CLF-C02 Cheat Sheet
Cloud Concepts
Benefits of the AWS Cloud
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Know AWS's six advantages of cloud computing
AWS's canonical list names six benefits: trade fixed (CapEx) expense for variable expense, benefit from massive economies of scale, stop guessing capacity, increase speed and agility, stop spending money running and maintaining data centers, and go global in minutes. CLF Domain 1.1 tests these in business wording, so map a scenario's pain point to the matching advantage rather than memorizing the order.
- Trade fixed (capital) expense for variable expense
Cloud replaces heavy up-front data-center and server purchases with pay-as-you-go consumption: you pay only when you consume resources and only for how much you consume. This is the advantage to pick when a stem describes avoiding hardware investment before demand is known, or shifting CapEx to OpEx.
Trap Choosing economies of scale when the stem is about avoiding up-front hardware spend. That benefit is about lower per-unit price from aggregated demand, whereas shifting CapEx to OpEx is the variable-expense advantage.
5 questions test this
- A company is migrating from on-premises infrastructure to AWS and wants to understand the elasticity benefits of Amazon EC2 Auto Scaling.…
- A company has unpredictable, seasonal demand for its web application and wants to avoid paying for compute capacity that sits idle during…
- A startup company is launching a new application and is uncertain about the required compute capacity. The company needs the flexibility to…
- A company currently pays large one-time upfront fees to permanently own its software licenses and wants to move to a model with no large…
- A company is closing its on-premises data center, where it made large upfront hardware purchases regardless of how much capacity it…
- Economies of scale lower pay-as-you-go prices
Because AWS aggregates usage from hundreds of thousands of customers, it reaches a lower variable cost than any single organization could on its own and passes the saving on as lower pay-as-you-go prices. This is why cloud unit costs can beat self-run infrastructure, and it is the benefit a stem about lower per-unit cost from scale is pointing to.
Trap Picking the variable-expense advantage when the stem stresses a lower per-unit price driven by AWS's aggregated demand. That lower unit cost is economies of scale, not merely the CapEx-to-OpEx shift.
- Stop guessing capacity by scaling on demand
Provisioning physical capacity ahead of demand leaves you either sitting on expensive idle resources or hitting shortfalls when traffic exceeds the guess. Cloud removes the guess: you access as much or as little capacity as you need and scale up or down with only a few minutes' notice.
3 questions test this
- An application has unpredictable demand, and the company wants to avoid both over-provisioning and running short of compute capacity by…
- A company wants to take advantage of cloud elasticity by automatically adjusting compute capacity based on demand while reducing the need…
- A startup company is launching a new application and is uncertain about the required compute capacity. The company needs the flexibility to…
- Elasticity adds automatic shrink-back to scalability
Scalability is the ability to grow capacity to meet rising load; elasticity adds the ability to shrink capacity back down automatically as demand falls, so supply tracks demand in both directions and you pay only for what you use. A stem about spiky or seasonal traffic that must avoid both over-provisioning and outages is testing elasticity, not mere scalability.
Trap Treating scalability and elasticity as the same thing. Scaling up alone leaves idle, paid-for capacity when the spike passes; elasticity is what releases it.
9 questions test this
- A company is migrating from on-premises infrastructure to AWS and wants to understand the elasticity benefits of Amazon EC2 Auto Scaling.…
- An application has unpredictable demand, and the company wants to avoid both over-provisioning and running short of compute capacity by…
- A company has unpredictable, seasonal demand for its web application and wants to avoid paying for compute capacity that sits idle during…
- A video streaming company cannot predict how many viewers will watch each live event, so it relies on AWS Auto Scaling to add capacity as…
- An online retailer's web application experiences large, unpredictable traffic spikes during flash sales and is quiet overnight. The company…
- A company runs an application on Amazon EC2 instances and wants the number of instances to increase automatically during busy periods and…
- A company wants to take advantage of cloud elasticity by automatically adjusting compute capacity based on demand while reducing the need…
- A retail company experiences significant traffic spikes during flash sales that occur at unpredictable times throughout the year. The…
- A retail company experiences significant traffic spikes during holiday sales events. The company wants to automatically adjust its Amazon…
- Agility means resources in minutes, not weeks
Agility is the speed-and-innovation benefit: new IT resources are a click away, cutting provisioning from weeks to minutes and dramatically lowering the cost and time of experimentation. A stem stressing faster time-to-market, rapid prototyping, or innovating quickly maps to agility, a time benefit, not a cost benefit.
Trap Mapping a 'faster time-to-market' or 'experiment quickly' stem to a cost-savings benefit when agility is a speed-and-innovation benefit, not a cost one.
4 questions test this
- A company migrating to AWS wants to understand which cloud benefit allows their development team to deploy applications in minutes without…
- A startup wants to turn new product ideas into running applications in days instead of months, experimenting frequently with a low cost of…
- A company was previously accustomed to waiting several weeks to procure and install physical servers before it could launch new projects.…
- A development team wants to provision new environments in minutes to experiment with ideas and release features faster, rather than waiting…
- Go global in minutes for lower latency
You can deploy an application across multiple Regions worldwide with just a few clicks, giving customers lower latency and a better experience at minimal cost. A stem about serving users in new countries or cutting latency for geographically distant users points to global reach.
Trap Reading 'deploy worldwide for lower latency' as high availability when it is global reach. Surviving a facility failure is the availability benefit delivered by multiple AZs, not by going global.
4 questions test this
- A company based in Brazil is expanding into Japan and wants to host its application on infrastructure that is physically located in Japan…
- An online multiplayer gaming company has players located across North America, Europe, and Asia. The company wants to host game servers…
- A software company based in one country wants to make its application available to customers in Asia, Europe, and South America within…
- A startup wants to make its application available to customers worldwide within days instead of spending months building physical data…
- A bigger single server is not high availability
A single instance is a single point of failure no matter how large, so vertically scaling to one bigger server does not deliver resilience. High availability comes from distributing the workload across multiple Availability Zones so the failure of one facility does not take the application down.
Trap Choosing one larger instance for resilience. A bigger box is still one box, and one AZ; HA needs redundancy across AZs.
- Cloud trades fixed cost for variable cost, not for free
The cost benefit is converting capital expense into pay-as-you-go variable expense, not eliminating spend. You still pay for what you consume. Scaling, automation, and reserved commitments reduce and smooth the bill, but they never make compute free.
Trap Picking an answer that says the cloud makes compute free or removes all spending. The benefit is variable cost, not zero cost.
3 questions test this
- A solutions architect is building a business case for migrating to AWS and needs to compare total cost of ownership (TCO) between…
- A solutions architect is helping a company understand the value proposition of migrating to AWS. When explaining the difference between…
- A startup wants to launch a new application without investing heavily in physical servers and data centers before it knows how customers…
- Stop maintaining data centers to focus on the business
Offloading the undifferentiated heavy lifting of racking, stacking, and powering servers lets teams focus on projects that differentiate the business instead of on infrastructure. A stem about reducing infrastructure maintenance effort, or freeing staff from data-center upkeep, maps to this benefit.
Trap Mapping a 'free staff from racking and powering servers' stem to the CapEx-to-OpEx cost benefit when it is the stop-maintaining-data-centers advantage about offloading operational heavy lifting.
- Global reach and high availability are different benefits
Serving users in many countries with low latency is global reach, achieved by deploying in more Regions or using CloudFront edge locations. Surviving a facility failure within one Region is high availability, achieved with multiple Availability Zones. The exam expects you to pick the right one per scenario rather than conflate them.
Trap Answering a 'survive a data-center failure' stem with more Regions (a reach/latency fix) instead of multiple AZs (the availability fix).
2 questions test this
- Auto Scaling self-heals by replacing unhealthy instances
Amazon EC2 Auto Scaling continuously monitors instance health and, when an in-service instance is found unhealthy, terminates and replaces it to keep the group at its desired capacity with no manual intervention. Configured across multiple Availability Zones, if one AZ becomes unavailable it launches instances in another to compensate, which is how a self-healing fleet delivers high availability.
Trap Assuming Auto Scaling only adds capacity for rising load. It also self-heals by terminating and replacing unhealthy instances to hold desired capacity, even when total load is flat.
4 questions test this
- A company configures AWS Auto Scaling to keep a defined minimum number of healthy Amazon EC2 instances running and to automatically replace…
- A company configures an Amazon EC2 Auto Scaling group across three Availability Zones. One Availability Zone experiences an outage. How…
- A company wants to ensure that its web application always has exactly 4 Amazon EC2 instances running, even if individual instances become…
- A company runs a critical application using Amazon EC2 instances in an Auto Scaling group. The operations team wants the infrastructure to…
- Match the Auto Scaling policy type to the traffic pattern
Dynamic scaling reacts to live CloudWatch metrics. AWS strongly recommends target tracking (hold a metric like average CPU at a target); step and simple scaling are the other two dynamic types. Predictive scaling analyzes historical load to forecast and add capacity ahead of recurring daily or weekly patterns, and scheduled scaling changes capacity at known dates and times. Choose reactive (dynamic) for unpredictable spikes and proactive (predictive or scheduled) for known recurring patterns.
Trap Reaching for scheduled scaling to handle unpredictable spikes. Scheduled fires at fixed times; only dynamic scaling reacts to live demand.
5 questions test this
- A media company has an application with recurring traffic patterns that spike every weekday morning. The company wants Amazon EC2 Auto…
- A retail company experiences predictable traffic increases every Friday evening and decreases on Monday morning. The company wants to…
- A company wants to configure dynamic scaling for an EC2 Auto Scaling group that scales on CPU utilization. AWS recommends a specific type…
- A company's web application experiences unpredictable traffic spikes throughout the day. The company wants to automatically add EC2…
- A retail company experiences significant traffic spikes during holiday sales events. The company wants to automatically adjust its Amazon…
- CloudFront edge locations cut latency for a global audience
Amazon CloudFront is a content delivery network that caches content at a worldwide network of edge locations (Points of Presence), routing each viewer request to the edge location with the lowest latency, typically the nearest. A globally dispersed audience gets fast delivery without you deploying origin infrastructure in multiple Regions, since only the cached copies live at the edge.
Trap Answering a 'cut latency for a global audience' stem by deploying origin infrastructure into more Regions when CloudFront edge caching delivers the same latency win without standing up origins everywhere.
