🏗️AWS Solutions Architect Associate Flash Cards
Prepare for SAA-C03 with 400+ comprehensive flashcards
AWS Solutions Architect Associate (SAA-C03) Exam Questions and Answers
Compute Services Questions
When should you use Lambda vs Fargate vs EC2?
Lambda: Event-driven, less than 15 minutes execution, automatic scaling, pay per invocation. Use for APIs and data processing. Fargate: Containerized apps, long-running tasks, no server management, pay for vCPU/memory. Use for microservices and batch jobs. EC2: Full OS control, custom software, persistent storage, predictable performance. Use for legacy apps and databases.
What is the difference between ECS and EKS?
ECS (Elastic Container Service) is AWS native, simpler to use, uses task definitions, integrated with AWS services, no additional charge. EKS (Elastic Kubernetes Service) is Kubernetes standard, portable workloads, more complex, better for multi-cloud, costs $0.10/hour per cluster. Both support Fargate and EC2 launch types with auto scaling.
What are EC2 placement groups and their strategies?
Cluster Placement: Same rack, same AZ, 10 Gbps network, lowest latency, higher failure risk. Use for HPC and big data. Spread Placement: Different hardware, max 7 instances/AZ, individual failure isolation. Use for critical applications. Partition Placement: Logical partitions, up to 7 partitions/AZ, 100s of instances. Use for Hadoop, Cassandra, Kafka.
What is EC2 Instance Store vs EBS?
Instance Store: Physically attached disks, ephemeral storage, very high IOPS (millions), lost on stop/terminate, no snapshots, free with instance. EBS: Network attached, persistent storage, up to 256,000 IOPS (io2), survives stop/terminate, snapshot support, additional cost. Use Instance Store for temporary data, cache/buffers, and replicated data.
Storage and Database Questions
What is Aurora and how does it differ from RDS?
Aurora advantages: 5x MySQL, 3x PostgreSQL performance, storage auto-scales (10GB-128TB), 6 copies across 3 AZs, self-healing storage, 15 read replicas vs 5, instant failover (under 30 seconds). Aurora Serverless offers auto start/stop, auto-scaling, per-second billing. RDS is better for Oracle, SQL Server, specific versions needed, and lower cost for small workloads.
What is DynamoDB and its features?
DynamoDB is a NoSQL key-value/document database with single-digit millisecond latency, serverless, Multi-AZ by default. Capacity modes include Provisioned (predictable, auto-scaling) and On-Demand (unpredictable, 2.5x more expensive). Features include Global Tables, DynamoDB Streams, DAX (microsecond cache), point-in-time recovery, and encryption at rest. Limits: 400 KB item size.
What are the different S3 storage classes and their use cases?
Frequently Accessed: S3 Standard (general purpose), S3 Express One Zone (single-digit ms). Infrequent Access: S3 Standard-IA (≥30 days, rapid access), S3 One Zone-IA (non-critical data), S3 Intelligent-Tiering (auto-tiering). Archive: Glacier Instant (millisecond retrieval), Glacier Flexible (1-12 hours retrieval), Glacier Deep Archive (12-48 hours).
What is ElastiCache and Redis vs Memcached?
Redis: Complex data types, persistence to disk, Pub/Sub messaging, Multi-AZ with failover, backup and restore, sorted sets, geospatial, single-threaded. Memcached: Simple key-value, no persistence, no pub/sub, no backup, multi-threaded, sharding. Use Redis for leaderboards, session store, pub/sub. Use Memcached for simple cache, multi-core.
Networking and Content Delivery Questions
What is a VPC and its key components?
VPC Components include Subnets (Public with route to IGW, Private with no direct internet, span single AZ), Route Tables (direct traffic, local routes automatic), Internet Gateway (VPC internet access, horizontally scaled), NAT Gateway/Instance (outbound for private subnets, NAT Gateway managed at 45 Gbps). CIDR ranges from /16 to /28 (16-65,536 IPs).
What are Route 53 routing policies?
Simple: Single resource. Weighted: Traffic distribution percentage. Latency: Lowest latency region. Failover: Active-passive with health checks. Geolocation: Based on user location. Geoproximity: Geographic plus bias. Multi-value: Multiple IPs with health checks. Health Checks support HTTP/HTTPS/TCP, endpoint monitoring, CloudWatch alarms, calculated checks.
What is AWS Global Accelerator vs CloudFront?
Global Accelerator: Layer 4 (TCP/UDP), fixed anycast IPs, no caching, proxying to origin, for gaming, IoT, Voice. CloudFront: Layer 7 (HTTP/HTTPS), dynamic DNS, content caching, serve from edge, for web content and APIs. Both use AWS global network, DDoS protection, and edge locations. Choose GA for non-HTTP, static IPs, TCP/UDP.
