โ˜ AWS Certified

SAA-C03 Cheatsheet

Solutions Architect Associate ยท Exam-day quick reference & mindset guide

65 questions
130 minutes
720/1000 to pass
The architect frame

You are designing for a customer, not a sysadmin. Always ask: cost, resilience, performance, security - pick the right tradeoff for the scenario.

Well-architected pillars

Operational excellence · Security · Reliability · Performance efficiency · Cost optimization · Sustainability

Keyword radar

Scan for: "highly available", "cost-effective", "least privilege", "serverless", "decoupled", "durable", "global". Each keyword eliminates wrong answers.

Eliminate first

Two answers are almost always obviously wrong. Cross them out, then debate the remaining two on the scenario's key constraint.

Default to managed

AWS wants you to use managed services. If you can replace EC2 + custom code with Lambda + SQS + RDS - do it.

Decouple everything

Tight coupling = fragile. SQS, SNS, EventBridge, and Step Functions exist to break direct dependencies between services.

Least privilege

Every security question defaults to: IAM roles with temporary credentials (not users with long-lived access keys), the tightest policy that still does the job, and no credentials in code, AMIs or config files.

Cost signals

Spot = fault-tolerant batch. Reserved = steady-state. Savings Plans = flexible. On-demand = short/unpredictable. Keep traffic in-region.

EC2 & Autoscaling
EC2
Instance types
T = burstable (dev). C = compute. M = general. R = memory. G/P = GPU. I = NVMe storage. X = in-memory (SAP).
EC2
Placement groups
Cluster = low latency, single AZ (HPC, tightly coupled). Spread = max 7 instances per AZ per group, each on distinct hardware (fault isolation). Partition = up to 7 partitions per AZ, for large distributed systems (Hadoop, Cassandra, Kafka).
EC2
ASG key concepts
Scale-in protection, lifecycle hooks, warm pools, cooldown vs instance warmup. Target tracking = simplest policy.
Lambda
Lambda limits
15 min max, 10 GB RAM, 512 MB–10 GB /tmp. Provisioned concurrency = warm. Use for event-driven, stateless.
Lambda
Lambda + VPC
Needs subnets + security group. ENIs are created once when the VPC config is attached (shared Hyperplane ENIs), not on every cold start. A VPC-attached function loses internet access unless its subnet routes through a NAT gateway. Use it when you need RDS/ElastiCache or other private resources.
Containers
ECS vs EKS
ECS = simpler AWS-native. EKS = Kubernetes. Fargate = serverless container compute for both. ECR = registry.
Load balancers
ALB
Application LB
Layer 7 HTTP/HTTPS. Path/host-based routing. WebSockets. Best for microservices & containers.
NLB
Network LB
Layer 4. Ultra-low latency. Static IP / Elastic IP. Use for TCP/UDP, gaming, real-time apps.
GLB
Gateway LB
Layer 3. Inserts 3rd-party appliances (firewalls, IDS/IPS) transparently in the traffic path. Encapsulates traffic with GENEVE (UDP 6081). Newer exam topic.
S3
S3
Storage classes
Standard → IA → One-Zone-IA → Glacier Instant → Glacier Flexible → Glacier Deep Archive. Intelligent-Tiering for unpredictable access.
S3
Security
Block Public Access, ACLs disabled (bucket-owner enforced) and SSE-S3 default encryption are all on for new buckets. Prefer bucket policies over ACLs. SSE-S3, SSE-KMS (key policy + per-use CloudTrail audit), SSE-C. Presigned URLs for time-limited access; Object Lock for WORM retention.
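Added example (not from this page or the AWS SDK): a hand-rolled SigV4 query-string presigner for a GET on an S3 object, plus a parser that pulls the signing identity and expiry back out of the URL. boto3's generate_presigned_url produces the same thing; writing it out shows what the URL actually contains: the issuer's access key ID, a date/region/service scope, an expiry, and an HMAC over those, which is why Block Public Access does not affect it and why anyone holding the URL can use it until it expires. The key pair, bucket name and clock are constructed.

```python
"""SigV4 query-string presigning for S3 GET, written out by hand (added example, not SDK code)."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlparse

MAX_EXPIRES = 7 * 24 * 3600  # S3 rejects X-Amz-Expires above 604800 seconds


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str = "s3") -> bytes:
    # Derived key chain: the long-term secret never leaves the signer, only HMAC outputs do.
    k_date = _hmac(("AWS4" + secret_key).encode(), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def presign_get_object(bucket, key, region, access_key, secret_key, expires, now, session_token=None):
    """Return a presigned https URL for GET s3://bucket/key valid for `expires` seconds from `now`."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 and 604800 seconds")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",  # identifies WHO signed: the issuer, not "public"
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # role/STS credentials must ship their token; the URL dies with the session
        params["X-Amz-Security-Token"] = session_token
    enc = lambda s: quote(s, safe="-_.~")
    canonical_query = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    canonical_uri = quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join(
        ["GET", canonical_uri, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, amz_date[:8], region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def parse_presigned(url):
    """Read the signing identity and lifetime back out of a presigned URL (what a reviewer checks)."""
    q = parse_qs(urlparse(url).query)
    access_key, scope = q["X-Amz-Credential"][0].split("/", 1)
    signed_at = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return {
        "access_key": access_key,
        "scope": scope,
        "signed_at": signed_at,
        "expires_at": signed_at + timedelta(seconds=int(q["X-Amz-Expires"][0])),
        "signature": q["X-Amz-Signature"][0],
        "has_session_token": "X-Amz-Security-Token" in q,
    }


def is_expired(url, now):
    return now >= parse_presigned(url)["expires_at"]


def demo():
    """Constructed inputs: fake key pair, fake bucket, fixed clock, so the output is reproducible offline."""
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    args = ("private-reports", "q1/report.pdf", "us-east-1", "AKIAEXAMPLEKEY000000", "example-secret")
    one_hour = presign_get_object(*args, expires=3600, now=now)
    ten_minutes = presign_get_object(*args, expires=600, now=now)
    info = parse_presigned(one_hour)
    return {
        "url": one_hour,
        "info": info,
        "signature_changes_with_expiry": parse_presigned(ten_minutes)["signature"] != info["signature"],
        "valid_at_signing": not is_expired(one_hour, now),
        "expired_after_an_hour": is_expired(one_hour, now + timedelta(seconds=3601)),
        "deterministic": one_hour == presign_get_object(*args, expires=3600, now=now),
    }


if __name__ == "__main__":
    print(demo()["url"])
```

The expiry is part of the signed string, so it cannot be extended by editing the URL; but nothing in the URL ties it to a particular client, so treat a presigned URL as a bearer token and keep X-Amz-Expires as short as the use case allows.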
S3
Performance
3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD per prefix per second; spread keys across prefixes to scale further. Multipart upload for objects >100 MB (required above 5 GB). Transfer Acceleration routes uploads through CloudFront edge locations. S3 Select = filter in place.
S3
Replication
CRR (cross-region) = compliance, lower latency, DR. SRR (same-region) = log aggregation, prod/test copies. Versioning must be on for both buckets. Objects that existed before replication was enabled are only copied if you run Batch Replication.
Block & file storage
EBS
Volume types
gp3 = default SSD (3000 IOPS). io2 Block Express = up to 256k IOPS. st1 = throughput HDD. sc1 = cold HDD. Multi-attach: io1/io2 only.
EFS
Elastic File System
NFSv4, Regional (multi-AZ) or One Zone, Linux/NFS clients only (no native Windows support). Standard vs IA tiers via lifecycle policies. Max I/O mode for big data. Bursting, Provisioned or Elastic throughput.
FSx
FSx flavors
FSx Windows = SMB, AD. FSx Lustre = HPC/ML, S3 integration. FSx NetApp ONTAP = multi-protocol, multi-OS.
Storage GW
Storage Gateway
File GW (S3 via NFS/SMB). Volume GW (iSCSI → EBS snapshots). Tape GW (virtual tape → Glacier). Hybrid cloud bridge.
VPC
VPC fundamentals
Public subnet = route to an IGW. Private subnet = no IGW route; outbound only via a NAT GW that sits in a public subnet. CIDRs can't overlap for peering. Default VPC is 172.31.0.0/16.
VPC
SG vs NACLs
SG = stateful, instance/ENI-level, allow rules only (anything not allowed is denied). NACL = stateless, subnet-level, numbered allow + deny rules evaluated lowest number first. NACLs need matching inbound + outbound rules; the default NACL allows all, a custom NACL denies all until you add rules.
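Added example (not from this page or AWS): a small Python model of how a NACL judges each packet against numbered, stateless rules, next to a stateful security group. The rules, CIDRs and client address are constructed. It reproduces the failure behind the usual scenario question: the inbound 443 rule admits the request, but the reply to the client's ephemeral port is dropped until an outbound 1024–65535 allow exists; it also shows that a lower-numbered deny beats a later allow.

```python
"""NACL (stateless, ordered allow/deny) vs security group (stateful, allow-only), added example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # range AWS documents for return traffic when writing NACL rules


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are checked in ascending order; the first match wins
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp" or "-1" for all protocols
    ports: tuple     # (low, high) inclusive destination ports; ignored for protocol "-1"
    cidr: str        # remote address range


def nacl_decision(rules, protocol, port, remote_ip):
    """'allow' or 'deny' for one packet. The implicit '*' rule at the end denies everything unmatched."""
    addr = ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "-1" and rule.protocol != protocol:
            continue
        if rule.protocol != "-1" and not rule.ports[0] <= port <= rule.ports[1]:
            continue
        if addr not in ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


def nacl_tcp_flow(inbound, outbound, client_ip, client_port, server_port):
    """A client->server TCP exchange crosses a NACL twice and each leg is judged on its own:
    the request inbound (dst = server_port) and the reply outbound (dst = client's ephemeral port)."""
    request = nacl_decision(inbound, "tcp", server_port, client_ip)
    reply = nacl_decision(outbound, "tcp", client_port, client_ip)
    return {"request": request, "reply": reply, "flow": request == "allow" and reply == "allow"}


def sg_tcp_flow(sg_inbound, client_ip, client_port, server_port):
    """Security groups are stateful: once an inbound rule admits the request, the reply is tracked
    and allowed automatically; no outbound rule is consulted. SG rules are allow-only, so the
    same matcher works (any matching allow == allow)."""
    request = nacl_decision(sg_inbound, "tcp", server_port, client_ip)
    return {"request": request, "reply": request, "flow": request == "allow"}


# Constructed example: a web subnet that admits HTTPS but forgot the ephemeral-port outbound rule.
INBOUND = [Rule(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]
OUTBOUND_BROKEN = [Rule(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]  # covers only new outbound HTTPS
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(110, "allow", "tcp", EPHEMERAL, "0.0.0.0/0")]
INBOUND_WITH_BLOCK = [Rule(90, "deny", "tcp", (443, 443), "203.0.113.0/24")] + INBOUND


def demo():
    client_ip, client_port = "203.0.113.10", 51234  # documentation range; source port chosen by the client
    return {
        "broken_nacl": nacl_tcp_flow(INBOUND, OUTBOUND_BROKEN, client_ip, client_port, 443),
        "fixed_nacl": nacl_tcp_flow(INBOUND, OUTBOUND_FIXED, client_ip, client_port, 443),
        "security_group": sg_tcp_flow(INBOUND, client_ip, client_port, 443),
        # Lower rule numbers win: the /24 deny at 90 blocks this client despite the allow at 100.
        "order_matters": nacl_decision(INBOUND_WITH_BLOCK, "tcp", 443, client_ip),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

When a scenario says "the security group allows it but the connection still fails", run the reply leg through this check first: it is nearly always the missing outbound ephemeral-port rule.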
Transit GW
Transit Gateway
Hub-and-spoke for many VPCs. Replaces full-mesh peering. Supports VPN and Direct Connect attachments. Cross-region via peering.
PrivateLink
VPC PrivateLink
Expose services privately without peering. No overlapping CIDR problem. Interface endpoint (ENI in your subnet).
Route 53
Routing policies
Simple · Weighted · Latency · Failover · Geolocation · Geoproximity · Multi-value. Failover needs health checks. Alias records = free + auto-update.
CloudFront
CloudFront CDN
400+ PoPs globally. OAC (successor to OAI) locks S3 origins so only CloudFront can read them. Lambda@Edge & CloudFront Functions for edge logic. Viewer protocol policy redirect-to-HTTPS to enforce TLS; signed URLs/cookies and geo restriction for private content.
Connectivity
VPN vs Direct Connect
VPN = IPsec-encrypted, over the internet, minutes to set up, ~1.25 Gbps per tunnel. DX = dedicated fiber, consistent 1–100 Gbps, weeks to provision, and not encrypted on its own: run a VPN over DX (or MACsec on supported ports) when the scenario requires encryption in transit.
Connectivity
VPC Endpoints
Gateway endpoint = S3 & DynamoDB (free, route-table entry). Interface endpoint = most other services (hourly + data cost, ENI in your subnet + private DNS). Attach an endpoint policy to limit which buckets or APIs can be reached through it.
RDS
RDS key concepts
Multi-AZ = synchronous standby for HA (auto-failover). Read replica = async, for read scale. Automated backups & snapshots.
Aurora
Aurora
5× MySQL / 3× Postgres performance. 6-way replication across 3 AZs. Serverless v2 = auto-scale. Global DB = cross-region <1s RPO.
DynamoDB
DynamoDB
Single-digit ms at any scale. On-demand vs provisioned capacity. DAX = in-memory cache. Streams + Global Tables = multi-region active-active.
ElastiCache
ElastiCache
Redis (cluster, persistence, pub/sub, sorted sets) vs Memcached (simple, multi-thread). Redis = almost always the answer.
Redshift
Redshift
Data warehouse, columnar, petabyte-scale. Spectrum = query S3 directly. RA3 nodes = managed storage. Not for OLTP.
Specialty
Specialty databases
Neptune = graph. Keyspaces = Cassandra. Timestream = time-series. QLDB = immutable ledger. DocumentDB = MongoDB-compatible.

Key pick: transactional/relational → RDS/Aurora · Key-value/massive scale → DynamoDB · Caching → ElastiCache (Redis) · Analytics → Redshift · Migrate MongoDB → DocumentDB

IAM
IAM fundamentals
Users → Groups → Policies. Roles for services & cross-account (temporary STS credentials, nothing long-lived). Policy eval: explicit deny > explicit allow > implicit deny; SCPs, permissions boundaries and session policies can only narrow what an allow grants.
IAM
SCP vs permissions
SCPs (AWS Organizations) = maximum permissions boundary for every principal in a member account, root user included. They restrict, they don't grant: the principal still needs an identity policy allow. They don't apply to the management account or to service-linked roles.
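Added example (not AWS code): a simplified evaluator in Python that applies the order above, explicit deny > explicit allow > implicit deny, across identity policies, SCPs and a resource policy, including the cross-account S3 case where both the caller's identity policy and the bucket policy must allow. Policy documents, account IDs and ARNs are constructed placeholders; Condition keys, permissions boundaries and OU inheritance are deliberately left out.

```python
"""Simplified IAM request evaluation (added example, not AWS code).

Order modelled: explicit Deny anywhere > SCP must allow > explicit Allow > implicit Deny.
Left out on purpose: Condition keys, permissions boundaries, session policies, OU inheritance.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM Action/Resource/Principal strings allow * and ? wildcards; ARNs are case-sensitive.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    if isinstance(principal, dict) and "AWS" in principal:
        return _matches(principal["AWS"], principal_arn)
    return False


def policy_decision(policy, action, resource, principal_arn=None):
    """'Deny', 'Allow' or None (no statement matched) for one policy document.

    principal_arn is passed only for resource-based policies, which carry a Principal element.
    """
    result = None
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if principal_arn is not None and not _principal_matches(stmt, principal_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation of this document
        result = "Allow"
    return result


def evaluate(action, resource, principal_arn, principal_account, resource_account,
             identity_policies=(), scps=(), resource_policy=None):
    """Decide one API call. Returns (decision, reason)."""
    identity = [policy_decision(p, action, resource) for p in identity_policies]
    scp = [policy_decision(p, action, resource) for p in scps]
    rbp = policy_decision(resource_policy, action, resource, principal_arn) if resource_policy else None

    if "Deny" in identity or "Deny" in scp or rbp == "Deny":
        return "Deny", "explicit deny"
    # SCPs never grant; when the account has SCPs the action must be allowed by them
    # (simplified: real SCPs are intersected down the OU path).
    if scps and "Allow" not in scp:
        return "Deny", "not allowed by SCP"
    if principal_account == resource_account:
        # Same account: an Allow from either the identity policy or the resource policy is enough.
        if "Allow" in identity or rbp == "Allow":
            return "Allow", "same-account allow"
        return "Deny", "implicit deny"
    # Cross account: the caller's identity policy AND the resource policy must both allow.
    if "Allow" in identity and rbp == "Allow":
        return "Allow", "cross-account allow on both sides"
    return "Deny", "implicit deny (cross-account needs identity policy AND resource policy)"


# Constructed sample policies; account IDs and ARNs are placeholders, not real accounts.
DEV_ROLE = "arn:aws:iam::111111111111:role/dev"
OBJECT = "arn:aws:s3:::shared-bucket/report.csv"
READ_SHARED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-bucket/*"}]}
IAM_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
SCP_NO_IAM_USERS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},             # the default FullAWSAccess
    {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": DEV_ROLE},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-bucket/*"}]}


def demo():
    """Scenarios in the style of the exam questions, answered by the evaluator."""
    cross = ("111111111111", "222222222222")
    return {
        "cross_account_both_sides": evaluate("s3:GetObject", OBJECT, DEV_ROLE, *cross,
                                             [READ_SHARED], [SCP_NO_IAM_USERS], BUCKET_POLICY)[0],
        "cross_account_no_bucket_policy": evaluate("s3:GetObject", OBJECT, DEV_ROLE, *cross,
                                                   [READ_SHARED], [SCP_NO_IAM_USERS])[0],
        "cross_account_no_identity_policy": evaluate("s3:GetObject", OBJECT, DEV_ROLE, *cross,
                                                     [], [SCP_NO_IAM_USERS], BUCKET_POLICY)[0],
        "scp_beats_identity_allow": evaluate("iam:CreateUser", "*", DEV_ROLE, "111111111111",
                                             "111111111111", [IAM_ADMIN], [SCP_NO_IAM_USERS])[0],
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:34} {verdict}")
```

The real engine also walks Condition blocks and the OU tree, but the shape is the same: collect every applicable statement, let any Deny win, and only then look for an Allow on every side that has to grant it.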
KMS
KMS
Customer managed key = you own the key policy, get per-use CloudTrail audit, optional automatic rotation. AWS managed key (aws/service) = created and rotated by the service for you. CloudHSM = single-tenant, FIPS 140-2 Level 3 hardware under your control. Older material still says CMK ("customer master key") for any KMS key.
Secrets
Secrets Manager vs SSM
Secrets Manager = built-in rotation (managed for RDS/Redshift/DocumentDB, Lambda for anything else), cross-account sharing, higher cost. SSM Parameter Store = cheaper, SecureString encrypted with KMS, but rotation is DIY. Secrets Manager wins for DB credentials.
Threat detection
GuardDuty / Inspector / Macie
GuardDuty = continuous threat detection over CloudTrail events, VPC Flow Logs and DNS logs (plus optional S3/EKS/malware protection). Inspector = vulnerability and network-reachability scanning for EC2, ECR images and Lambda. Macie = discovery of sensitive data (PII) in S3.
Edge security
WAF / Shield / FMS
WAF = L7 rules (SQLi, XSS, rate limiting, managed rule groups) on ALB/CloudFront/API GW/AppSync. Shield Standard = free, always-on L3/L4 DDoS protection. Shield Advanced = 24/7 response team, cost protection, WAF included.
Compliance
Config / CloudTrail
CloudTrail = who did what (API calls). Config = resource compliance rules & drift detection. Audit Manager = evidence for audits.
Network security
Network Firewall
Stateful & stateless rules at VPC perimeter. Works with Gateway LB for 3rd-party NVAs. Place in inspection VPC with Transit GW.
Q: High availability for RDS?
→ Multi-AZ, not read replica. Read replicas don't auto-failover (you can promote one manually); they exist for read scaling.
Q: S3 not publicly accessible but presigned URL needed?
→ Presigned URLs work with Block Public Access ON. The URL carries a SigV4 signature made with the issuer's credentials, so the request is authorized as the issuer, not as the public. Lifetime is capped at 7 days (and by the signing credential's own expiry when it is a role session); anyone holding the URL can use it until then.
Q: Lambda needs to access RDS privately?
→ Put Lambda in the VPC with RDS. Use RDS Proxy for connection pooling (avoids connection exhaustion from many concurrent invocations) and prefer IAM database authentication over a static password.
Q: Cross-account S3 access?
→ Allow on both sides: a bucket policy in the bucket-owner account that names the other account's principal, plus an identity policy on that principal allowing the S3 actions. Alternatively the caller assumes a role in the bucket-owner account. S3 Access Points scale this out for many consumers.
Q: Failover routing in Route 53 not switching?
→ Needs a health check attached. Without it, failover policy won't switch traffic to the secondary.
Q: Decouple microservices?
→ SQS for async point-to-point. SNS for fan-out pub/sub. EventBridge for rule-based event routing.
Q: NACLs blocking traffic even though SG allows it?
→ NACLs are stateless. You must allow both inbound and outbound, including ephemeral ports 1024–65535.
Q: Cheapest storage for infrequently accessed data?
→ S3 Glacier Deep Archive (~$1/TB/mo), but expect up to 12-hour retrieval and a 180-day minimum storage charge. One-Zone-IA is cheaper than Standard-IA but loses AZ fault tolerance.
Q: EC2 needs to call AWS APIs without storing keys?
→ IAM role attached to the instance (instance profile); the SDK fetches short-lived, auto-rotated credentials from the instance metadata service. Require IMDSv2 (session-token hop) so an SSRF bug can't read them. Never store access keys on EC2 or in code.
Q: High IOPS database for OLTP?
→ io2 EBS (or Aurora). gp3 maxes at 16k IOPS. io2 goes to 64k+ (256k with Block Express).
Q: Geolocation vs Latency routing?
→ Geolocation = route by user's country/continent. Latency = route to lowest-latency region. They are not the same.
Q: Disaster recovery - cheapest option?
→ Backup & restore (RPO hours, RTO hours). Then: Pilot light → Warm standby → Multi-site active-active = increasing cost & speed.
Exam domain weights: 30% Secure architectures · 26% Resilient architectures · 24% High-performance architectures · 20% Cost-optimized architectures
Read every question twice. Identify the ONE key constraint (cost? HA? latency? compliance?) - it's the decision pivot.
Eliminate obviously wrong answers first. Usually 2 of 4 can go in 10 seconds - debate the remaining two.
"Most cost-effective" usually means serverless, Spot instances, or the lowest storage tier that still meets the SLA.
"Least operational overhead" = managed service over self-managed (RDS over DIY MySQL, SQS over RabbitMQ).
If the scenario has "millions of users" or "unpredictable traffic" โ†’ DynamoDB + Lambda + API Gateway is often right.
Hybrid/on-prem scenarios: Storage Gateway for files, Direct Connect for dedicated bandwidth, VPN for quick encrypted setup.
Multi-AZ = availability (failover). Multi-region = disaster recovery + global latency. Don't confuse the two.
Flag hard questions and move on. 65 questions, 130 minutes = 2 min/question. Don't sink 10 minutes on one.
Passing score is 720/1000 (~72%). You don't need perfection - focus on eliminating wrong answers confidently.
Trust your first pass. Change an answer only when you can point to a specific reason in the scenario, not on a vague second doubt.