8 questions test this
- A company's website has users distributed across multiple continents. The development team wants to understand how Amazon CloudFront…
- A media company needs to deliver streaming video content to viewers across multiple continents with minimal buffering. Which benefit of…
- A startup is evaluating whether to use Amazon CloudFront or serve static website content directly from an Amazon S3 bucket in a single AWS…
- A startup is launching a mobile application that will serve users in North America, Europe, and Australia. The company wants to ensure fast…
- A media company streams video to viewers around the world and wants to improve playback performance by delivering content from locations…
- A company hosts a website on an Amazon EC2 instance in the US East (N. Virginia) Region. Users in Asia Pacific report slow page load times.…
- A media streaming company delivers video and image content to viewers on several continents and wants to reduce playback latency by serving…
- A global media company hosts its video streaming service using servers in a single AWS Region. Users in Asia and South America report…
- S3 stores objects across three or more AZs for 11 nines durability
Amazon S3 Standard (and most other classes) automatically stores each object redundantly across a minimum of three Availability Zones in a Region, with no manual replication. This built-in redundancy delivers 99.999999999% (11 nines) durability and is designed to sustain the loss of an entire Availability Zone. The exception is S3 One Zone-IA, which keeps data in a single AZ and so cannot survive that AZ's loss.
Trap Assuming One Zone-IA matches Standard's resilience. One Zone-IA stores in a single AZ and loses data if that AZ is destroyed.
6 questions test this
- A retail company stores product catalog images in Amazon S3 and needs to ensure that data will not be lost even if an entire AWS data…
- A startup company is building a new application that will store customer profile images. The company wants the storage solution to provide…
- A company is presenting AWS cloud benefits to their board of directors. The team needs to explain how Amazon S3 achieves its high…
- A company stores critical financial reports in Amazon S3 using the S3 Standard storage class. The compliance team wants to understand how…
- A company stores critical business documents in Amazon S3 and needs to understand the data durability provided by the service. How does…
- A company stores mission-critical financial records that must be protected against hardware failures and remain accessible at all times.…
Cloud Design Principles
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cloud Migration Strategies
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cloud Economics
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Pay-as-you-go means no upfront commitment
The cloud consumption model charges only for the resources you actually use, with no minimum and no long-term commitment by default. AWS frames it as "pay only when you consume computing resources, and pay only for how much you consume." This trades a large fixed CapEx outlay for a variable expense that scales with demand.
Trap Treating a fixed monthly fee charged regardless of usage as pay-as-you-go. A flat recurring charge is the opposite of the consumption model.
4 questions test this
- A startup is building a new application and wants to benchmark workloads on Amazon EC2 before making any capacity commitments. The team…
- A startup company is launching a new application and is uncertain about the required compute capacity. The company needs the flexibility to…
- A startup company is deploying its first application on AWS with unpredictable traffic patterns. The development team cannot forecast the…
- A company is closing its on-premises data center, where it made large upfront hardware purchases regardless of how much capacity it…
- On-prem cost is more than hardware
On-premises total cost spans far more than the server purchase price: power, cooling, physical floor space, hardware refresh cycles, and the staff time spent racking, stacking, and maintaining servers. Moving to the cloud lets you "stop spending money running and maintaining data centers" and redirect that effort to the business.
Trap Costing on-premises only at the server purchase price and ignoring power, cooling, space, refresh cycles, and staff labor, which understates the true total cost of ownership the cloud displaces.
- Stop spending on undifferentiated heavy lifting
AWS absorbs the data-center heavy lifting (racking, stacking, and powering servers) and managed services remove the burden of patching operating systems and applications. This Cost Optimization design principle frees you to redirect spend and staff from infrastructure toward customer-facing, revenue-generating projects rather than IT plumbing.
Trap Assuming the racking, powering, and patching work simply shifts onto your own staff in the cloud, when AWS and its managed services absorb it so your people can move to revenue-generating work.
- BYOL reuses licenses you already own
Bring Your Own License (BYOL) lets you apply existing software licenses you already paid for (Windows Server, SQL Server, Oracle) to AWS resources instead of buying them again. You keep your own vendor support relationship and re-purpose your existing license inventory, avoiding a second purchase.
Trap Picking license-included pricing when you already own reusable Windows Server, SQL Server, or Oracle licenses, paying a second time for software you can bring with you under BYOL.
- License-included bundles the license in the rate
License-included pricing folds the third-party software license cost into the hourly instance rate, so you don't buy the license separately; AWS holds it. Choose it when you have no existing license and want simple pay-as-you-go; pick BYOL instead when you already own a reusable license.
Trap Reaching for BYOL when you have no existing license, which forces a fresh purchase, when license-included already bundles the software cost into the hourly rate for true pay-as-you-go.
- Dedicated Hosts are the BYOL vehicle
EC2 Dedicated Hostsgive you a physical server fully dedicated to your use and provide visibility into the number of sockets and physical cores. That visibility is why they support per-socket, per-core, and per-VM BYOL licenses (Windows Server, SQL Server, SUSE, RHEL) which are bound to the underlying hardware and need host affinity to stay compliant.Trap Reaching for Dedicated Instances when the license is bound to physical sockets or cores. Dedicated Instances give dedicated hardware but no visibility of sockets/cores, so they only partially support BYOL.
- Rightsizing matches resources to demand
Rightsizing continuously matches provisioned capacity to actual demand, so you stop paying for idle over-provisioned resources while still avoiding the performance risk of under-provisioning. It is the main source of ongoing cost savings once a workload is in the cloud, because cloud resources can be resized on demand rather than bought ahead.
Trap Treating Reserved Instance or Savings Plans commitments as rightsizing, when commitments only discount the rate and rightsizing is matching the instance size and count to actual demand.
3 questions test this
- After migrating workloads to AWS, an engineering manager wants AWS to analyze how the running Amazon EC2 instances actually use CPU,…
- A company operates several Amazon RDS database instances and believes some are over-provisioned for their actual workload. The company…
- A company already uses AWS Trusted Advisor but wants a service that analyzes historical utilization metrics and recommends optimal…
- Compute Optimizer recommends cost-effective sizes
AWS Compute Optimizeranalyzes configuration and CloudWatch utilization metrics (14-day default lookback) and recommends rightsizing acrossEC2instances, Auto Scaling groups,EBSvolumes, andLambdafunctions to cut cost and improve performance. When a question asks which service recommends a cheaper or better-fit instance size, this is the answer.Trap Naming Cost Explorer or Trusted Advisor as the dedicated machine-learning rightsizing engine across EC2, Auto Scaling, EBS, and Lambda, which is Compute Optimizer's specific role.
11 questions test this
- A company wants automated recommendations that analyze the utilization of its Amazon EBS volumes and suggest more cost-effective volume…
- A company runs containerized applications using Amazon ECS services on AWS Fargate and suspects the tasks are allocated more CPU and memory…
- After migrating workloads to AWS, an engineering manager wants AWS to analyze how the running Amazon EC2 instances actually use CPU,…
- A company operates several Amazon RDS database instances and believes some are over-provisioned for their actual workload. The company…
- A company already uses AWS Trusted Advisor but wants a service that analyzes historical utilization metrics and recommends optimal…
- A company is reviewing its workloads for the performance efficiency pillar of the Well-Architected Framework and wants automated…
- Users report that several of a company's Amazon EC2 instances run out of memory and CPU during peak hours, which suggests the instances may…
- A company suspects that many of its Amazon EC2 instances, Auto Scaling groups, and Amazon EBS volumes are over-provisioned. The company…
- A company runs many Amazon EBS volumes attached to its EC2 instances and believes several are provisioned with more capacity and throughput…
- A company runs an Amazon EC2 Auto Scaling group and wants recommendations indicating whether the instance types used in the group are…
- A company runs workloads on older-generation Amazon EC2 instances and wants data-driven recommendations that identify newer instance types…
- Automation cuts labor cost and idle spend
Automating operations reduces manual labor and human error, and scheduling idle dev/test resources to stop outside work hours can save up to ~75%. AWS's own example runs them 40 of the 168 weekly hours instead of all of them. The savings come from not paying for capacity that nobody is using.
- Cost Optimization is a Well-Architected pillar
The Well-Architected Cost Optimization pillar has five design principles: implement cloud financial management, adopt a consumption model, measure overall efficiency, stop spending money on undifferentiated heavy lifting, and analyze and attribute expenditure. Together they steer you toward paying only for value delivered rather than for raw infrastructure.
- Analyze and attribute expenditure
The cloud makes it easy to identify the cost and usage of each workload and attribute it transparently to revenue streams and individual workload owners. That attribution is what enables ROI measurement and underpins cost-allocation tagging, chargeback, and accountability for spend.
- Lift-and-shift alone may not save money
Migrating an oversized fleet unchanged can cost as much as, or more than, running it on-premises, because the savings come from rightsizing and shutting down idle resources, not from the move itself. Realized cloud savings depend on optimizing after migration, not on lift-and-shift alone.
Trap Assuming a lift-and-shift migration saves money by itself, when an oversized fleet moved unchanged can cost the same or more until you rightsize and shut down idle resources.
- Cost Explorer visualizes, groups, and forecasts cost and usage
AWS Cost Explorerprovides interactive graphs and tables to analyze cost and usage, filtering and grouping by dimensions such as service, linked account, Region, and cost-allocation tag to surface cost drivers. It shows up to the last 13 months of history and forecasts roughly the next 18 months from past patterns, and it generates rightsizing and Reserved Instance / Savings Plans purchase recommendations from your prior On-Demand usage.Trap Choosing AWS Budgets to visualize, group, and analyze historical cost drivers, when Budgets sets thresholds and alerts and Cost Explorer is the tool for interactive analysis and forecasting.