What are VPC Endpoints (Interface vs Gateway)?
Gateway Endpoints: S3 and DynamoDB only, free, route table entry, regional, no security groups. Interface Endpoints: Most AWS services, ENI with private IP, $0.01/hour/AZ, security groups apply, DNS changes, cross-region possible. Both support endpoint policies. Best Practice: Use Gateway for S3/DynamoDB (free).
High Availability and Scaling Questions
What are the different disaster recovery strategies and their RTO/RPO?
Backup & Restore: RTO/RPO hours, lowest cost, data backed up to S3. Pilot Light: RTO/RPO 10s of minutes, core services running minimal. Warm Standby: RTO/RPO minutes, scaled-down version running. Multi-Site Active-Active: RTO/RPO real-time, highest cost, full production in multiple regions.
How does Auto Scaling work and what are its components?
Components include Launch Template/Configuration (AMI ID, instance type, security groups, user data), Auto Scaling Group (Min/Max/Desired capacity, health checks EC2/ELB, Availability Zones, cooldown periods), and Scaling Policies (target tracking for CPU/requests, step scaling, simple scaling, scheduled scaling). Best practice: Use multiple metrics and warm-up periods.
What is the difference between Multi-AZ and Read Replicas in RDS?
Multi-AZ: Purpose is high availability, synchronous replication, same region only, automatic failover (1-2 min), same DNS endpoint, no read scaling. Read Replicas: Purpose is read scaling, asynchronous replication, cross-region possible, manual promotion, different DNS endpoint, limit of 5 replicas (15 for Aurora). Can combine both for HA plus performance.
Security and Compliance Questions
What is the AWS Shared Responsibility Model?
AWS Responsibility (Security OF the Cloud): Physical security of data centers, hardware and infrastructure, network infrastructure, hypervisor, managed service configuration. Customer Responsibility (Security IN the Cloud): Data encryption, IAM users and credentials, operating system patches (EC2), network and firewall configuration, application security, customer data.
What is the IAM policy evaluation logic, and what are its precedence rules?
Policy Evaluation Order: 1. Explicit Deny always wins, 2. Organizations SCPs (Service Control Policies), 3. Resource-based policies (S3 bucket policies), 4. Identity-based policies (User/Group/Role policies), 5. IAM permissions boundaries (maximum permissions), 6. Session policies (temporary credentials). Default is implicit deny if no explicit allow.
What are VPC Security Groups vs Network ACLs?
Security Groups: Instance level (ENI), stateful, allow only rules, all rules evaluated, default deny all inbound and allow all outbound. Network ACLs: Subnet level, stateless, allow and deny rules, rules processed in number order, default allow all traffic. Best Practice: Use both for defense in depth.
What is AWS Organizations and Service Control Policies?
AWS Organizations provides central account management, consolidated billing, and hierarchical structure. Service Control Policies (SCPs) set maximum permissions boundary, use deny list approach, have no effect on root user, and are inherited down tree. Use cases include enforcing tagging, restricting regions, preventing resource deletion, and compliance requirements.
Cost Optimization Questions
What are the EC2 pricing models and when to use each?
On-Demand: Pay per second/hour, no commitment, use for short-term unpredictable workloads. Reserved Instances: 1 or 3 year commitment, up to 72% discount, use for steady-state workloads. Savings Plans: Flexible pricing model, up to 72% discount. Spot Instances: Up to 90% discount, can be interrupted, use for batch and fault-tolerant workloads. Dedicated: Physical server for compliance requirements.
How do you optimize data transfer costs in AWS?
Free transfers: Inbound from internet, same AZ, S3 to CloudFront. Charged transfers: Outbound to internet, Cross-AZ ($0.01/GB), Cross-region ($0.02/GB+). Optimization strategies: Keep traffic in same AZ, use VPC endpoints for AWS services, CloudFront for static content, compress data, Direct Connect for large transfers.
What are Savings Plans vs Reserved Instances?
Savings Plans: Flexible discount model, dollar/hour commitment, 1 or 3 years. Types include Compute (any instance, region, OS with 66% off), EC2 (specific region with 72% off), and SageMaker (ML workloads). Reserved Instances: Instance commitment, more restrictions, convertible option, marketplace resale. Choose Savings Plans for flexibility and containerized workloads.
Serverless and Integration Questions
What is the difference between SQS and SNS?
SQS (Simple Queue Service): Queue model (pull), one consumer per message, message retention up to 14 days, at-least-once delivery, FIFO option available. SNS (Simple Notification Service): Pub/Sub model (push), multiple subscribers, no message retention, fan-out pattern, multiple protocols. Common pattern: SNS to SQS fan-out for decoupling plus parallel processing.
