exam Review:

  • IAM policies and SCPs understood
  • VPC networking (subnets, routing, NAT, endpoints)
  • Storage selection (S3 classes, EBS types, EFS vs FSx)
  • Database selection (RDS vs Aurora vs DynamoDB)
  • High availability patterns (Multi-AZ, read replicas, ASG)
  • DR strategies (backup/restore, pilot light, warm standby)
  • Messaging patterns (SQS vs SNS vs EventBridge)
  • Serverless patterns (Lambda, API Gateway, DynamoDB)
  • Cost optimization (RIs, Savings Plans, Spot, storage tiering)
  • Encryption (KMS, SSE options, CloudHSM)
  • Critical numbers memorized
  • Quick decision rules reviewed

All the best on your exam! 🚀

Last updated: February 2026