19 questions test this
- A company has multiple AWS accounts managed through AWS Organizations. The cloud financial management team wants to identify Amazon EC2…
- A company wants to analyze its AWS spending patterns over the past year and compare month-over-month cost changes by service. The company…
- A cloud operations team wants to analyze which AWS services are driving the most cost in their environment and identify potential cost…
- A company tags all of its AWS resources by department. The finance team wants to visualize and break down the company's historical AWS…
- A company uses AWS Organizations with multiple member accounts and wants to understand which linked accounts are driving the most AWS costs…
- A finance analyst at a large enterprise wants to break down and visualize how much each individual member account is spending so the…
- A company wants to compare its AWS spending from the previous month with the same month one year ago to identify year-over-year cost…
- A startup company needs to analyze how their AWS spending has changed over the past two years on a monthly basis to identify seasonal usage…
- A finance team wants to review the past several months of AWS spending and project likely future costs based on the account's historical…
- A financial analyst needs to create a visual report showing daily AWS spending trends grouped by AWS service for the past 14 days with…
- A financial services company is evaluating their Amazon EC2 usage to identify cost optimization opportunities. They want to receive…
- A manager notices that the monthly AWS bill is rising and wants to identify which services and time periods are driving the increase by…
- A manager wants to explore historical cost and usage data over several months using charts and filters to understand which AWS services are…
- A financial analyst needs to identify which Amazon EC2 instances are idle or underutilized to reduce unnecessary spending. The analyst…
- A company has been using AWS for six months and wants to analyze their spending patterns over the past year to identify cost trends by AWS…
- A company uses AWS Cost Explorer to understand their cloud spending trends. The finance team wants to forecast their AWS costs for the next…
- A company wants to analyze how its AWS costs have changed over the past three years to identify seasonal spending patterns and plan for…
- A company is reviewing their AWS compute costs and wants to identify opportunities to reduce expenses by analyzing their current On-Demand…
- A financial analyst at a company needs to compare this quarter's AWS spending against the same quarter from the previous year to identify…
- AWS Budgets forecasted alerts warn before you exceed budget
AWS Budgetscan alert on actual spend (after it accrues) or on forecasted spend (before it accrues). A forecasted alert fires when current patterns are projected to cross your threshold, giving you time to act proactively instead of finding out after the overspend. Forecasting needs some usage history before AWS can project a trend.Trap Expecting a forecasted alert to fire on a brand-new account with no usage history, when forecasting needs enough prior usage before AWS can project a trend.
5 questions test this
- A startup wants to receive notifications before their monthly AWS costs exceed their budget, rather than only being alerted after exceeding…
- A company wants to be notified when their monthly AWS costs are projected to exceed their allocated budget before the month ends, allowing…
- A startup needs to receive alerts before they actually exceed their monthly AWS budget. Which AWS Budgets notification type should they…
- A startup company wants to monitor their AWS spending and receive email alerts when their monthly costs reach 80% of their allocated…
- A financial analyst at a company wants to receive email alerts before the monthly AWS costs exceed the allocated budget amount. The analyst…
- AWS Budgets actions automate cost control at a threshold
AWS Budgetsactions turn an alert into enforcement: when a budget threshold is crossed they can apply an IAM policy that denies provisioning of new resources, attach a service control policy (SCP), or stop targetedEC2orRDSinstances. Each action runs either automatically or only after your manual approval, so a budget alert becomes real, enforced cost control.Trap Assuming a budget alert by itself stops spending, when only a configured Budgets action enforces control by denying provisioning, attaching an SCP, or stopping EC2 or RDS instances.
6 questions test this
- A company wants AWS Budgets to automatically stop specific Amazon EC2 instances when actual spending exceeds 90% of their monthly budget.…
- A development team wants to automatically prevent new resource provisioning when their AWS spending reaches 90% of their monthly budget.…
- A company wants AWS Budgets to automatically apply an IAM policy that prevents users from launching new EC2 instances when the monthly…
- A startup company wants to monitor their AWS spending and receive email alerts when their monthly costs reach 80% of their allocated…
- A startup wants to prevent unexpected cloud costs by automatically restricting the provisioning of new AWS resources when their monthly…
- A startup wants to automatically stop Amazon EC2 instances when their monthly AWS costs reach 90% of the allocated budget. Which AWS…
- AWS Pricing Calculator: free, no account, pre-tax estimates
AWS Pricing Calculatoris a free public web tool (at calculator.aws) that needs no AWS account or cloud experience, letting you model and price a solution before building it. Estimates include upfront, monthly, and annual costs but exclude any taxes, and you can sort them into groups that mirror your architecture and export them as CSV/PDF or a shareable saved link for stakeholders.Trap Reaching for AWS Pricing Calculator to analyze what you have already spent, when it only estimates a solution before you build it and Cost Explorer reports actual historical cost.
8 questions test this
- A startup company wants to use AWS Pricing Calculator to estimate costs for a new application deployment. They have never used AWS before.…
- A multinational corporation is building a business case for cloud migration. The migration team needs to organize cost estimates by…
- A startup company wants to estimate cloud costs before creating an AWS account. The company needs to understand the potential monthly…
- A company is evaluating a migration from on-premises infrastructure to AWS. The finance team needs to estimate the monthly cost of running…
- A company is comparing the costs of running workloads in their on-premises data center versus migrating to AWS. The IT team needs to…
- A company is planning to migrate its on-premises data center to AWS and needs to estimate the monthly costs for running Amazon EC2…
- A cloud architect has completed a cost estimate using AWS Pricing Calculator for a proposed cloud migration. The architect needs to share…
- A financial analyst is using AWS Pricing Calculator to prepare a comprehensive budget proposal for a cloud migration project. The analyst…
- EC2 purchasing options and when to use each
On-Demand carries no commitment and suits new, spiky, or unpredictable workloads. For steady, predictable usage, Reserved Instances and Savings Plans give large discounts (up to ~72%) in exchange for a 1- or 3-year commitment, with longer terms and All Upfront payment maximizing the discount. Standard RIs give the deepest discount but are fixed; Convertible RIs trade some discount for the ability to exchange instance attributes; EC2 Instance Savings Plans commit to an instance family in a Region while keeping size, AZ, and OS flexibility. A zonal (AZ-scoped) RI additionally reserves capacity in that Availability Zone, whereas a regional RI does not.
Trap Putting an unpredictable, spiky workload on a 3-year All Upfront commitment to chase the headline discount. You pay for reserved capacity that often sits idle, wiping out the savings.
6 questions test this
- A company is using a mix of EC2 instances across multiple instance families in a single AWS Region. The company wants to achieve…
- A company wants to purchase Reserved Instances for Amazon EC2 and needs the ability to exchange them for different instance attributes as…
- A startup is building a new application and wants to benchmark workloads on Amazon EC2 before making any capacity commitments. The team…
- A startup company is deploying its first application on AWS with unpredictable traffic patterns. The development team cannot forecast the…
- A company needs to reduce costs for a database application that will run continuously on the same EC2 instance type for the next three…
- A company has unpredictable workloads that occasionally require guaranteed capacity in a specific Availability Zone. They need assurance…
- AWS License Manager governs and tracks software licenses
AWS License Managercentrally tracks software-license consumption across AWS and on-premises (via Systems Manager inventory) from a single dashboard, and enforces rule-based hard or soft limits so usage stays within your purchased agreements; it is the governance tool for BYOL. It reduces the risk of overages and audit penalties, and lets software vendors (ISVs) issue and distribute licenses to their customers.Trap Naming AWS Systems Manager as the tool that enforces license limits and tracks consumption, when Systems Manager supplies inventory but License Manager is the governance tool that enforces the rules.
4 questions test this
- A company runs commercial database software both in its on-premises data center and on Amazon EC2 instances. The company wants a single…
- A company is moving to AWS and must decide between bringing its existing software licenses to AWS and using licenses included in the…
- An IT administrator wants to enforce limits on how many software licenses are consumed and prevent staff from launching more instances than…
- An independent software vendor distributes its application to customers who run it on AWS. The vendor wants to centrally issue software…
- Systems Manager automates fleet operations to cut labor cost
AWS Systems Managercentrally automates repetitive operational work across a large fleet without logging into servers: applying OS patches (Patch Manager), running one command on many nodes (Run Command), executing multi-step runbooks (Automation), and collecting software and configuration inventory. Replacing manual per-instance work at scale cuts operational effort and labor cost.Trap Reaching for Systems Manager to track license entitlements or recommend cheaper instance sizes, when those are License Manager and Compute Optimizer, while Systems Manager automates patching, commands, and runbooks.
4 questions test this
- An operations team spends significant time manually logging in to hundreds of Amazon EC2 instances to apply operating system patches. The…
- A company wants to centrally automate routine operational tasks, such as running the same command across a large fleet of servers, rather…
- A company has hundreds of existing servers and currently logs in to each one manually to gather details about installed software and…
- A company spends many staff hours manually performing multi-step operational procedures on existing instances, such as creating images and…
Security and Compliance
Security, Governance & Compliance
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Access Management
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- IAM is free and global
AWS Identity and Access Management (IAM)controls who is authenticated and authorized in an account, and it's a feature of your AWS account offered at no additional charge. You pay only for the other services your identities then use. It's global, not Regional, so a user, group, role, or policy you create works the same in every AWS Region rather than being scoped to one.Trap Assuming an IAM user or policy must be re-created per Region or that IAM carries a separate charge. IAM is global and free, unlike most AWS services.
- Root user has unrestricted access
The account root user signs in with the email address used to create the account and has complete access to every AWS service and resource. That access is effectively unlimited, which is why AWS strongly recommends not using it for everyday work and instead creating a separate administrative identity.
- Protect root with MFA and remove its access keys
Securing the root user means enabling
MFAon it, not creating (or deleting any existing) root access keys, and doing daily work from a separate administrative identity. AWS now mandates rootMFAand requires it to be registered within 35 days of the first console sign-in; the exam rewards answers that lock the root user away rather than hand it programmatic keys.Trap Creating root access keys so automation can run as the root user. Workloads should use an IAM role, and root should hold no access keys at all.
5 questions test this
- Following AWS best practices, what should a company do to protect its AWS account root user while still performing everyday administrative…
- A company is setting up their first AWS account and wants to follow security best practices for the root user. According to AWS…
- A security team wants to add an extra layer of sign-in protection to the AWS account root user so that a password alone is not sufficient…
- A startup recently created a new AWS account and needs to secure it according to AWS best practices. The account administrator wants to…
- A company recently created a new AWS account. The security team wants to implement multi-factor authentication (MFA) as quickly as possible…
- Some tasks are root-only
A short list of actions can be performed only by signing in as the root user, including changing the account's root email or password, closing the AWS account, restoring access after an IAM administrator locks themselves out, registering as a Reserved Instance Marketplace seller, and enabling S3 MFA Delete. For everything else, use an IAM or Identity Center administrative identity.
Trap Assuming routine admin work such as creating users or editing IAM policies needs the root user. Those are everyday IAM tasks, not the narrow root-only list.
- Least privilege limits blast radius
Least privilege means granting only the permissions an identity needs for its task and nothing more, narrowing what a compromised or mistaken credential can touch. On the exam, an option that attaches full administrator or
*permissions for convenience is almost always the wrong choice.Trap Attaching AdministratorAccess or a wildcard
*policy 'to keep things simple'. Convenience over least privilege is the classic distractor.6 questions test this
- A company is reviewing its IAM policies to implement least privilege access. The security team discovers that AWS managed policies attached…
- A security team configures each new IAM user to start with no permissions and then grants only the specific permissions required to perform…
- According to AWS security best practices, which principle should a company follow when assigning permissions to IAM users and roles?
