SAA-C03 Cheat Sheet
Design Secure Architectures
Secure Access to AWS Resources
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Give workloads an IAM role, never embedded static keys
An IAM role attached to compute hands out short-lived credentials that AWS rotates automatically, so there is nothing long-lived to leak: attach one to anything that calls AWS. Each service has its own role flavor: EC2 gets an instance profile, Lambda an execution role, ECS a task role, EKS uses IRSA, and GitHub Actions federates via OIDC
AssumeRoleWithWebIdentity. Static access keys are the fallback only when something genuinely can't assume a role, like legacy SaaS that can't do OIDC.Trap Baking long-lived access keys into an instance or your code: a permanent secret leaks once and stays compromised forever, whereas role credentials expire and rotate on their own.
3 questions test this
- A solutions architect is designing an application that runs on Amazon EC2 instances and needs to access objects in an Amazon S3 bucket…
- Within a single AWS account, a company's operators normally have read-only permissions. A few times per week they must perform a sensitive…
- A solutions architect is deploying an application on an Amazon EC2 instance. The application needs to read and write objects in an Amazon…
- 5+ humans → federate through IAM Identity Center, not IAM users
When workforce access reaches real scale, keep the identities in your existing IdP (AD, Okta, Entra, or Google) and bind them through Identity Center permission sets, assigned as
(group × account × permission set)so access stays centralized and group-managed instead of being copied into every account. AWS renamed AWS SSO to IAM Identity Center[7] in 2022, so treat both names as one service. Stand-alone IAM users and self-managed federation fragment identity across accounts instead of driving it from one source.Trap Reaching for local IAM users or Cognito to handle staff access: local IAM users only make sense for a 2-3-person startup, and Cognito User Pools are for your end-customers rather than staff, so neither will scale or centralize.
- A permission boundary caps maximum permissions, it never grants any
A permission boundary sets a ceiling on what an IAM principal can do, effective permissions are the intersection
identity Allow ∩ boundary Allow ∩ no Deny ∩ no SCP Deny, so it can only ever subtract, never add. That makes it the right tool for delegated administration: developers create their own roles while the boundary guarantees those roles can never exceed it, stoppingiam:*privilege escalation without you reviewing every role by hand.Trap Expecting a permission boundary to grant access: it only ever intersects, so an action missing from the identity policy stays denied no matter what the boundary allows.
5 questions test this
- A company wants to allow its development team to create IAM roles for their applications while preventing privilege escalation. The…
- A company wants to allow developers to create IAM roles for their applications while ensuring the roles cannot have more permissions than…
- A company wants to allow its application developers to create and manage IAM roles for their workloads. However, the security team must…
- A company is implementing a delegated administration model where different teams can create IAM roles for their applications. The security…
- A company has an IAM user with an identity-based policy that allows full access to Amazon DynamoDB. The administrator has attached a…
- Cross-account access = role with a trust policy +
sts:AssumeRole Cross-account access works by account B creating a role whose trust policy names principals in account A; A then calls
sts:AssumeRoleand receives temporary credentials, so access flows through short-lived sessions rather than shared secrets and every assume can be audited and conditioned. Harden the trust policy for the situation: addsts:ExternalIdwhen the caller is a third-party SaaS to defeat the confused deputy, and requireaws:MultiFactorAuthPresentwhen a human assumes the role.Trap Sharing access keys across accounts just to skip setting up a role: that hands out permanent credentials and loses the per-assume conditions like ExternalId and MFA that a trust policy gives you.
8 questions test this
- A security engineer needs to enable an application running in AWS account A to access an Amazon S3 bucket in AWS account B. The application…
- A company has a production AWS account and a security audit account. The security team in the audit account needs to assume a role in the…
- A company has two AWS accounts: Account A (111111111111) for production workloads and Account B (222222222222) for its security team. The…
- A third-party SaaS provider needs to access resources in a company's AWS account to perform automated cost analysis. The company's security…
- A company in AWS account A needs to allow an application running in AWS account B to write objects to an Amazon S3 bucket in account A. The…
- A company wants to allow developers in a development AWS account to assume roles in a production AWS account to access Amazon S3 buckets.…
- A company manages multiple AWS accounts using AWS Organizations. Administrators in a central security account need to assume roles in…
- A company has a development AWS account and a production AWS account in the same AWS Organizations organization. Engineers who have IAM…
- Third-party assuming your role → pin
sts:ExternalId, not just their ARN When a SaaS vendor assumes a role in your account, pin
sts:ExternalId[12] in the trust policy'sCondition: the vendor issues a unique ID for your account and your trust policy checks it on every AssumeRole, rejecting any request that doesn't carry your specific ID. This closes the confused-deputy gap. The vendor's own role is the principal, but the ExternalId proves the request was meant for your account and not another customer's.Trap Pinning only the vendor's principal ARN: it feels like enough but isn't, because another customer of that same vendor could be tricked into supplying your role ARN, the classic confused-deputy attack.