What is AWS Step Functions?
Step Functions provides visual workflow orchestration with state machines, serverless. State types include Task (do work with Lambda, ECS), Choice (branching logic), Wait (delay), Parallel (concurrent execution), Map (iterator), Pass (pass data), Succeed/Fail (end states). Workflows: Standard (1 year max, exactly-once) vs Express (5 min max, at-least-once).
What is EventBridge (CloudWatch Events)?
EventBridge is a serverless event bus (formerly CloudWatch Events). Event sources include AWS services, custom applications, and SaaS (Zendesk, DataDog). Features include event patterns (filtering), schedule expressions (cron), schema registry, archive and replay, and multiple targets (20). Targets include Lambda, Step Functions, SNS, SQS, Kinesis, EC2, and ECS tasks.
What is API Gateway and its features?
API Types: REST (traditional, full features), HTTP (lower cost, simpler), WebSocket (real-time, bidirectional). Features include request/response transformation, authentication (IAM, Cognito, Lambda), rate limiting and throttling, caching responses, CORS support, SDK generation. Integration with Lambda (serverless), HTTP endpoints, and AWS services directly.
Migration and Transfer Questions
What are the different migration strategies (7 R's)?
7 R's: Retire (decommission), Retain (keep as-is), Rehost (lift and shift to EC2), Relocate (VMware Cloud), Repurchase (move to SaaS), Replatform (lift, tinker, shift), Refactor (re-architect). Complexity increases from Retire to Refactor, while cloud benefits increase from Rehost to Refactor.
What are AWS data transfer and migration services?
Online Transfer: DataSync (one-time or regular, NFS/SMB), Transfer Family (SFTP/FTPS/FTP to S3/EFS), Direct Connect (dedicated network), VPN (encrypted over internet). Offline Transfer: Snowcone (8-14 TB), Snowball (80 TB), Snowmobile (100 PB). Database Migration: DMS (heterogeneous/homogeneous), SCT (schema conversion).
What is Database Migration Service (DMS)?
DMS provides continuous replication with minimal downtime while source database stays online. Migration types include homogeneous (same engine like MySQL to MySQL) and heterogeneous (different engines like Oracle to Aurora). Schema Conversion Tool is required for heterogeneous migrations. Supports CDC (Change Data Capture) for ongoing replication.
Monitoring and Management Questions
What are CloudWatch components and capabilities?
CloudWatch Metrics: Default and custom metrics, 5-minute default (1-min detailed), retention 15 months. CloudWatch Logs: Centralized logging, log groups and streams, metric filters, Insights for analysis. CloudWatch Alarms: Threshold or anomaly, actions include SNS, Auto Scaling, EC2. CloudWatch Events/EventBridge: Event-driven automation, schedule or event patterns.
What is X-Ray and distributed tracing?
X-Ray provides distributed tracing, performance analysis, and debugging for microservices. Concepts include Traces (end-to-end path), Segments (service work), Subsegments (remote calls), and Annotations (indexed metadata). Features include service map, trace analysis, performance insights, error rates. Integration with Lambda, ECS, EC2, API Gateway, and SDK instrumentation.
What is AWS Systems Manager and its capabilities?
Systems Manager is a central management service for hybrid (AWS plus on-premises). Key features include Session Manager (shell access without SSH), Parameter Store (config and secrets), Patch Manager (OS patching), Run Command (execute scripts), State Manager (maintain config), and Inventory (collect metadata). Benefits include no infrastructure, IAM integration, CloudTrail logging.
What is CloudFormation and its key concepts?
Infrastructure as Code using JSON/YAML templates with version control and repeatable deployments. Components include Resources (AWS services, required), Parameters (dynamic inputs), Mappings (lookup tables), Outputs (return values), and Conditions (resource creation logic). Features include stack sets (multi-account/region), drift detection, change sets, rollback on failure, and nested stacks.
Analytics and Big Data Questions
What are the key AWS analytics services?
Data Ingestion: Kinesis Data Streams (real-time), Kinesis Firehose (load to destinations), MSK (Managed Kafka). Processing: Glue (ETL, data catalog), EMR (big data frameworks), Lambda (event processing). Storage: S3 (data lake), Redshift (data warehouse). Analysis: Athena (SQL on S3), QuickSight (visualization).
What is Athena and its features?
Amazon Athena is serverless SQL on S3, Presto-based, pay per query ($5/TB scanned). Supported formats include Parquet (columnar, compressed), ORC, JSON, CSV, and Avro. Performance tips: Use columnar formats, partition data, compress files, use projection. Integration with Glue Data Catalog, QuickSight, and Federated Query.
What is Amazon Redshift and its features?