- A company is using AWS managed policies for common job functions but wants to further restrict permissions for a specific team. What is the…
- An application running on an Amazon EC2 instance needs to read objects from an Amazon S3 bucket. The company wants to grant this access…
- A security administrator must give a data analyst permission to perform only a defined set of Amazon Athena and Amazon S3 actions, with no…
- Groups manage permissions for many users
An
IAMuser group is a collection of users that share the policies attached to the group, so adding a user to the group grants them its permissions in one step. Groups can't be nested (they hold only users, not other groups) and a group is not itself a principal you can authenticate or name in a policy'sPrincipal.Trap Treating a group as something you can sign in as or reference as a Principal in a resource policy. Groups relate to permissions, not authentication.
6 questions test this
- A company has multiple development teams with different AWS access requirements. The security team wants to simplify permissions management…
- A company wants to grant the same permissions to multiple IAM users who perform similar job functions. The company needs an efficient way…
- A company has 50 developers who need the same set of permissions to access Amazon S3 and Amazon EC2 resources. The security team wants to…
- A company's security policy requires that IAM policies attached to developers can ONLY be changed by security administrators, not by the…
- A company has multiple employees who need identical permissions to access AWS services. Following the principle of least privilege, what is…
- A company has multiple teams of developers who need identical permissions to access AWS resources. The security administrator wants to…
- Roles give temporary, auto-rotating credentials
An
IAMrole has no long-term password or access keys; when a principal assumes it,AWS STSissues short-lived credentials for that session that rotate automatically. Roles are the recommended way to grant access to AWS compute (Amazon EC2,AWS Lambda), to federated users, and across accounts.Trap Picking an IAM user with long-term access keys to grant an EC2 instance or Lambda function permissions. A role with auto-rotating temporary credentials is the recommended choice.
17 questions test this
- A company wants to allow users who are authenticated by a third-party identity provider to access AWS resources without creating individual…
- An application assumes an IAM role to obtain credentials that automatically expire after a short period instead of relying on long-term…
- A company contracts a third-party monitoring vendor that operates in its own separate AWS account and needs ongoing access to certain…
- A company's security team wants to allow users in a development AWS account to access resources in a production AWS account without sharing…
- A company runs an application on an Amazon EC2 instance. The application needs to read objects from an Amazon S3 bucket, and the company…
- A company wants to allow an application running on an Amazon EC2 instance to access an Amazon S3 bucket without storing long-term…
- An organization wants to grant an application running on an Amazon EC2 instance access to Amazon S3 without storing long-term credentials…
- A company needs to allow an application running on Amazon EC2 instances to securely access Amazon S3 buckets without storing long-term…
- Developers at a company need elevated permissions only occasionally to perform certain maintenance tasks. The security team wants to grant…
- An application running on an Amazon EC2 instance needs to access objects stored in Amazon S3. According to AWS security best practices, how…
- A security team is reviewing AWS IAM best practices. They want to ensure that applications running on Amazon EC2 instances access other AWS…
- An application running on an Amazon EC2 instance needs to read objects from an Amazon S3 bucket. The company wants to grant this access…
- A company has multiple AWS accounts and wants to allow users in a development account to access resources in a production account without…
- A company is building an application that runs on Amazon EC2 instances and needs to access Amazon DynamoDB tables. The security team…
- A company is implementing a security best practice for applications that require AWS access. The security team wants to ensure that…
- A company wants its IAM users to perform daily work with limited permissions but temporarily gain a higher level of permissions only when…
- A company wants to grant an Amazon EC2 instance secure access to an Amazon S3 bucket without storing long-term credentials on the instance.…
- Use roles, not access keys, for workloads
For workloads on AWS compute such as
Amazon EC2orAWS Lambda, attach anIAMrole rather than embedding an IAM user's access keys. AWS delivers and rotates the role's temporary credentials to the resource automatically, so there are no long-lived secrets to distribute or leak.Trap Storing an IAM user's access keys on an EC2 instance or in a Lambda environment variable. Embedded long-term keys are exactly what an attached role removes.
9 questions test this
- A company runs an application on an Amazon EC2 instance. The application needs to read objects from an Amazon S3 bucket, and the company…
- A company wants to allow an application running on an Amazon EC2 instance to access an Amazon S3 bucket without storing long-term…
- An organization wants to grant an application running on an Amazon EC2 instance access to Amazon S3 without storing long-term credentials…
- A company needs to allow an application running on Amazon EC2 instances to securely access Amazon S3 buckets without storing long-term…
- An application running on an Amazon EC2 instance needs to access objects stored in Amazon S3. According to AWS security best practices, how…
- A security team is reviewing AWS IAM best practices. They want to ensure that applications running on Amazon EC2 instances access other AWS…
- An application running on an Amazon EC2 instance needs to read objects from an Amazon S3 bucket. The company wants to grant this access…
- A company is building an application that runs on Amazon EC2 instances and needs to access Amazon DynamoDB tables. The security team…
- A company wants to grant an Amazon EC2 instance secure access to an Amazon S3 bucket without storing long-term credentials on the instance.…
- AWS managed vs customer managed policies
AWS managed policies are standalone policies written and updated by AWS for common use cases; customer managed policies are ones you create and tune for your specific needs. AWS advises starting from a managed policy (often by copying one) and tightening toward least privilege, since a broad managed policy rarely matches your exact requirement.
Trap Assuming you can edit an AWS managed policy to fit your needs. AWS owns and updates those, so you copy one into a customer managed policy to customize it.
19 questions test this
- A company wants to implement least-privilege access for its AWS resources. The security team needs to provide developers with permissions…
- A company is reviewing its IAM policies to implement least privilege access. The security team discovers that AWS managed policies attached…
- A company wants to grant permissions to IAM users efficiently while maintaining the ability to update permissions centrally. The company…
- A company wants to grant specific permissions to an IAM role while maintaining the ability to reuse the same set of permissions across…
- A company wants to grant its development team read-only access to Amazon EC2 and Amazon S3. The security administrator needs a solution…
- A company wants to create reusable permission policies that can be attached to multiple IAM users, groups, and roles across their AWS…
- A company wants to assign permissions to its IAM users by using predefined, standalone policies that AWS creates and maintains for common…
- A company is using AWS managed policies for common job functions but wants to further restrict permissions for a specific team. What is the…
- A security administrator needs to create an IAM policy that can be reused across multiple IAM users, groups, and roles while allowing the…
- A cloud administrator needs to create IAM policies tailored to the company's specific security requirements. The administrator wants full…
- A company's security policy requires that IAM policies attached to developers can ONLY be changed by security administrators, not by the…
- A cloud architect needs to grant permissions for common use cases across multiple IAM users in an AWS account. The architect wants a policy…
- A company's security policy requires that IAM policies be reusable across multiple IAM users, groups, and roles while being maintained and…
- A company wants to create a reusable permission set that can be attached to multiple IAM users and roles, and updated centrally when…
- A company wants to grant permissions to IAM users by using ready-made policies that align with common IT job functions and are kept up to…
- A company needs to grant permissions to an IAM user for a specific use case that no AWS managed policy adequately addresses. The security…
- A company is starting to implement IAM policies for new workloads and wants to grant common permissions quickly while understanding that…
- A security administrator must give a data analyst permission to perform only a defined set of Amazon Athena and Amazon S3 actions, with no…
- An administrator needs to apply the same permissions policy to multiple IAM users in different groups across the organization. The policy…
- MFA adds a second authentication factor
Multi-factor authentication requires something you have (a passkey or FIDO security key, a virtual authenticator app, or a hardware TOTP token) in addition to the password, so a stolen password alone can't sign in. AWS recommends enabling
MFAfor the root user and all privileged IAM users, and now ends support for SMS-based MFA.Trap Treating a strong or rotated password as multi-factor authentication. MFA requires a second, separate factor such as a security key or authenticator app, not just a better password.
4 questions test this
- A company wants each of its IAM users to provide a one-time code from an authentication app in addition to a password when they sign in to…
- A company enables multi-factor authentication for AWS Management Console sign-in. In addition to entering a password, which item represents…
- A company recently created a new AWS account. The security team wants to implement multi-factor authentication (MFA) as quickly as possible…
- A company wants to require a privileged IAM user to provide both a password and a one-time code from an authentication device when signing…
- Password policies set credential rules
An IAM account password policy sets minimum length, required character types, expiration, and reuse rules for IAM user console passwords. It governs only IAM user passwords (not the root user password, not access keys, and not federated or role-based sign-in) and it can't enforce a lockout after failed attempts.
Trap Expecting the IAM password policy to govern the root user's password or lock accounts after failed logins. It applies only to IAM user passwords and has no failed-attempt lockout.
- Secrets Manager stores and rotates secrets
AWS Secrets Managerencrypts secrets withAWS KMSand can rotate them automatically on a schedule, with managed (no-Lambda) rotation forAmazon RDS,Amazon Aurora,Amazon Redshift, andAmazon DocumentDBcredentials. Pick it over Parameter Store when you need built-in scheduled rotation of database or API credentials.Trap Reaching for Systems Manager Parameter Store when the requirement is automatic credential rotation. Parameter Store stores secrets but does not rotate them.
6 questions test this
- Some developers have proposed saving the application's sensitive credentials in a shared file inside an Amazon S3 bucket. The security team…
- A development team needs to store third-party API keys for an application, retrieve them at runtime, and have them rotated automatically on…
- A security review finds that developers have hardcoded database passwords directly in their application source code. The company must…
- A company already uses AWS Key Management Service (AWS KMS) to manage its encryption keys. The company now needs a service whose primary…
- A web application uses SSL/TLS certificates for its HTTPS endpoints and also relies on a database password to connect to its backend. The…
- An application connects to an Amazon RDS database using a password. The company wants to store this database credential securely and have…
- Parameter Store is the low-cost secret/config option
AWS Systems ManagerParameter Store holds configuration values and secrets, encryptingSecureStringparameters withAWS KMS, and its standard tier carries no additional charge. Choose it for simple, low-cost storage when you don't need automatic rotation. AWS itself points you toSecrets Managerfor rotating credentials.Trap Choosing Parameter Store when the requirement calls for built-in automatic rotation. That scheduled rotation is Secrets Manager's job, not Parameter Store's.
