AWS Cheat Sheet

Cheat Sheet for AWS Solutions Architect Associate

Hitesh Sahu
Written by Hitesh Sahu, a passionate developer and blogger.

Mon Sep 29 2025


AWS Solutions Architect Associate Cheat Sheet

EC2

  • Dedicated Instances: No other customer shares the physical hardware; instances from your own account may still share it.
  • Dedicated Hosts: Book an entire physical server and control EC2 instance placement on it (useful for per-socket/per-core licensing).
  • Tenancy Changes: After launch, tenancy can only be changed between dedicated and host (while the instance is stopped); default tenancy cannot be changed.
  • Instance Combo: Use Reserved Instances for the baseline and On-Demand plus Spot for peaks.
  • User data: Executed as root by default, and readable by any principal allowed ec2:DescribeInstanceAttribute as well as from the instance metadata endpoint, so never put secrets in it; fetch them at boot from Secrets Manager or Parameter Store instead.

Hibernation

  • Saves RAM contents to your Amazon EBS root volume.
    • On start: EBS root volume and RAM contents are restored.
  • To use hibernation, the root volume must be an encrypted EBS volume.
  • When the instance state is stopping, you will not be billed if it is preparing to stop. However, you will still be billed if it is just preparing to hibernate.

Spot Instances

  • Request Types: One-time or persistent (a persistent request re-launches the instance after an interruption).
  • Spot Blocks: Fixed duration (1–6 hours), designed not to be interrupted; AWS no longer offers them to new customers.
  • Instance Termination: Cancelling a Spot request does not terminate instances that are already running; terminate them separately.

Placement Groups

  • Launch Recommendation: Launch all needed instances in a single request, use the same instance type.
  • Capacity Errors: Stop and start all instances in the group to migrate to hardware with sufficient capacity.
  • Types:
    • Spread: Max 7 running instances per AZ per group, each on distinct hardware. Suitable for a small number of critical instances.
    • Cluster: Instances packed close together in one AZ for low latency and high throughput (up to 10 Gbps per single flow); the whole group shares the same failure domain.
    • Partition: Instances in one partition do not share racks with other partitions (up to 7 partitions per AZ); for Hadoop, Cassandra, Kafka.

EC2 Autoscaling Lifecycle Hooks

  • Lifecycle hooks let you run custom actions as the group launches or terminates instances: the instance is held in a wait state until your script completes the hook or the heartbeat timeout expires (default 1 hour).
  • With launch templates, you can provision capacity across multiple instance types using both On-Demand Instances and Spot Instances.
  • You can put an instance in the InService state into Standby, update software or troubleshoot, then return to service.
  • Auto Scaling doesn’t terminate an instance that came into service based on EC2 status checks and ELB health checks until the health check grace period expires.
  • Cool down period: Ensures no additional EC2 instances are launched/terminated before previous scaling activity takes effect (default 300s).
  • Amazon EC2 Auto Scaling does not immediately terminate instances with an Impaired status.
  • Health checks: EC2 status checks are used by default; ELB health checks are only used if you set the health check type to ELB.
  • When multiple policies are in force, Auto Scaling chooses the policy that provides the largest capacity for both scale-out and scale-in.
  • The default value for instance placement tenancy is null, controlled by the tenancy attribute of the VPC.
  • Deleting an EC2 Auto Scaling group (ASG) terminates its instances.
  • Rebalancing AZs: Launches new instances before terminating old ones.
  • Auto Scaling creates a new scaling activity for terminating the unhealthy instance and then launches a new instance to replace it.

S3

  • S3 Standard: No minimum storage duration charge, no retrieval fee.
  • Object-level permissions: Actions on objects inside the bucket (e.g., GetObject, PutObject) need the object ARN, i.e. append /* to the bucket ARN: arn:aws:s3:::test/*. Bucket-level actions (e.g., ListBucket) use the bare bucket ARN.
  • Bucket Policies: Resource-based policies that grant access to a bucket within or across AWS accounts.
  • S3 Sync Command: Uses CopyObject APIs to copy objects between buckets.
  • Replication: Replicates only objects created after it is enabled (use S3 Batch Replication for existing objects); versioning must be enabled on source and destination.
  • Multipart Upload: Recommended for objects > 100 MB and required above 5 GB, since a single PUT is limited to 5 GB; parts are 5 MB–5 GB, up to 10,000 parts.
  • Consistency: Strong read-after-write consistency for all operations (PUT, DELETE, list), delivered automatically.
  • Performance: Parallelize reads and spread load across key prefixes.
  • Versioning: Once enabled, cannot return to unversioned state; can only be suspended.
  • Data Transfer: No charge for inbound data; S3 Transfer Acceleration charges only for transfers it actually accelerated.
  • Range Requests: Use the Range HTTP header in GET Object to fetch byte ranges.
  • Retention: Retention periods apply per object version; different versions can have different retention modes/periods.
  • Max Object Size: 5 TB.
  • Object Ownership: Historically objects were owned by the uploading account and the bucket owner had to be granted access; with the Bucket owner enforced setting (the default for new buckets) ACLs are disabled and the bucket owner owns every object.
  • Object Lock: Store objects with WORM protection (only on versioned buckets).
  • Metadata: Not encrypted; avoid storing sensitive info in user-defined metadata.
  • Event Notification Destinations: SQS, Lambda, SNS (and EventBridge).
  • Website Endpoints (HTTP only; put CloudFront in front for HTTPS):
    • http://bucket-name.s3-website.Region.amazonaws.com
    • http://bucket-name.s3-website-Region.amazonaws.com
  • S3 Select: Query subset of object data using SQL (CSV, JSON, Parquet).
  • Encryption: The x-amz-server-side-encryption header only requests SSE for that one object. To enforce it, add bucket-policy Deny statements for s3:PutObject when the header is missing or has the wrong value, and deny all S3 actions when aws:SecureTransport is false. New objects are now encrypted with SSE-S3 by default.
  • Static Website Hosting on a custom domain via a Route 53 alias: Requires a bucket named exactly after the domain, a registered domain, and Route 53 as DNS.
  • Server Access Logs: Detailed records for requests to the bucket.
  • Request Limits: 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix.
  • Storage Classes: S3 Standard, Intelligent-Tiering, Standard-IA, One Zone-IA, Glacier Instant Retrieval, Glacier Flexible Retrieval, Glacier Deep Archive.

S3 IA

  • Standard-IA and One Zone-IA are for data accessed less frequently but needing rapid access when requested; One Zone-IA keeps a single copy in one AZ, so it does not survive AZ loss and suits reproducible data only.
  • Objects must sit in S3 Standard for 30 days before a lifecycle rule can transition them to Standard-IA or One Zone-IA; both IA classes also have a 30-day minimum storage charge.

S3 Lifecycle Transitions

  • Supported transitions (waterfall model):
    • S3 Standard to any other storage class.
    • Any storage class to S3 Glacier or S3 Glacier Deep Archive.
    • S3 Standard-IA to S3 Intelligent-Tiering or S3 One Zone-IA.
    • S3 Intelligent-Tiering to S3 One Zone-IA.
    • S3 Glacier to S3 Glacier Deep Archive.
  • Encrypted objects remain encrypted throughout transitions.

Glacier

  • Supports encryption by default for data at rest and in transit.
  • Minimum storage duration: 90 days for S3 Glacier, 180 days for S3 Glacier Deep Archive.
  • Data can be stored directly in Amazon S3 Glacier Deep Archive.

Snowball & Snowmobile

  • Snowball Edge Storage Optimized: 80TB, 40 vCPUs, 1TB SATA SSD, up to 40Gb network.
  • Snowball Edge Compute Optimized: 52 vCPUs, 42TB block/object storage, optional GPU.
  • Snowmobile: Up to 100 PB per truck, for data > 10 PB in a single location; AWS has since stopped offering it.

IAM

  • Permissions Boundary: Caps the maximum permissions an identity can have; applies to users and roles only (not groups) and grants nothing by itself.
  • Policy Evaluation: Default deny; an explicit deny in any applicable policy always wins over any allow.
  • Role Assumption: Original permissions are replaced by the role's permissions for the duration of the session.
  • Resource-based Policy: The principal keeps its own permissions while also gaining what the resource policy grants.
  • Policy Condition: aws:RequestedRegion is the region targeted by the API call; use it in an SCP or policy to pin workloads to approved regions.
  • AMI Sharing: You can share an AMI with specific accounts or with an organization.
  • Trust Policy: The only resource-based policy in IAM itself; it names who may assume the role.
  • Certificate Management: Import third-party CA certificates into ACM or the IAM certificate store.
  • Web Identity Federation: Use external IdPs (Amazon, Facebook, Google, any OIDC provider) to obtain temporary credentials.
  • STS: Temporary security credentials for AWS resources (AssumeRole, AssumeRoleWithWebIdentity, AssumeRoleWithSAML).
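The evaluation rules above (default deny, explicit deny wins, boundaries and SCPs only cap) and the S3 note about enforcing encryption through bucket-policy conditions are easy to state and easy to get wrong. The following is an added example, not code from this cheat sheet or from AWS: a toy evaluator, standard library only, that implements just those rules and the three condition operators the sample bucket policy uses. The bucket name `test`, the identity/boundary/SCP documents and the request contexts are constructed for the demo.

```python
"""Toy policy evaluator illustrating the IAM rules above. Constructed for this
cheat sheet; not AWS's engine. Stdlib only, no AWS calls. Supports only the
Action/Resource wildcards and the Bool, StringNotEquals and Null condition
operators used below; the bucket name 'test' and the sample policies are made up."""
from fnmatch import fnmatchcase


def _match(patterns, value):
    """IAM Action/Resource strings accept '*' and '?' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(cond, ctx):
    """Mirrors IAM's missing-key behaviour: a missing key fails Bool,
    satisfies the negated StringNotEquals, and is what Null:true tests for."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool" and (have is None or str(have).lower() != str(want).lower()):
                return False
            if op == "StringNotEquals" and have is not None and have == want:
                return False
            if op == "Null" and (have is None) != (str(want).lower() == "true"):
                return False
    return True


def _decision(policy, action, resource, ctx):
    """'Deny' if any matching statement denies, else 'Allow' if one allows, else None."""
    result = None
    for stmt in policy["Statement"]:
        if (_match(stmt["Action"], action) and _match(stmt.get("Resource", "*"), resource)
                and _condition_holds(stmt.get("Condition", {}), ctx)):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny: stop looking
            result = "Allow"
    return result


def is_allowed(action, resource, ctx, identity=None, resource_policy=None,
               boundary=None, scp=None):
    """Same-account evaluation: any explicit Deny wins; each cap that is present
    (permissions boundary, SCP) must allow; then the identity policy or the
    resource-based policy must allow. Nothing matching means default deny."""
    for p in (identity, resource_policy, boundary, scp):
        if p and _decision(p, action, resource, ctx) == "Deny":
            return False
    for cap in (boundary, scp):
        if cap and _decision(cap, action, resource, ctx) != "Allow":
            return False
    return any(_decision(p, action, resource, ctx) == "Allow"
               for p in (identity, resource_policy) if p)


BUCKET = "arn:aws:s3:::test"   # hypothetical bucket, as in the ARN example above

# Bucket policy that turns the x-amz-server-side-encryption header into a hard
# requirement and refuses plaintext HTTP. The header alone only *requests* SSE.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyPlaintextHttp", "Effect": "Deny", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyWrongSseAlgorithm", "Effect": "Deny", "Action": "s3:PutObject",
     "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyMissingSseHeader", "Effect": "Deny", "Action": "s3:PutObject",
     "Resource": BUCKET + "/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "AllowBucketUse", "Effect": "Allow", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"]},
]}
DEV_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}
S3_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
ORG_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}


def demo():
    """Decisions for a handful of constructed requests (the context keys are
    the real IAM condition keys; the values are made up)."""
    tls = {"aws:SecureTransport": "true"}
    kms = dict(tls, **{"s3:x-amz-server-side-encryption": "aws:kms"})
    sse_s3 = dict(tls, **{"s3:x-amz-server-side-encryption": "AES256"})
    http = dict(kms, **{"aws:SecureTransport": "false"})
    obj = BUCKET + "/report.csv"
    caps = dict(identity=DEV_IDENTITY, resource_policy=BUCKET_POLICY,
                boundary=S3_ONLY_BOUNDARY, scp=ORG_SCP)
    return {
        "put_kms_over_tls": is_allowed("s3:PutObject", obj, kms, **caps),
        "put_without_sse_header": is_allowed("s3:PutObject", obj, tls, **caps),
        "put_sse_s3_instead_of_kms": is_allowed("s3:PutObject", obj, sse_s3, **caps),
        "put_over_plain_http": is_allowed("s3:PutObject", obj, http, **caps),
        "get_over_tls": is_allowed("s3:GetObject", obj, tls, **caps),
        "ec2_cut_by_boundary": is_allowed("ec2:RunInstances", "*", tls, **caps),
        "delete_bucket_cut_by_scp": is_allowed("s3:DeleteBucket", BUCKET, tls, **caps),
    }
```

Only the first and the `GetObject` request succeed: the developer's identity policy allows `ec2:*`, but the boundary never mentions EC2, so the call fails without any Deny; `s3:DeleteBucket` is allowed by every policy except the SCP's explicit Deny, which wins. The two Deny statements on the SSE header are both kept because a missing key and a wrong value are different conditions.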

AWS Organizations

  • Does not offer federation capability.
  • To migrate an account: remove member, invite to new Org, accept invite.
  • SCPs: Central control over the maximum permissions of member accounts; they affect every IAM user and role in the account, including the root user, but not service-linked roles, and they never apply to the management account. Like permissions boundaries, they grant nothing by themselves.

VPC

  • VPN Connection: Virtual Private Gateway (AWS side) to Customer Gateway (on-premises side); two IPsec tunnels per connection.
  • The standard VPC scenarios do not include a VPC with only a public subnet plus a Site-to-Site VPN; the VPN scenarios use private subnets.
  • Private IP Ranges (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
  • AWS reserves 5 IPs per subnet: the network address, VPC router (+1), Amazon DNS (+2), future use (+3), and the broadcast address.
  • Shared Services VPC: Centralized access to shared resources.
  • AZ ID: Uniquely identifies an AZ across accounts (AZ names such as us-east-1a are mapped differently per account).
  • Subnet Public IP: Auto-assign public IPv4 is false for non-default subnets and true for default subnets.
  • Cannot disable IPv4 support on a VPC.
  • Subnets without an explicit route-table association use the VPC's main route table.
  • Allowed Block Size: /16 to /28.
  • ENIs: The primary ENI cannot be detached; secondary ENIs can be moved between instances in the same AZ.
  • Security Groups: Stateful; the default rule set denies all inbound and allows all outbound, and a rule can reference another security group instead of a CIDR.
  • NACLs: Stateless, evaluated in ascending rule-number order with the first match winning, defined at subnet level; return traffic needs its own rule on the ephemeral port range.
  • CloudHub: Hub-and-spoke connectivity between multiple customer sites over AWS VPN.
  • Direct Connect: Max resilience with separate connections, devices and locations.
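Two of the VPC facts above are worth seeing executed: the five reserved addresses per subnet, and the difference between a stateless NACL and a stateful security group. The code below is an added example, not part of the cheat sheet and not an AWS tool; it is standard library only, and the addresses, ports and rule numbers are constructed for the demo. The NACL model is first-match-by-rule-number with an implicit deny; the security-group model tracks admitted flows so replies pass without an outbound rule.

```python
"""Added example for the VPC notes above (constructed, stdlib only; addresses
and rule numbers are made up). Part 1 lists the five addresses AWS reserves in
a subnet. Part 2 models a stateless NACL (first match by rule number, implicit
deny) beside a stateful security group, to show why return traffic on
ephemeral ports needs its own NACL rule but no extra security-group rule."""
import ipaddress


def subnet_reserved(cidr):
    """(reserved addresses by role, usable host count) for a VPC subnet."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("VPC CIDR blocks must be between /16 and /28")
    base = int(net.network_address)
    reserved = {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.IPv4Address(base + 1)),
        "amazon_dns": str(ipaddress.IPv4Address(base + 2)),
        "future_use": str(ipaddress.IPv4Address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }
    return reserved, net.num_addresses - 5


# A NACL rule: (rule number, protocol, (low port, high port), cidr, "allow"|"deny").
def nacl_allows(rules, proto, port, addr):
    """Evaluate in ascending rule-number order; first match wins; '*' denies."""
    for _number, rule_proto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if (rule_proto in (proto, "all") and lo <= port <= hi
                and ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)):
            return action == "allow"
    return False


INBOUND = [(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
# A lower-numbered deny is evaluated before the allow, so this one client is blocked.
INBOUND_BLOCK_ONE = [(90, "tcp", (443, 443), "203.0.113.10/32", "deny")] + INBOUND
OUTBOUND_TOO_TIGHT = [(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
OUTBOUND_FIXED = OUTBOUND_TOO_TIGHT + [(110, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]


def https_round_trip_via_nacl(inbound, outbound, client="203.0.113.10", client_port=49152):
    """The request arrives on 443; the reply leaves for the client's ephemeral
    port, which the stateless outbound NACL must allow explicitly."""
    request_in = nacl_allows(inbound, "tcp", 443, client)
    reply_out = nacl_allows(outbound, "tcp", client_port, client)
    return request_in and reply_out


class SecurityGroup:
    """Stateful: an inbound flow admitted by a rule is tracked, and its replies
    pass regardless of outbound rules. Rules: (proto, (lo, hi), cidr)."""

    def __init__(self, inbound_rules):
        self.inbound = inbound_rules
        self.tracked = set()

    def allows_inbound(self, proto, port, src, src_port):
        for rule_proto, (lo, hi), cidr in self.inbound:
            if (rule_proto == proto and lo <= port <= hi
                    and ipaddress.ip_address(src) in ipaddress.ip_network(cidr)):
                self.tracked.add((proto, src, src_port, port))
                return True
        return False

    def allows_reply(self, proto, dst, dst_port, src_port):
        return (proto, dst, dst_port, src_port) in self.tracked


def https_round_trip_via_sg(client="203.0.113.10", client_port=49152):
    # The default security group has no inbound rules at all; this one opens 443.
    sg = SecurityGroup([("tcp", (443, 443), "0.0.0.0/0")])
    return (sg.allows_inbound("tcp", 443, client, client_port)
            and sg.allows_reply("tcp", client, client_port, 443))
```

A `/24` subnet yields 251 usable addresses, not 254. With `OUTBOUND_TOO_TIGHT` the HTTPS handshake completes inbound and the server's reply is silently dropped, which is the classic "NACL looks right but nothing works" symptom; adding rule 110 for 1024–65535 fixes it, while the security group needs no outbound change at all.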

Direct Connect

  • Dedicated Connection: 1, 10 or 100 Gbps ports.
  • Hosted Connection: 50 Mbps–10 Gbps from a Direct Connect partner, scalable.
  • Data in transit is private but not encrypted by default; run a Site-to-Site VPN over the connection or use MACsec on supported dedicated ports.

Transit Gateway

  • Network transit hub for VPCs and on-premises networks.
  • Supports ECMP routing over multiple VPN tunnels.

NAT

  • NAT Instance: Can double as a bastion, supports security groups and port forwarding; you must disable the source/destination check.
  • NAT Gateway: IPv4 only, lives in a public subnet in one AZ (deploy one per AZ for resilience), no security groups.
  • Egress-only Internet Gateway: The IPv6 counterpart; IPv6 addresses are already public, so it does not translate but statefully allows outbound-initiated traffic only.

Route53

  • Multi-value Routing: Up to 8 healthy records per query.
  • External Domain Integration: Update nameservers on registrar.
  • Inbound/Outbound Endpoints: For DNS resolution between AWS and on-premises.
  • Cannot create CNAME for zone apex; use alias record.
  • Alias queries to AWS resources are free; CNAME queries are charged.
  • VPC Settings: enableDnsHostnames, enableDnsSupport must be true.
  • Failover: Active-active (all resources available), active-passive (primary/secondary standby).

EBS

  • Root volume for AMI backed by EBS is deleted on instance termination.
  • Encrypted EBS: Data at rest, in transit, snapshots, and volumes from snapshots are encrypted.
  • gp2: 1 GiB–16 TiB, max 16,000 IOPS (burstable); gp3 decouples IOPS and throughput from size.
  • io1/io2: 4 GiB–16 TiB, max 64,000 IOPS; 50:1 IOPS per GiB for io1, 500:1 for io2.
  • io2 Block Express: Up to 256,000 IOPS, 1,000:1 IOPS:GiB ratio, volumes up to 64 TiB.
  • st1: Max 500 MB/s, 500 IOPS.
  • sc1: Max 250 MB/s, 250 IOPS.
  • Multi-Attach: Attach io1/io2 to multiple instances in same AZ.
  • st1/sc1 cannot be used for boot volumes.
  • EBS volumes are locked to AZ; snapshot to move to other AZ.
  • Copying unencrypted snapshot allows encryption.
  • Copying AMI to another region creates EBS snapshot in new region.
  • RAID 0: Performance; RAID 1: Fault tolerance.
  • DeleteOnTermination can be set to false for root EBS volume.
  • In-progress snapshot not affected by ongoing reads/writes.
  • Encryption by Default: Enforces encryption for new volumes/snapshots.
  • Amazon EBS does not support asymmetric CMKs.
  • Instance Store: Temporary block-level storage, ideal for buffers, caches, scratch data.

EFS

  • Control EC2 access with security group rules and IAM policies.
  • Thousands of concurrent NFS clients, over 10 GB/s aggregate throughput.
  • Use EFS Access Points for application access.
  • Max I/O Mode: Higher throughput, higher latency.
  • General Purpose Mode: Latency-sensitive use cases.
  • Provisioned Throughput Mode: For high throughput/storage ratio.
  • Bursting Throughput Mode: Burst to high throughput for periods.
  • Higher price than EBS.
  • Max days for EFS lifecycle policy: 90.

Amazon FSx for Lustre

  • High-performance file system for ML, HPC, video, financial modeling.
  • Process hot data in parallel/distributed fashion, store cold data on S3.

RDS

  • Multi-AZ synchronous replication; no extra data transfer charges.
  • Read replicas: Asynchronous replication, up to 5 per instance for most engines, cross-AZ or cross-region; a replica can only be encrypted if its source is.
  • Backups: Daily automated snapshot plus transaction logs uploaded every 5 minutes, so you can restore to any point inside the retention window.
  • Supports storage autoscaling.
  • IAM DB authentication for MySQL/PostgreSQL (token, 15min lifetime).
  • Enhanced Monitoring for OS metrics.
  • To encrypt unencrypted DB: snapshot, create encrypted copy, restore, terminate previous.
  • Engine upgrades require downtime, even with Multi-AZ.
  • OS updates: maintenance on standby, promote standby, maintain old primary.
  • Max backup retention: 35 days.

Aurora

  • Storage auto-scales up to 128 TiB per cluster volume (shared by every instance in the cluster).
  • Aurora cluster: one primary, up to 15 replicas.
  • Failover priority for replicas (tier 0–15).
  • Aurora Global Database: span multiple regions, sub-second access.
  • Storage grows in 10GB increments.
  • Multi-master cluster: All instances can write (Aurora MySQL only, now deprecated); the normal design is one writer plus readers.
  • Endpoints for mapping connections.
  • Reader endpoint load-balances among replicas.
  • Aurora Serverless auto-recreates DB in different AZ if unavailable.

DynamoDB

  • DAX: In-memory cache in front of DynamoDB, up to 10x read performance.
  • Capacity modes: Provisioned (set RCU/WCU, optionally with auto scaling) or On-Demand (pay per request, no capacity planning).
  • Streams: Item-level changes streamed to other services (e.g., Lambda), 24h retention.
  • Global Tables: Multi-region, multi-active replication; requires Streams to be enabled.
  • Query only on the partition key (optionally with sort-key conditions) or on a secondary index; anything else is a Scan.
  • All tables encrypted at rest by default under an AWS owned key; an AWS managed or customer managed KMS key can be chosen instead.
  • KCL note: the Kinesis Client Library keeps its lease/checkpoint table in DynamoDB; if shard iterators keep expiring, increase that table's write capacity.

ElastiCache

  • Sub-millisecond latency caching.
  • Memcached: Multithreaded.
  • Redis: HIPAA compliant, supports replication, high availability, cluster sharding.
  • Redis AUTH for token/password security.
  • IAM Auth: Historically not supported; ElastiCache for Redis 7+ now supports IAM authentication.

Redshift

  • Spectrum: Query structured/semi-structured data in S3.
  • OLAP.
  • Enhanced VPC routing; copy/unload via VPC.
  • Copy snapshots to another region for DR.

CloudWatch

  • Metrics belong to namespaces; a metric can carry up to 30 dimensions (the limit was 10 for many years).
  • EC2 instance recovery: public IPv4 retained, in-memory data lost.
  • CloudWatch Events can run ECS tasks on AWS events.

EventBridge

  • Recommended for event-based apps integrating SaaS/AWS services.

Encryption/Secrets

  • Key Policies: The primary control over who can use or administer a KMS key; IAM policies only take effect if the key policy delegates to them.
  • Automatic Key Rotation: Optional yearly rotation for symmetric customer managed keys (the interval is now configurable); AWS managed keys rotate automatically.
  • SSE-KMS: Server-side encryption with KMS keys; every key use is logged in CloudTrail.
  • Key Deletion: Scheduled with a mandatory waiting period of 7–30 days during which it can be cancelled; data encrypted under a deleted key is unrecoverable.
  • SSE-C: Customer-provided keys sent with each request over HTTPS; S3 performs the encryption, discards the key, and stores only a salted HMAC of it to validate later requests.
  • SSE-S3: S3-managed keys, AES-256.
  • Client-side encryption: Encrypt before upload when you need your own algorithms or must never expose plaintext to AWS.

Secrets Manager

  • RDS integration.
  • Force secret rotation every X days.

SSM Parameter Store

  • Parameter policies (advanced tier): Expiration, ExpirationNotification and NoChangeNotification let you expire a parameter automatically or alert when it is stale.

CloudHSM

  • Dedicated hardware, manage own keys.
  • Good with SSE-C.
  • Possible key loss if not using two or more HSMs.

Kinesis

  • Data Streams: Default retention 24 hours; extended retention up to 7 days and long-term retention up to 365 days.
  • Per shard: 1 MB/s or 1,000 records/s ingest; 2 MB/s output shared by all standard consumers.
  • Enhanced fan-out: Each consumer gets its own 2 MB/s per shard, pushed over HTTP/2, for parallel consumers.
  • Multiple applications can consume the same stream.
  • Records are ordered within a shard.
  • The partition key routes related records to the same shard and therefore the same processor.
  • Firehose: Auto-scales, no shard provisioning, near-real-time (buffered) delivery.
  • Kinesis Agent cannot write to a Firehose stream whose source is a Data Stream; write to the Data Stream instead.
  • Firehose destinations: S3, Redshift, OpenSearch (formerly Elasticsearch), HTTP endpoints, Datadog, New Relic, MongoDB, Splunk.
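The routing and sizing bullets above are concrete enough to compute. The following is an added example, not code from the cheat sheet or from AWS: it maps a partition key to a shard the way Kinesis Data Streams does (MD5 of the key as a 128-bit integer, shards owning contiguous hash-key ranges) and sizes a stream from the per-shard quotas. The even split of the hash space approximates the default layout CreateStream produces; the sensor ids and rates are made up.

```python
"""Added example (constructed, stdlib only): how a Kinesis partition key is
mapped to a shard. Each shard owns a contiguous slice of the 128-bit hash-key
space and a record goes to the shard whose slice contains MD5(partition key),
so records sharing a key stay in order on one shard and reach one worker.
The even split used here approximates CreateStream's default layout; the
sizing helper applies the per-shard quotas listed above. Sensor ids are made up."""
import hashlib
import math

HASH_KEY_SPACE = 2 ** 128
SHARD_WRITE_BYTES = 1_000_000     # 1 MB/s per shard
SHARD_WRITE_RECORDS = 1_000       # 1,000 records/s per shard
SHARD_READ_BYTES = 2_000_000      # 2 MB/s per shard, shared by standard consumers


def hash_key(partition_key):
    """Kinesis uses MD5 of the partition key as a 128-bit integer (a placement
    hash, not a security primitive)."""
    return int.from_bytes(hashlib.md5(partition_key.encode("utf-8")).digest(), "big")


def shard_ranges(shard_count):
    """Evenly split the hash-key space into inclusive (start, end) ranges."""
    size = HASH_KEY_SPACE // shard_count
    ranges = []
    for i in range(shard_count):
        start = i * size
        end = HASH_KEY_SPACE - 1 if i == shard_count - 1 else start + size - 1
        ranges.append((start, end))
    return ranges


def shard_for(partition_key, shard_count):
    hk = hash_key(partition_key)
    for idx, (start, end) in enumerate(shard_ranges(shard_count)):
        if start <= hk <= end:
            return idx
    raise RuntimeError("hash key outside every shard range")


def shards_needed(records_per_sec, avg_record_bytes, consumers=1, enhanced_fan_out=False):
    """Minimum shards to satisfy the ingest quotas and the consumers' read demand."""
    write_bytes = records_per_sec * avg_record_bytes
    by_bytes = math.ceil(write_bytes / SHARD_WRITE_BYTES)
    by_records = math.ceil(records_per_sec / SHARD_WRITE_RECORDS)
    # Standard consumers share 2 MB/s per shard; enhanced fan-out gives each its own 2 MB/s.
    readers = 1 if enhanced_fan_out else consumers
    by_read = math.ceil(write_bytes * readers / SHARD_READ_BYTES)
    return max(by_bytes, by_records, by_read, 1)


def routing_demo(shard_count=4, keys=("sensor-17", "sensor-42", "sensor-17", "sensor-99")):
    """Same key -> same shard; returns the shard index for each record."""
    return [shard_for(k, shard_count) for k in keys]
```

Two things fall out of the sizing helper: 500 records/s of 5 KB each needs 3 shards for ingest, but 4 if three standard consumers all read the stream, and back to 3 with enhanced fan-out. And because a hot partition key always lands on one shard, adding shards does not help a single key that exceeds 1 MB/s; you have to change the key.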

SQS

  • Messaging semantics: Receive, process, then delete; a message that is not deleted becomes visible again after the visibility timeout (default 30s, max 12 hours).
  • FIFO queues: 300 messages/sec without batching, 3,000 with batching; the name must end in .fifo and is limited to 80 characters.
  • Message retention: 4 days default, 14 days max.
  • Limit: 256 KB per message (use the Extended Client Library with S3 for larger payloads).
  • Message group ID (FIFO): Messages in the same group are delivered in order; spread work over many group IDs to scale consumers.
  • Delay queues: 0–15 min delay applied to every message in the queue.
  • Message timers: Per-message initial invisibility period.
  • Temporary queues: Multiplex low-traffic request/response queues onto one SQS queue (Temporary Queue Client).
  • Unlimited messages per queue; in-flight quota: 120,000 (standard), 20,000 (FIFO).
  • Standard queues: At-least-once delivery, best-effort ordering; FIFO: exactly-once processing with deduplication over a 5-minute window.
  • Up to 10 message attributes per message.
  • Short polling (default) may return empty responses; enable long polling by setting ReceiveMessageWaitTimeSeconds > 0 (max 20s).
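At-least-once delivery and FIFO deduplication are the two SQS properties that most often surprise a consumer. The code below is an added example, not part of the cheat sheet and not the SQS service or SDK: an in-memory model of the visibility timeout, the 256 KB limit, MessageDeduplicationId with the 5-minute window, and MessageGroupId ordering. Time is an integer passed in by the caller so the runs are deterministic; the message bodies and group ids are made up.

```python
"""Added example (constructed, stdlib only): an in-memory model of the SQS
semantics listed above, not the SQS service or SDK. A standard queue is
at-least-once: a message received but not deleted before its visibility
timeout expires becomes visible again and is redelivered. A FIFO queue drops
a second send with the same MessageDeduplicationId inside a 5-minute window
and hands out messages of one MessageGroupId in order, holding back the rest
of the group while one is in flight. Time is an integer the caller passes in.
Message bodies and group ids are made up."""
import hashlib

DEFAULT_VISIBILITY_TIMEOUT = 30   # seconds
DEDUP_WINDOW = 300                # seconds
MAX_BODY_BYTES = 256 * 1024


class Queue:
    def __init__(self, fifo=False, visibility_timeout=DEFAULT_VISIBILITY_TIMEOUT):
        self.fifo = fifo
        self.visibility_timeout = visibility_timeout
        self.messages = []       # dicts in arrival order
        self.seen = {}           # dedup id -> time first accepted
        self._receipts = 0

    def send(self, body, now, group_id=None, dedup_id=None):
        if len(body.encode("utf-8")) > MAX_BODY_BYTES:
            raise ValueError("body exceeds the 256 KB limit; put it in S3 instead")
        if self.fifo:
            if group_id is None:
                raise ValueError("FIFO queues require a MessageGroupId")
            # Content-based deduplication is the fallback when no id is given.
            dedup_id = dedup_id or hashlib.sha256(body.encode("utf-8")).hexdigest()
            first = self.seen.get(dedup_id)
            if first is not None and now - first < DEDUP_WINDOW:
                return False      # SQS reports success but does not enqueue a duplicate
            self.seen[dedup_id] = now
        self.messages.append({"body": body, "group": group_id,
                              "invisible_until": 0, "receipt": None})
        return True

    def receive(self, now, max_messages=1):
        """Return [(receipt handle, body)] and hide each returned message."""
        out = []
        # FIFO: a group with an in-flight message yields nothing until that
        # message is deleted or its visibility timeout expires.
        locked = {m["group"] for m in self.messages
                  if self.fifo and m["invisible_until"] > now}
        for m in self.messages:
            if len(out) >= max_messages:
                break
            if m["invisible_until"] > now or m["group"] in locked:
                continue
            m["invisible_until"] = now + self.visibility_timeout
            self._receipts += 1
            m["receipt"] = f"receipt-{self._receipts}"
            out.append((m["receipt"], m["body"]))
        return out

    def delete(self, receipt):
        self.messages = [m for m in self.messages if m["receipt"] != receipt]


def at_least_once_demo():
    """Consumer dies before DeleteMessage; the message comes back after 30s."""
    q = Queue()
    q.send("order-1", now=0)
    first = q.receive(now=0)[0][1]
    hidden = q.receive(now=10) == []
    redelivered = q.receive(now=31)
    q.delete(redelivered[0][0])
    return {"first": first, "hidden_during_timeout": hidden,
            "redelivered": redelivered[0][1], "empty_after_delete": q.receive(now=40) == []}


def fifo_demo():
    """Dedup inside the window and per-group ordering."""
    q = Queue(fifo=True)
    accepted = [q.send("pay-1", now=0, group_id="cust-A", dedup_id="pay-1"),
                q.send("pay-2", now=1, group_id="cust-A", dedup_id="pay-2"),
                q.send("pay-9", now=2, group_id="cust-B", dedup_id="pay-9"),
                q.send("pay-1", now=120, group_id="cust-A", dedup_id="pay-1")]  # client retry
    first = q.receive(now=200, max_messages=1)                          # pay-1 locks cust-A
    while_locked = [b for _, b in q.receive(now=201, max_messages=10)]  # only cust-B is served
    q.delete(first[0][0])
    after_delete = [b for _, b in q.receive(now=202, max_messages=10)]  # pay-2 is released
    return {"accepted": accepted, "first": first[0][1],
            "while_locked": while_locked, "after_delete": after_delete}
```

The practical lessons: make processing idempotent on a standard queue, because `order-1` is delivered twice when the consumer does not delete it in time; and on a FIFO queue use many group ids, because while `pay-1` is in flight nothing else from `cust-A` is served no matter how many consumers poll.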

SNS

  • Event producers send to one topic; many subscribers.
  • 100,000 topics limit.
  • Message filtering via filter policy.
  • SNS FIFO for strict ordering and deduplication.

Load Balancers

  • LBs scale, but not instantaneously; for a known spike, ramp traffic gradually or ask support to pre-warm.
  • Deregistration delay (connection draining): Default 300s, configurable 0–3600s; lets in-flight requests finish before a target is removed.
  • Cross-Zone LB: Distributes traffic evenly across targets in all enabled AZs.
  • Application LB: Layer 7; host/path/header/method/query/source-IP routing, Cognito and OIDC authentication, SNI support, weighted target groups; the client IP arrives in X-Forwarded-For.
  • Network LB: Layer 4; static IP per AZ, preserves the client source IP, TLS offload; historically no security groups (now optional).
  • Classic LB: Legacy; no SNI support.

Lambda

  • Default 1,000 concurrent executions per account per region (soft limit, raise via quota request); reserved concurrency caps a single function.
  • Supported runtimes: Node.js, Python, Java, .NET (C#, PowerShell), Go, Ruby, plus custom runtimes and container images.
  • Lambda@Edge: Deploy to each region with CloudFront.
  • Memory: 128MB–10,240MB.
  • VPC access requires sufficient ENI/subnet IPs.

Step Functions

  • Serverless workflow orchestration.

CloudFront

  • Offloads delivery from S3: transfer from S3 to CloudFront edges is free, and CloudFront egress pricing is typically lower than S3's.
  • Improves performance for static content.
  • Dynamic content goes direct to origin.
  • Cognito integration via Lambda@Edge.
  • Multiple origins based on content type.
  • Field-level encryption at edge.
  • Signed cookies/URLs for restricted access.
  • Cache-Control/Expires headers control cache duration.

Global Accelerator

  • Directs traffic to optimal endpoints over AWS global network.
  • Two static anycast IPs as entry points.
  • Good for non-HTTP use cases (UDP, MQTT, VoIP).
  • Endpoint weights for traffic proportion.

WAF

  • Block/allow requests by conditions (IP, Geo).
  • Geo match for country-based access.
  • Protects against SQL injection/XSS.
  • Rate-based rules for DDoS.

Firewall Manager

  • Centrally manage firewall rules across accounts/resources.
  • Covers WAF, Shield Advanced, security groups, Network Firewall and Route 53 Resolver DNS Firewall; historically did not manage Network ACLs (AWS has since added NACL policies).

AWS Shield

  • DDoS protection (SYN/UDP floods, reflection, layer 3/4).

EMR

  • Big data platform for Spark, Hive, HBase, Flink, Hudi, Presto, Hadoop.

Beanstalk

  • Easy deployment/scaling for Java, .NET, PHP, Node.js, Python, Ruby, Go, Docker.
  • Handles provisioning, LB, auto-scaling, health monitoring.
  • App files in S3; logs in S3 or CloudWatch.

CloudFormation

  • StackSet for multi-account/region stack operations.
  • CreationPolicy attribute for resource config wait.

Cognito

  • User Pools: Built-in user management.
  • Identity Pools: Temporary AWS credentials for users.

AWS Database Migration Service

  • Migrate data from supported sources to AWS DBs, warehouses, streaming platforms.

Storage Gateway

  • File Gateway: SMB/NFS access to S3 with local caching.
  • Volume Gateway: iSCSI block storage for on-prem apps.
  • Tape Gateway: Archive to Glacier/Deep Archive.

DataSync

  • Move large data from on-prem to AWS, direct to Glacier/Deep Archive.

AppSync

  • Store/sync data across mobile/web apps in real-time.

CloudTrail

  • Event log files are encrypted with SSE-S3 by default; SSE-KMS is optional.
  • Enable log file integrity validation: CloudTrail delivers hourly digest files (SHA-256 hashes of the log files, RSA-signed) so you can prove logs were not modified or deleted after delivery.

X-Ray

  • Analyze/debug distributed apps, end-to-end request view, component map.
  • Agent can assume role to publish data to different account.

GuardDuty

  • Threat detection for AWS accounts, workloads, S3.
  • Analyzes CloudTrail, VPC Flow Logs, DNS Logs.
  • Disabling deletes all findings and data; suspending stops analysis but keeps them.

Macie

  • Discover/protect sensitive S3 data.

Inspector

  • Check for unintended network accessibility/vulnerabilities on EC2.

Rekognition

  • Automate image/video analysis with ML.

VPC Endpoints

  • Attach endpoint policy to control access to service.

Gateway Endpoints

  • Target for route table for S3/DynamoDB traffic.

Interface Endpoints

  • ENI with private IP as entry point for supported service.

Enhanced Networking

  • ENA: Up to 100Gbps, supports Windows.
  • EFA: Accelerate HPC/ML apps, ENA with added capabilities, not for Windows.

API Gateway

  • REST/HTTP APIs: Stateless request/response.
  • WebSocket APIs: Stateful, persistent full-duplex connections (routes on $connect, $disconnect, $default).
  • All API Gateway endpoints are HTTPS only.

SWF

  • Use for external signals, child process return values, decoupled architectures.
  • Guarantees task assignment (never duplicated, assigned once).

AWS Backup

  • Centralized backup service, backup plan defines schedule/policy.

AWS Batch

  • Multi-node parallel jobs.

AWS ParallelCluster

  • Cluster management for HPC, automates VPC/subnet/cluster creation.

AD Connector

  • Allow on-prem users to log in to AWS apps/services with AD credentials.

AWS Managed Microsoft AD

  • Trust relationship between AWS Managed AD and on-prem AD, SSO access.

Data Transfer

  • No charge for inbound data transfer.
  • Outbound charged per service/region.
  • Cross-region transfer is charged.
  • Within same AZ is free.
  • VPC peering within AZ is free; cross-AZ/region is charged.
  • Data processing charges for VPC, Direct Connect, VPN to Transit Gateway.
  • Direct Connect & VPN also charged for outbound.

Important Ports

  • FTP: 21
  • SSH/SFTP: 22
  • HTTP: 80
  • HTTPS: 443
  • RDP: 3389
  • PostgreSQL: 5432
  • MySQL/MariaDB: 3306
  • Oracle RDS: 1521
  • MSSQL Server: 1433
  • Aurora: 5432 (PostgreSQL) or 3306 (MySQL)

Disaster Recovery in AWS

  • RPO: Recovery Point Objective — how much data loss is acceptable.
  • RTO: Recovery Time Objective — downtime between disaster and recovery.