Redshift is a columnar data warehouse for OLAP (analytics) with massively parallel processing (MPP) and SQL compatibility. Node types include Leader (query planning) and Compute (query execution). Features include Redshift Spectrum (query S3), snapshots to S3, cross-region replication, Concurrency Scaling, and Federated Query (RDS/Aurora).
Machine Learning and AI Questions
What are key AWS AI/ML services for solutions architects?
Pre-trained AI: Rekognition (image/video analysis), Comprehend (NLP, sentiment), Textract (document text extraction), Transcribe (speech to text), Polly (text to speech), Translate (language translation), Lex (chatbots). ML Platform: SageMaker (build, train, deploy), Forecast (time-series prediction), Personalize (recommendations).
What is SageMaker and its components?
SageMaker is an end-to-end ML platform to build, train, and deploy models. Components include Studio (IDE for ML), Notebooks (Jupyter), Training (distributed, managed), Endpoints (model hosting), and Pipelines (MLOps). Features include built-in algorithms, automatic model tuning, model registry, A/B testing, and multi-model endpoints.
Performance Optimization Questions
What are the different EBS volume types and their use cases?
SSD-Based: gp3 (3,000-16,000 IOPS, 125-1,000 MB/s, most workloads), io2/io2 Block Express (up to 256,000 IOPS, mission-critical apps, sub-millisecond latency). HDD-Based: st1 (500 MB/s throughput, big data, data warehouses), sc1 (250 MB/s throughput, infrequent access). Note: Only SSD can be boot volumes.
What are the caching strategies in AWS?
CloudFront (CDN): Static/dynamic content, global edge locations, origin can be S3, ALB, EC2, or custom. ElastiCache: Redis (complex data types, persistence, pub/sub) or Memcached (simple, multi-threaded, no persistence). Caching Patterns: Lazy Loading (load on cache miss), Write Through (update cache on write), TTL (expire stale data). DAX for DynamoDB provides microsecond latency.
What is CloudFront and its key features?
CloudFront CDN has 400+ edge locations, caches static/dynamic content, provides DDoS protection (Shield), and SSL/TLS termination. Origins include S3 bucket, ALB/NLB, EC2 instance, and custom HTTP server. Features include signed URLs/cookies, Origin Access Control, Lambda@Edge, field-level encryption, and geo-restriction.
Architecture Patterns Questions
What are the AWS Well-Architected Framework pillars?
Six Pillars: 1. Operational Excellence (operations as code, frequent small changes, learn from failure), 2. Security (defense in depth, least privilege, encrypt data), 3. Reliability (test recovery, scale horizontally, manage change), 4. Performance (go global, use serverless, experiment), 5. Cost Optimization (right sizing, measure efficiency), 6. Sustainability (minimize impact).
What are the characteristics of microservices architecture?
Design Principles: Single responsibility, loosely coupled, independently deployable, organized around business, decentralized governance. Benefits: Technology diversity, fault isolation, independent scaling, faster deployment, team autonomy. Challenges: Distributed complexity, network latency, data consistency, service discovery. AWS Tools: API Gateway, ECS/EKS, Lambda.
What are distributed design patterns in AWS?
Common Patterns: Circuit Breaker (prevent cascading failures, fail fast mechanism), Bulkhead (isolate resources, prevent total failure), Retry with Backoff (exponential backoff, jitter for randomization), Queue-Based Load Leveling (SQS for buffering, smooth traffic spikes), Throttling (API Gateway limits, Lambda concurrency), Health Endpoint (ELB health checks, Route 53 health checks).
Compliance and Governance Questions
What is AWS Config?
AWS Config provides resource inventory, configuration history, change notifications, and compliance auditing. Components include configuration items, configuration recorder, delivery channel (S3), and config rules. Rule types include AWS managed (190+) and custom (Lambda). Remediation uses SSM Automation documents, can be manual or automatic.
What is AWS Control Tower?
Control Tower provides multi-account setup automation with best practices by default and account factory. Components include Landing Zone (well-architected environment), Guardrails (Preventive SCP + Detective Config), Account Factory (standardized provisioning), and Dashboard (compliance overview). Default OUs include Root, Security (Log Archive, Audit), Sandbox, and Production.
What is AWS Artifact?
AWS Artifact is a self-service compliance reports portal with no cost. Documents available include SOC reports, PCI DSS, ISO certifications, HIPAA, and FedRAMP. Agreements include Business Associate Agreement (BAA) and GDPR DPA, and they can be accepted on behalf of an organization. Use for audit preparation, compliance validation, and due diligence.
What is AWS Trusted Advisor?
Trusted Advisor checks five categories: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits. Free checks (7) include S3 bucket permissions, security groups, IAM use, MFA on root, and service limits. Business/Enterprise provides all checks (100+), CloudWatch integration, API access, and weekly notifications.