3 questions test this
- A company wants a single place to store credentials and other configuration values used by its applications. Staff update these values…
- A company wants a central, low-cost place to store application configuration data, including a few values that must be encrypted. The…
- A development team wants a low-cost way to centrally store application configuration data, such as plaintext settings and encrypted secure…
- Never hard-code secrets in code
Database passwords, API keys, and tokens belong in
AWS Secrets ManagerorAWS Systems ManagerParameter Store, not in source code or config files where anyone who can read the app can extract them. The application fetches the secret at runtime, so credentials never live in the codebase.Trap Treating an encrypted source file or a 'private' repository as a safe place to store credentials. Anyone who can read the app can extract embedded secrets, so they belong in Secrets Manager or Parameter Store.
- IAM Identity Center centralizes workforce access
AWS IAM Identity Center(renamed from AWS Single Sign-On in 2022) gives employees one sign-in and one portal to all the AWS accounts and applications they're assigned, and can connect to an existing identity provider. It's the answer for centralized workforce access across many accounts, instead of creating duplicate IAM users in each one.Trap Creating duplicate IAM users in every account for centralized employee access. IAM Identity Center provides one sign-in across all accounts and is the intended answer.
3 questions test this
- A company manages its workforce identities in a corporate directory and wants employees to use a single sign-on experience to access…
- A company manages many AWS accounts in AWS Organizations and wants its employees to sign in one time and then access assigned AWS accounts…
- A company uses an external corporate identity provider and wants employees to sign in once to access multiple AWS accounts in its AWS…
- Permission sets assign multi-account access
In
AWS IAM Identity Centeryou define a permission set (a reusable template of IAM policies) then assign a group to an account with it; Identity Center provisions a matching IAM role in that account and lets the users assume it. Sessions are temporary, defaulting to a one-hour AWS account session (up to 12 hours).- Federation reuses existing logins
Identity federation lets users authenticate with an external identity provider (a corporate directory or a SAML 2.0 / OIDC provider) and then assume an
IAMrole for temporary AWS access. No new AWS password is created and access stays managed in the existing directory, so there are no long-term AWS credentials to distribute.Trap Creating a matching IAM user for each employee already in the corporate directory. Federation lets them assume a role with their existing login instead of issuing new AWS credentials.
4 questions test this
- A company wants to allow users who are authenticated by a third-party identity provider to access AWS resources without creating individual…
- A company manages its workforce identities in a corporate directory and wants employees to use a single sign-on experience to access…
- A company manages many AWS accounts in AWS Organizations and wants its employees to sign in one time and then access assigned AWS accounts…
- A company uses an external corporate identity provider and wants employees to sign in once to access multiple AWS accounts in its AWS…
- Cross-account roles avoid duplicate users
To let one account's principals work in another account you own, create an
IAMrole in the target account whose trust policy names the source account, then grant those principals permission to callSTSAssumeRole. This delegates access without creating and maintaining duplicate IAM users in every account.Trap Creating a second IAM user with its own access keys in the other account for cross-account access. A role assumed via STS delegates access without duplicate users or long-term keys.
4 questions test this
- A company contracts a third-party monitoring vendor that operates in its own separate AWS account and needs ongoing access to certain…
- A company's security team wants to allow users in a development AWS account to access resources in a production AWS account without sharing…
- A company wants to grant users in Account A access to resources in Account B. The company does not want to create duplicate IAM users in…
- A company has multiple AWS accounts and wants to allow users in a development account to access resources in a production account without…
- Workforce identity is not application end-user identity
IAMandAWS IAM Identity Centergovern your workforce's access to AWS accounts and resources. Signing in the end users of your own web or mobile app is a separate customer-identity concern handled byAmazon Cognito, not by these workforce services.Trap Choosing IAM Identity Center to authenticate the customers of your public app. That's Amazon Cognito's job; Identity Center is for your workforce.
- FIDO security keys are the phishing-resistant MFA option
FIDO security keys are physical devices that use public-key cryptography for strong, phishing-resistant authentication that TOTP codes can't match. They need no batteries, and a single key can back multiple root and IAM users, which makes them AWS's recommended MFA type for highly privileged accounts.
Trap Picking an SMS text-message or TOTP authenticator code as the phishing-resistant MFA option. Only FIDO security keys use public-key cryptography that resists phishing.
6 questions test this
- A company wants to enhance security for their AWS account by implementing MFA. The security team requires a phishing-resistant…
- A security administrator needs to implement the MOST phishing-resistant multi-factor authentication (MFA) method for highly privileged IAM…
- A company's security policy requires the strongest, phishing-resistant multi-factor authentication (MFA) for administrators who sign in to…
- A company wants to use physical MFA devices to protect its AWS account root user and IAM users. The security team is evaluating hardware…
- A company is evaluating MFA options for their IAM users who access the AWS Management Console. The security team requires a solution that…
- A security administrator needs to implement the strongest phishing-resistant multi-factor authentication for the AWS account root user. The…
- IAM policy types: identity-based, inline, trust, and service-linked
Identity-based policies are JSON documents attached to IAM users, groups, or roles to define what they can do. An inline policy is embedded in a single identity in a strict one-to-one relationship and is deleted with it; a managed policy is preferred when more than one identity needs it. A role's trust policy names which principals may assume the role, and a service-linked role is predefined and owned by an AWS service, so administrators can view but not edit its permissions.
4 questions test this
- A company is setting up Amazon Lex bots and notices that AWS automatically creates a role with specific permissions for the service. The…
- A company wants to grant permissions by attaching JSON permissions documents directly to its IAM users, groups, and roles to control what…
- A company wants to attach a permissions policy that maintains a strict one-to-one relationship with a single IAM user, so that the policy…
- A solutions architect needs to configure an IAM role that allows an AWS service to perform actions on behalf of the company. The role must…
Security Components & Resources
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cloud Technology and Services
Deployment & Operating Methods
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Console, CLI, SDKs, and APIs all hit one control plane
The
AWS Management Console,AWS CLI, andAWS SDKsare all clients that ultimately call the same public serviceAPIs: the API is the single control plane beneath all of them. Picking a method is a workflow choice (clicking vs. scripting vs. embedding in app code), not a capability choice, since none of them can do anything the API can't.Trap Assuming the CLI or SDK can perform some action the Console can't (or vice versa), when all four are just clients of the same underlying API and share its capabilities.
- Anything you can do in the Console is also in the CLI/API
AWS commits that all IaaS administration, management, and access functions available in the
Management Consoleare also available through theAPIandAWS CLI; new IaaS features reach full Console parity through the API and CLI at launch or within 180 days of launch. So "the Console can do it but the CLI can't" is essentially never the right reasoning for an IaaS task.Trap Treating an IaaS task as Console-only because it looks click-driven, when AWS guarantees the same functions through the API and CLI within 180 days of a feature's launch.
- The Management Console is the browser-based GUI
The
AWS Management Consoleis a browser-based, point-and-click interface, best for one-time setup, learning, visual exploration, and dashboards. Its weakness is repeatability: clicks leave no reusable artifact, so the same setup done twice can drift apart.3 questions test this
- A cloud practitioner needs to make a single ad-hoc adjustment to one existing AWS resource. The change will never need to be repeated or…
- A finance manager wants to review cost and resource dashboards interactively in a web browser and check overall account activity at a…
- A new cloud team member who is unfamiliar with AWS wants to explore services and launch resources by using a visual, point-and-click web…
- Reach for the CLI to script and automate from a terminal
The
AWS CLIis a single command-line tool that gives direct access to the public service APIs from your shell, with commands roughly equivalent to the Console's actions. That makes tasks scriptable, repeatable, and automatable: the answer when a scenario says "automate," "from a script," or "from the terminal."Trap Choosing the SDK for a shell-driven automation task, when 'from a script' or 'from the terminal' points at the CLI rather than embedding calls in application code.
3 questions test this
- A systems administrator needs to manage AWS resources by writing automated shell scripts that run commands from a terminal. Which access…
- A company wants a single downloadable tool that administrators can use to control multiple AWS services by typing commands at a terminal on…
- A DevOps engineer wants to add AWS commands into an existing continuous integration pipeline's shell scripts so that test resources are…
- Use SDKs to call AWS from inside application code
AWS SDKsare language-specific libraries (Python, JavaScript, Java, .NET, Go, and more) for calling AWS services programmatically from within your own application. The cue is "from my application" or a named language: an app integrating S3 or DynamoDB uses the SDK, not the CLI.Trap Reaching for the CLI when the scenario says 'from my application' or names a programming language, where calling AWS in-process is the SDK's job, not the shell's.
4 questions test this
- A company's development team needs to build an application that programmatically interacts with multiple AWS services. The application must…
- A developer wants to integrate AWS service calls directly into a custom Python application by using language-specific libraries. Which…
- A company's development team needs to build applications that interact with AWS services. The team includes developers using Java, Python,…
- A company wants to integrate AWS services into their custom Java application to automate S3 bucket management. The development team wants…
- Every AWS action is ultimately an API call
Service
APIsare the common foundation beneath the Console, CLI, and SDKs: each of those is just a different front end onto the same HTTPS API calls. Understanding this explains why a permission, a quota, or an action behaves identically no matter which interface you used.- One-off clicks are fine; repeatability needs scripting or IaC
Manual
Consoleclicks suit a one-time task, but repeating them by hand invites configuration drift and inconsistency between environments. When a scenario stresses consistent, repeatable provisioning across accounts or Regions, the answer shifts to scripting (CLI/SDK) or Infrastructure as Code (CloudFormation).Trap Reaching for the Console to stand up identical environments repeatedly, where manual clicks guarantee drift instead of a reproducible result.
- CloudFormation is AWS-native Infrastructure as Code
AWS CloudFormationis AWS's Infrastructure as Code service: you describe resources in a declarative JSON or YAML template, and it provisions and configures the whole collection together as a single unit called a stack, handling dependency ordering for you. It's the AWS-native answer whenever a scenario wants resources modeled as code and deployed predictably.9 questions test this
- A company needs to provision an identical set of networking, compute, and database resources repeatedly across its development, test, and…
- A development team wants to deploy identical infrastructure to multiple AWS Regions using AWS CloudFormation. Which approach should the…
- A company is adopting infrastructure as code practices using AWS CloudFormation. What is a PRIMARY benefit of using CloudFormation…
- A developer wants to integrate AWS resource provisioning into an automated deployment pipeline so that infrastructure is created the same…
- An operations team currently builds its environments by manually clicking through the console, which has led to inconsistent results and…
- A company wants to manage a collection of related AWS resources as a single unit that can be provisioned, updated, and removed together by…
- A company wants to define its AWS infrastructure in reusable template files so that identical environments can be deployed repeatedly…
- A company uses AWS CloudFormation to manage its infrastructure. When creating a new stack, CloudFormation provisions the resources that are…
- A company wants to replicate an identical infrastructure stack in a second AWS Region for disaster recovery, using version-controlled…
- IaC gives repeatable, version-controlled, reviewable environments
Infrastructure as Code defines resources in a text template, so environments can be reproduced identically, committed to version control, peer-reviewed, and torn down on demand: the same revision discipline developers apply to source code. It's the right answer when a scenario stresses consistency, repeatability, or change tracking.
10 questions test this
- A company needs to provision an identical set of networking, compute, and database resources repeatedly across its development, test, and…
- A development team wants to deploy identical infrastructure to multiple AWS Regions using AWS CloudFormation. Which approach should the…
- A company is adopting infrastructure as code practices using AWS CloudFormation. What is a PRIMARY benefit of using CloudFormation…
- A company needs to deploy the same standardized set of resources into several AWS accounts and multiple Regions in a consistent, repeatable…
- A developer wants to integrate AWS resource provisioning into an automated deployment pipeline so that infrastructure is created the same…
- An operations team currently builds its environments by manually clicking through the console, which has led to inconsistent results and…
- A solutions team is deciding which task is best suited to infrastructure as code rather than a one-time manual operation. Which scenario is…
- A company wants to manage a collection of related AWS resources as a single unit that can be provisioned, updated, and removed together by…
- A company wants to define its AWS infrastructure in reusable template files so that identical environments can be deployed repeatedly…
- A company wants to replicate an identical infrastructure stack in a second AWS Region for disaster recovery, using version-controlled…
- CloudFormation itself is free; you pay only for what it builds
There is no additional charge for
AWS CloudFormationwhen it provisions AWS resource types (theAWS::*namespace): you pay only for the underlying resources it creates, exactly as if you'd made them by hand. (Third-party/registry resource types and Hooks are the narrow exception, billed per handler operation.)Trap Assuming CloudFormation adds a service fee on top of the resources it provisions, when AWS resource types carry no extra CloudFormation charge.
- CloudFormation auto-rolls-back on failure and spans accounts/Regions
AWS CloudFormationmanages a stack as one unit: if a create or update fails, it automatically rolls the resources back to their previous working state rather than leaving a half-built stack. With StackSets, a single template can also deploy and manage resources across many accounts and Regions at once.- Workloads run cloud, hybrid, or on-premises
A deployment model is chosen by where the workload runs: cloud (fully in AWS), hybrid (cloud resources connected to existing on-premises infrastructure), or on-premises (your own data center, sometimes called private cloud). Match it to latency, data-residency, and migration constraints rather than treating cloud as automatically correct.
- A cloud deployment runs the whole application in AWS
A cloud (all-in) deployment runs every part of the application in AWS, whether built there natively or migrated in, giving elasticity, global reach, and pay-as-you-go pricing with no hardware to own. It's the default for cloud-native apps with no on-premises tie.
- Hybrid connects on-premises infrastructure to AWS
A hybrid deployment connects existing on-premises infrastructure with cloud resources, extending the data center into AWS rather than replacing it. The usual drivers are phased migration, low-latency local processing, data-residency rules, and protecting prior on-premises investment.
4 questions test this
- A retail company is moving its existing applications to AWS but must continue operating a legacy inventory system in its own data center…
- A government agency operates in a country that has no nearby AWS Region. Regulations require citizen data to be processed within the…
- An insurance company will keep its core mainframe system running in its own data center while building all new customer-facing applications…
- A manufacturing company must keep certain workloads running on its own factory floor because of very low latency requirements and local…
- Outposts extends AWS hardware and APIs into your facility
AWS Outpostsis a fully managed service that places AWS-designed hardware in your own data center and runs it using the same APIs, tools, and management as an AWS Region: AWS operates it as an extension of a Region. It's the go-to for a consistent hybrid experience when low-latency or local-data needs require AWS infrastructure on-site.Trap Picking a plain Site-to-Site VPN or Direct Connect link when the requirement is actually AWS compute and storage physically on-premises, which only Outposts provides.
3 questions test this
- Which statement correctly describes the difference between AWS Local Zones and AWS Outposts?
- A government agency operates in a country that has no nearby AWS Region. Regulations require citizen data to be processed within the…
- A manufacturing company must keep certain workloads running on its own factory floor because of very low latency requirements and local…
- An on-premises deployment keeps everything in your data center
An on-premises (private cloud) deployment runs entirely in your own data center using virtualization and resource-management tools, with no public-cloud component, forgoing most cloud benefits in exchange for dedicated, fully local resources. It's chosen when strict isolation or full physical control is mandatory.
- Let keywords steer you to the right interface
Map the scenario's wording to the interface: "point-and-click / new to AWS / visual" →
Console; "script / terminal / automate" →CLI; "from my application code / a named language" →SDK; "repeatable / consistent / template / Infrastructure as Code" →CloudFormation. The keyword is usually the whole signal.8 questions test this
- A development team is building an iOS application and wants the app to call AWS services directly from within its source code by using a…
- A company wants to automate the process of creating Amazon EC2 instances and managing Amazon S3 buckets across multiple AWS accounts. A…
- A company wants to automatically tear down its non-production environments every evening and recreate them identically each morning to…
- A non-technical project manager who is new to AWS needs to view account activity and launch a few resources by using a visual,…
- A business analyst who is new to AWS wants to explore service dashboards and review the status of resources through a visual,…
- A company wants to define its entire AWS environment in template files that can be version controlled and reused to provision identical…
- A cloud administrator needs to execute AWS commands from a terminal on their local workstation to automate resource management tasks. The…
- A company needs to perform a one-time configuration of a small number of resources and prefers a guided, interactive experience in a web…
- Drift detection, change sets, and stack delete control a stack
CloudFormationgives three core stack controls: drift detection flags resources whose live configuration no longer matches the template (e.g., someone edited them in the console); change sets preview exactly which resources an update will add, modify, or delete before you execute it; and deleting the stack removes all its provisioned resources together in one coordinated operation.Trap Confusing change sets with drift detection, when change sets preview an update before you run it and drift detection reports out-of-band edits after they happen.
4 questions test this
- A systems administrator notices that an Amazon EC2 instance managed by AWS CloudFormation has a different security group configuration than…
- A company uses AWS CloudFormation to manage its infrastructure. A developer made configuration changes to an Amazon EC2 instance directly…
- A company deploys a complex set of related AWS resources by using AWS CloudFormation. The company now wants to remove every resource that…
- A solutions architect wants to preview the impact of proposed template modifications before updating a production CloudFormation stack. The…
Global Infrastructure
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Compute Services
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- EC2 gives the most control and the most management
Amazon EC2provides resizable virtual servers where you own the OS and stay responsible for patching, scaling, and capacity, so it trades maximum control for maximum operational work. Pick it for legacy or licensed apps, a specific operating system, or long-running stateful workloads that need low-level access.Trap Reaching for EC2 when the scenario's real goal is to minimize operational overhead. That points at a managed or serverless service instead.
- Lambda runs code with no servers to manage
AWS Lambdaruns event-driven code in response to triggers like S3 uploads, API calls, and schedules, with no servers to provision and billing only while your code executes. It is the answer whenever a scenario says "run code without managing servers" and scales automatically with the request rate.Trap Choosing
Amazon EC2for a short event-driven task whose requirement is explicitly "no servers to manage."5 questions test this
- A solutions team is comparing AWS Lambda and AWS Fargate for new workloads. Which statement correctly describes a key difference between…
- A development team wants to run code in response to file uploads in an Amazon S3 bucket without provisioning or managing any servers, and…
- A company is evaluating AWS Lambda for a new application. Which benefit does AWS Lambda provide that eliminates the need to plan for…
- A company wants to run a small script automatically every night to delete temporary records. The script runs for less than a minute, and…
- A company needs to run a data cleanup task every day at midnight. The task takes approximately 5 minutes to complete. Which combination of…
- Lambda caps a single invocation at 15 minutes
AWS Lambdacaps one invocation at 15 minutes, so anything longer-running belongs onAmazon EC2,AWS Fargate, orAWS Batch. The 15-minute ceiling is the single most-tested Lambda limit, so match the workload's runtime against it before answering.Trap Pointing a job that needs more than 15 minutes at Lambda. It will time out, not stretch.
- Fargate runs containers without managing servers
AWS Fargateis a serverless, pay-as-you-go compute engine that runsAmazon ECSorAmazon EKStasks without you provisioning, patching, or scaling EC2 hosts. Pick it for "run containers but don't manage the underlying servers," paying only for the resources each task uses.Trap Selecting the EC2 launch type for containers when the scenario explicitly says the team should not manage the underlying instances.
8 questions test this
- A startup company wants to run containerized applications on AWS without managing the underlying infrastructure. The company prefers the…
- A retailer runs a long-running containerized backend service that must stay available continuously to handle customer requests. The…
- A solutions team is comparing AWS Lambda and AWS Fargate for new workloads. Which statement correctly describes a key difference between…
- A company is evaluating container orchestration options on AWS. The company wants to use a single serverless compute engine that works with…
- A company is migrating containerized applications to AWS and wants to use AWS Fargate. The architecture team needs to understand which…
- A company is evaluating container orchestration services on AWS. The team needs to run containers using either Amazon ECS or Amazon EKS…
- A startup company is running microservices on AWS Fargate with Amazon ECS. The company wants to understand how they will be charged for…
- A company is migrating a legacy .NET Framework application to AWS. The application runs in Windows containers and the company wants to…
- ECS is AWS-native orchestration; EKS is managed Kubernetes
Amazon ECSis AWS's own container orchestrator, whileAmazon EKSis managed, conformant Kubernetes for teams already standardized on Kubernetes tooling. Choose EKS when the scenario stresses existing Kubernetes skills or portability; choose ECS for a generic "run containers on AWS" with less Kubernetes overhead.Trap Picking
Amazon EKSwhen no Kubernetes requirement exists. It adds Kubernetes complexity that plainAmazon ECSavoids.13 questions test this
- A media company plans to run the same containerized applications on AWS and on other cloud providers, and it wants to avoid reconfiguring…
- A company is migrating its containerized applications to AWS. The development team has extensive experience with Kubernetes and wants to…
- A startup wants to run containerized applications on AWS with the simplest possible AWS-native experience. The team has no Kubernetes…
- A company is migrating from an on-premises environment and has development teams experienced with Kubernetes. The teams want to continue…
- A company is migrating containerized applications to AWS and wants to use AWS Fargate. The architecture team needs to understand which…
- A development team uses Kubernetes-native tools such as kubectl and Helm charts to manage its applications and wants AWS to operate the…
- A company runs several long-running containerized microservices that must be scheduled, placed, and managed together as a cluster on AWS.…
- A development team has existing Kubernetes workloads and wants to migrate them to AWS while continuing to use standard Kubernetes tools and…
- A company is forming a new platform team whose engineers are all certified in Kubernetes. The company wants to run containers on AWS in a…
- A startup wants to run its containerized microservices on AWS by using a fully managed, AWS-native container orchestration service. The…
- An enterprise has a corporate governance policy that requires all teams to use Kubernetes-conformant orchestration so that workloads stay…
- A development team wants to package an application together with all of its dependencies so that the workload runs consistently across the…
- An enterprise has decided to standardize on Kubernetes across all of its application teams and wants AWS to run a highly available, managed…
- ECR stores and versions container images
Amazon Elastic Container Registry (ECR)is a managed registry that stores, versions, and shares the container images thatAmazon ECS,Amazon EKS, andAWS Lambdapull at deploy time. It supports private repositories with IAM-based access control.Trap Confusing
Amazon ECR, which stores the container images, withAmazon ECS, which runs them: the registry holds images while the orchestrator schedules the running containers.- Auto Scaling is elasticity made automatic
Amazon EC2 Auto Scalinglaunches instances when demand rises and terminates them when it falls, keeping capacity matched to load between a minimum, desired, and maximum size. This automatic add-and-remove behavior is the exam-level definition of cloud elasticity.Trap Equating elasticity with high availability. Spreading across Availability Zones is the HA mechanism, while elasticity is scaling capacity to demand.
4 questions test this
- A company is designing a web tier that must spread incoming user traffic evenly across Amazon EC2 instances and also adjust the number of…
- A company wants its application to benefit from cloud elasticity by automatically adding Amazon EC2 capacity when demand rises and removing…
- A company operates a retail application on Amazon EC2 instances and runs a major promotional sale at the same scheduled time every week.…
- A company runs a web application on a fleet of Amazon EC2 instances. Traffic to the application surges during business hours and drops…
- ELB spreads traffic across healthy targets
Elastic Load Balancing(ELB) automatically distributes incoming traffic across multiple targets in one or more Availability Zones, runs health checks, and routes only to healthy targets so one failed instance doesn't take the app down. It also scales its own capacity as traffic changes.Trap Confusing
Elastic Load BalancingwithAmazon Route 53for spreading traffic: ELB balances requests across targets within and across Availability Zones, while Route 53 does routing at the DNS level.3 questions test this
- A company is designing a web tier that must spread incoming user traffic evenly across Amazon EC2 instances and also adjust the number of…
- A company is deploying a critical web application on AWS and wants to ensure the application remains available if a data center experiences…
- A web application runs on several Amazon EC2 instances in a single AWS Region. The company wants to spread incoming user requests evenly…
- Auto Scaling plus ELB is the HA pattern
Pairing
Amazon EC2 Auto ScalingwithElastic Load Balancingkeeps the right number of healthy instances running and spreads traffic across them and across Availability Zones: the canonical AWS pattern for high availability and cost-efficiency under changing load. Auto Scaling adjusts the count; ELB distributes the traffic.Trap Assuming a load balancer alone adds capacity. ELB only distributes traffic;
Amazon EC2 Auto Scalingis what changes the instance count.- Match the EC2 family to the workload's bottleneck
Amazon EC2instance families target resource profiles: general purpose (balanced), compute optimized (CPU-bound batch and HPC), memory optimized (large in-memory data), storage optimized (high local-disk IOPS), and accelerated computing (GPUs for ML and graphics). The exam describes a bottleneck and asks which family fits it.6 questions test this
- A media production studio needs to run frequent, CPU-bound video transcoding and large batch processing jobs that depend on…
- A media production company runs frequent video encoding and batch processing jobs that are limited by processor performance rather than…
- A company operates an in-memory database and in-memory analytics workload that must process very large data sets entirely in memory. Which…
- A company hosts a high-throughput NoSQL database that demands tens of thousands of low-latency random I/O operations per second from fast…
- A team operates a large NoSQL database that requires very high, low-latency random I/O operations per second from local instance storage.…
- A company is launching a new corporate website and a small backend database. The workload uses compute, memory, and networking resources in…
- Compute optimized fits CPU-bound work
Compute-optimized
Amazon EC2instances offer a high CPU-to-memory ratio for compute-bound workloads such as batch processing, high-performance computing, media transcoding, high-performance web servers, and machine-learning inference. Reach for this family when raw processing power, not RAM, is the constraint.Trap Choosing compute optimized for a large in-memory dataset. That RAM-bound profile wants the memory-optimized family instead.
- Memory optimized fits large in-memory data
Memory-optimized
Amazon EC2instances provide a large amount of RAM per instance for workloads that process big data sets in memory, such as in-memory and high-performance databases, in-memory caches, and real-time big-data analytics. Reach for this family when memory, not CPU, is the constraint.Trap Picking memory optimized for a CPU-bound batch or HPC job. That compute-bound profile wants compute optimized instead.
- Accelerated computing means GPU-backed instances
Accelerated-computing
Amazon EC2instances add hardware accelerators such as GPUs to handle floating-point math, graphics processing, and pattern matching far faster than CPUs alone, fitting machine-learning training and inference, graphics rendering, and scientific simulation. The hardware accelerator is the distinguishing feature.Trap Provisioning GPU-backed accelerated instances for a general-purpose web or CPU workload. You pay for accelerators the app never uses.
- Lightsail is the simple, fixed-price server
Amazon Lightsailbundles a virtual server, storage, and networking into a plan at a low, predictable monthly price: the simplest choice for a small website, blog, or simple app versus assembling rawAmazon EC2and VPC pieces yourself.Trap Reaching for
Amazon Lightsailwhen the workload needs fine-grainedAmazon EC2instance choice, advanced networking, or large-scale auto scaling.- Elastic Beanstalk runs your uploaded code for you
AWS Elastic Beanstalktakes uploaded application code and automatically provisions the EC2 instances, load balancing, auto scaling, and health monitoring to run it, while you keep full access to and control of the underlying AWS resources. It is the PaaS-style "just deploy my app" answer.Trap Assuming Elastic Beanstalk hides or locks the underlying resources. You retain full access to the EC2 instances and other AWS resources it creates.
- AWS Batch runs many batch jobs and provisions the compute
AWS Batchruns large numbers of batch computing jobs and automatically provisions the right quantity and type of compute (acrossAmazon EC2, Spot, andAWS Fargate) based on the jobs submitted. It is the answer for "run many batch jobs at scale" rather than standing up servers yourself.Trap Standing up a single
Amazon EC2server to grind through a large batch-job fleet instead of letting AWS Batch provision and scale the compute.- Less management means less low-level control
Moving from
Amazon EC2toward containers and then serverless (AWS Fargate,AWS Lambda) hands more of the stack to AWS and cuts operational overhead, but gives up low-level runtime control. The exam frames this as "reduce operational overhead" versus "need full control over the environment."Trap Choosing
Amazon EC2to "reduce operational overhead". It maximizes control but also maximizes the management you own.
Database Services
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Network Services
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Storage Services
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
AI/ML & Analytics Services
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Other In-Scope Services
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Billing, Pricing, and Support
Pricing Models
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- More commitment means a bigger discount
AWS compute pricing trades commitment for savings:
On-Demandcarries no commitment and the highest hourly rate, whileReserved InstancesandSavings Planscut up to ~72% off On-Demand for a 1- or 3-year term. Within those terms, the 3-year length and a larger upfront payment (All Upfront > Partial Upfront > No Upfront) each yield a deeper discount.Trap Assuming a No Upfront commitment earns no discount, when it still delivers the term savings just below the All Upfront and Partial Upfront tiers.
3 questions test this
- A company runs a production database on a specific Amazon EC2 instance type that must operate continuously for the next three years. The…
- A company runs a production database on Amazon EC2 that operates continuously 24 hours a day and has had steady, predictable usage for the…
- A company runs a production database on Amazon RDS for MySQL with consistent, predictable usage 24 hours a day, 7 days a week. The database…
- On-Demand is for unpredictable or short-term workloads
On-Demandbills the published per-second/per-hour rate with no upfront cost and no contract. It fits new, spiky, short-term, or unpredictable workloads where a 1- or 3-year commitment would risk paying for capacity you don't use.Trap Putting a steady, always-on production workload on On-Demand and paying full rate when a Savings Plan or Reserved Instance would cut the bill up to ~72%.
3 questions test this
- A startup company is developing a new application and needs to run EC2 instances for testing during unpredictable hours. The testing…
- A startup is launching a new web application and cannot predict how much traffic it will receive. The application must run reliably without…
- A retail company is launching a two-week marketing campaign and expects an unpredictable, short-term spike in web traffic. The company…
- A Reserved Instance is a discount, not a server
A
Reserved Instanceis a billing discount applied to matching On-Demand usage, not a physical instance you hold. The discount attaches automatically to running instances that match its attributes: instance type, Region, tenancy, and platform/OS.Trap Treating a Reserved Instance as a launched/provisioned server you must start, rather than a billing benefit applied to matching On-Demand usage.
- Standard RIs discount more; Convertible RIs can be exchanged
Standard Reserved Instancesgive the largest discount but can only be modified, never exchanged.Convertible Reserved Instancesdiscount less but can be exchanged for another Convertible RI with different attributes, the right choice when future instance needs may change.Trap Choosing a Standard RI when the instance family or size may change later. Standard RIs can't be exchanged, only Convertible ones can.
- Regional RIs give flexibility but no reserved capacity
A regional
Reserved Instancedoes not reserve capacity, but its discount carries Availability Zone flexibility (any AZ in the Region) plus instance size flexibility within the same family, the latter only on Linux/Unix with default tenancy. Reach for it when you want the discount to float across AZs and sizes rather than guarantee a launch.Trap Assuming a regional RI guarantees capacity in an AZ. It provides a discount and flexibility, but a zonal RI is what reserves capacity.
- Zonal RIs reserve capacity in one AZ
A zonal
Reserved Instancereserves capacity in one specified Availability Zone, but it has no AZ flexibility and no instance size flexibility: the discount applies only to the exact instance type and size in that AZ. Use it when a launch must be guaranteed in a particular zone.Trap Expecting a zonal RI's discount to float across Availability Zones like a regional RI, when it is pinned to the one AZ and exact instance size you specified.
- Savings Plans commit to dollars per hour, not a config
A
Savings Plancommits you to a consistent compute spend in dollars per hour for a 1- or 3-year term, and AWS applies the discount automatically to matching usage. Unlike a Reserved Instance pinned to specific instance attributes, the commitment is just a spend rate, making it the more flexible way to save up to ~72% on compute.Trap Thinking a Savings Plan locks you to a specific instance type or configuration like a Reserved Instance, when the commitment is only an hourly dollar spend.
- Compute Savings Plans are the most flexible option
Compute Savings Plansapply the discount to EC2 usage regardless of instance family, size, AZ, Region, OS, or tenancy, and they also coverAWS FargateandAWS Lambda. AWS recommends Savings Plans over Reserved Instances as the default, easiest way to save (up to ~72%) on compute.Trap Reaching for an EC2 Instance Savings Plan as the most flexible choice because it discounts more, when only the Compute Savings Plan floats across families, Regions, Fargate, and Lambda.
4 questions test this
- A company has steady compute usage spread across Amazon EC2, AWS Lambda, and AWS Fargate. The company wants a single discounted pricing…
- A company has predictable, ongoing usage of AWS Lambda and AWS Fargate and wants to lower these compute costs by making a usage commitment…
- A company wants to lower its compute costs by committing to a consistent amount of compute usage measured per hour for one year. The…
- A company wants to reduce its compute costs by committing to a consistent amount of usage measured in dollars per hour for a 1-year term.…
- EC2 Instance Savings Plans lock to a family in a Region
EC2 Instance Savings Plansgive a larger discount than Compute Savings Plans but lock you to one instance family in a chosen Region. Within that family and Region you can still vary size, OS, AZ, and tenancy, so pick it when the family and Region are stable but the discount edge matters.Trap Buying an EC2 Instance Savings Plan when you may shift instance families or Regions. It locks to one family in one Region; a Compute Savings Plan floats across both.
- RIs and Savings Plans don't cover Fargate or Lambda, only Compute SPs do
Reserved Instances and EC2 Instance Savings Plans apply to EC2 only. When savings must also span
AWS FargateorAWS Lambda, theCompute Savings Planis the one option that covers all three.Trap Buying Reserved Instances expecting them to discount Fargate or Lambda. Only a Compute Savings Plan covers those services.
3 questions test this
- A company has steady compute usage spread across Amazon EC2, AWS Lambda, and AWS Fargate. The company wants a single discounted pricing…
- A company has predictable, ongoing usage of AWS Lambda and AWS Fargate and wants to lower these compute costs by making a usage commitment…
- A company wants to reduce its compute costs by committing to a consistent amount of usage measured in dollars per hour for a 1-year term.…
- Spot Instances are cheapest but interruptible
Spot Instancesrun on spare EC2 capacity at up to ~90% off On-Demand, but AWS can reclaim them with only a two-minute interruption notice when it needs the capacity back. They suit fault-tolerant, stateless, or batch work, never a steady production database that can't survive sudden termination.Trap Running a steady-state production database on Spot. A two-minute reclaim notice can terminate it mid-write.
5 questions test this
- A startup company runs a nightly batch data processing job that can tolerate interruptions and takes approximately 4 hours to complete. The…
- A media company runs a nightly video-encoding batch job that is fault tolerant and can be stopped and resumed without affecting the final…
- A media company runs video rendering jobs that can be interrupted and restarted without impact. The jobs typically complete within 2 hours…
- A media company runs video encoding jobs that can be interrupted and resumed at any time. The jobs typically take several hours to complete…
- A startup runs batch processing jobs that can be interrupted without impacting business operations. The jobs typically complete within 2…
- Spot fits batch, CI/CD, analytics, and rendering
Spot Instancesfit interruption-tolerant work: batch processing, big-data analytics, CI/CD, rendering, and containerized jobs that can resume after a node is reclaimed. The common thread: a lost instance just reruns, so the up-to-90% discount comes at no real cost.5 questions test this
- A startup company runs a nightly batch data processing job that can tolerate interruptions and takes approximately 4 hours to complete. The…
- A media company runs a nightly video-encoding batch job that is fault tolerant and can be stopped and resumed without affecting the final…
- A media company runs video rendering jobs that can be interrupted and restarted without impact. The jobs typically complete within 2 hours…
- A media company runs video encoding jobs that can be interrupted and resumed at any time. The jobs typically take several hours to complete…
- A startup runs batch processing jobs that can be interrupted without impacting business operations. The jobs typically complete within 2…
- Dedicated Host vs Dedicated Instance: visibility into hardware
A
Dedicated Hostis a whole physical server dedicated to you, with visibility into its sockets and physical cores, enabling per-socket/per-core bring-your-own-license reuse and host affinity. ADedicated Instancealso runs on single-tenant hardware for your account but bills per instance and gives no socket/core or host-level visibility.Trap Choosing a Dedicated Instance for per-socket/per-core BYOL. Only a Dedicated Host exposes socket and core counts for that licensing.
3 questions test this
- A financial firm must run software that is licensed per physical socket and per core, and it needs visibility into the number of sockets…
- A healthcare company must run certain Amazon EC2 workloads on hardware that is physically isolated from instances belonging to other AWS…
- A company must comply with a software licensing agreement that is bound to physical servers and requires visibility into the number of…
- Capacity Reservations guarantee capacity, not a discount
An
On-Demand Capacity Reservationreserves EC2 capacity in a specific Availability Zone for any duration but carries no pricing discount on its own: it bills at On-Demand rates. Combine it with a Savings Plan or a regional Reserved Instance to get both the guaranteed capacity and a discount.Trap Buying an On-Demand Capacity Reservation expecting a price cut. It guarantees capacity at On-Demand rates; pair it with a Savings Plan or regional RI for the discount.
- Reservations are shared across an Organization by default
With AWS Organizations consolidated billing, unused
Reserved InstanceandSavings Plandiscounts are shared across all member accounts by default, so a reservation bought in one account benefits matching usage elsewhere. The management account can deactivate this sharing per account from Billing preferences.Trap Assuming an RI or Savings Plan discount only benefits the account that bought it, when consolidated billing shares unused discounts across the whole Organization by default.
- Data transfer IN is free; OUT to the internet is charged
Inbound data transfer from the internet into AWS is free. Outbound data transfer to the internet is charged per GB above a 100 GB/month free allowance (aggregated across services and Regions), which makes reducing egress a primary cost-optimization lever.
Trap Budgeting for inbound data transfer charges, when transfer from the internet into AWS is free and only egress to the internet is billed.
2 questions test this
- Cross-Region and cross-AZ data transfer cost money
Data transfer between AWS Regions is charged, and data transfer between Availability Zones in the same Region is charged in both directions (typically ~$0.01/GB each way). Traffic that stays within a single AZ over private IP is generally free.
Trap Assuming cross-AZ traffic is free like same-AZ traffic. Moving data between AZs in a Region is billed in both directions.
- Pick the S3 storage class by access frequency and retrieval time
Lower S3 storage cost means accepting slower or rarer access. For millisecond access: S3 Standard (frequent), Standard-IA (about monthly), and Glacier Instant Retrieval (about quarterly, lowest-cost still-instant tier). One Zone-IA undercuts Standard-IA by storing in a single AZ, safe only for re-creatable or secondary copies. For archives that tolerate delay: Glacier Flexible Retrieval (minutes to hours; Standard ~3-5 h) and Glacier Deep Archive (Standard within 12 h, Bulk within 48 h; the lowest-cost class overall). Use Intelligent-Tiering for unknown or changing patterns: it moves objects between tiers automatically with no retrieval fees.
Trap Putting an irreplaceable primary copy in One Zone-IA to save money. Its single AZ isn't resilient to that AZ's loss; use Standard-IA for the only copy.
8 questions test this
- A company stores legal documents in Amazon S3 that must be retained for 7 years. The documents are accessed once or twice per year for…
- A media company needs to archive video content that will be accessed approximately once per quarter and requires millisecond retrieval…
- A healthcare company must retain compliance records for at least 10 years. The records are almost never accessed, and a retrieval time of…
- A company keeps a secondary copy of data in Amazon S3 while the primary copy remains in its on-premises data center. The cloud copy is…
- A hospital archives medical images that are accessed only about once per quarter, but when an image is requested it must be retrieved…
- A company stores frequently accessed data in Amazon S3 Standard but wants to reduce costs when objects become infrequently accessed. The…
- A company stores 50 TB of data in Amazon S3 Standard and has unpredictable access patterns. The company wants to reduce storage costs…
- A company keeps datasets in Amazon S3 that are accessed only about once a month, but when a request occurs the data must be available…
- Same-Region transfers and transfers into CloudFront are free
AWS charges no data-transfer fee for data moving between services in the same Region, for example S3-to-EC2 or copying between two same-Region S3 buckets (request and storage charges still apply). Data pulled from an AWS origin such as S3, an ALB, or EC2 into
Amazon CloudFrontis also free. Charges hit data going OUT to the internet and data crossing Regions or Availability Zones.Trap Expecting a data-transfer charge when CloudFront pulls from an S3 or EC2 origin, when transfer from an AWS origin into CloudFront and between same-Region services is free.
7 questions test this
- A company currently serves static assets from Amazon S3 directly to users on the internet and wants to understand which data transfer…
- A company copies a large number of objects from one Amazon S3 bucket to another Amazon S3 bucket, and both buckets are located in the same…
- A company uses Amazon CloudFront to distribute static website content that is stored in an Amazon S3 bucket used as the origin. The company…
- A startup company is building an application that stores user-generated content in Amazon S3. The application downloads approximately 500…
- A media company uses a third-party CDN while hosting video content on AWS. The solutions architect suggests switching to Amazon CloudFront.…
- A company hosts static website content in Amazon S3 and serves files directly to users across the globe. The cloud team wants to reduce…
- A company runs an application on Amazon EC2 instances that frequently read objects from an Amazon S3 bucket. Both the EC2 instances and the…
Billing & Cost Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Technical Resources & Support
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.