4 questions test this
- A company grants a third-party vendor access to its AWS account by creating an IAM role that the vendor can assume. The vendor provides the…
- A company is onboarding a third-party SaaS vendor to monitor its AWS infrastructure. The vendor requires cross-account access to assume an…
- A third-party SaaS provider needs to access resources in a company's AWS account to perform automated cost analysis. The company's security…
- A company is setting up cross-account access for a third-party application. The application runs in an external AWS account (444444444444)…
- SCPs only restrict member accounts; they never grant access
Service Control Policies[10] attach at an AWS Organizations root or OU and set the outer guardrail on what member accounts can do, capping every principal in those accounts. But an SCP only restricts, never permits, so it shapes the ceiling rather than opening a door. Granting actual access is still the job of identity and resource policies inside the accounts; the SCP just bounds what those policies are allowed to reach.
Trap Reaching for an SCP to let account B read a bucket in account A: that's the wrong layer, because access comes from a bucket policy in A plus a role in A that a principal in B assumes.
5 questions test this
- A company governs its multi-account environment with AWS Control Tower. A new internal compliance rule requires that a specific API action…
- A company stores audit logs in a centralized account within AWS Organizations. Security leadership wants to guarantee that no member…
- A solutions architect attaches a service control policy (SCP) to an organizational unit that explicitly allows access to several AWS…
- A company recently migrated to AWS and created several new S3 buckets. The security team wants to ensure that all buckets in the account…
- A company uses AWS Organizations to manage many member accounts. The security team must ensure that individual account administrators…
- Service needs to act on your behalf → it's a service-linked role
A service-linked role[11] is one AWS auto-creates, predefines, and manages when you enable a feature like Auto Scaling, Organizations, ECS, or Lambda@Edge, so the service has exactly the permissions it needs to act for you with no policy authoring from you. Because AWS owns the role's permissions, you can't reshape it the way you'd scope a normal role. The answer to "how does Service X act on my behalf" is usually that the SLR already exists.
Trap Hand-authoring a custom role for a feature that uses a service-linked role. AWS owns the SLR's permissions, so you can't reshape it the way you'd scope an ordinary role.
- Block IMDS SSRF by enforcing IMDSv2 (
HttpTokens=required) IMDSv2[2] requires a caller to first fetch a session token with a PUT before any metadata GET, breaking the SSRF chain where an app flaw tricks the server into reading role credentials from
169.254.169.254. A forged GET can't complete the PUT handshake. Enforce it on the launch template withHttpTokens=required, or org-wide with an SCP that denies any launch not requiring it, so no instance can quietly fall back to token-less IMDSv1.Trap Leaving IMDSv1 on just because the instance "is behind a load balancer": IMDSv1 needs no token, so any server-side request forgery in your app can reach the metadata endpoint and exfiltrate the role credentials.
- An explicit
Denyanywhere wins over everyAllow An explicit
Denyin any policy layer short-circuits the whole evaluation[13], so noAllowanywhere can override it. IAM evaluates SCP, permission boundary, identity policy, and resource policy together, and a single Deny among them ends the decision. A deny is therefore the reliable way to carve out a hard exception, and troubleshooting "why is this blocked" means hunting for the explicit Deny rather than piling on more Allows.Trap Assuming an admin with
*:*can do anything. When "Admin can't access the bucket" the cause is almost always an explicitDenyon their principal in the resource policy.- Role sessions are 1h by default, up to 12h via
MaxSessionDuration A role session defaults to 1 hour and extends through the role's
MaxSessionDuration[14], settable between 1 and 12 hours, while IAM Identity Center permission sets carry their own 1–12h duration. Short sessions are the security default because the credentials expire on their own, so you raise the cap only as far as a genuinely long-running task needs.Trap Expecting a federated session to run the full
MaxSessionDuration: it's capped by both the IdP token lifetime and the role's MaxSessionDuration, and the shorter of the two wins.- Central admin into Org accounts →
OrganizationAccountAccessRole The
OrganizationAccountAccessRoleis created automatically with full admin in any account that joins AWS Organizations[15] (whether created in or invited into the org) and it trusts the management account, so the cross-account admin path is pre-wired and a central security account simply assumes it. That removes the per-account bootstrap of hand-building a trust role each time a new account joins.Trap Hand-building a cross-account trust role in every new Org account:
OrganizationAccountAccessRoleis created automatically and already trusts the management account.- Find accidental public/cross-account grants with IAM Access Analyzer
IAM Access Analyzer[16] reasons over resource policies on S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, and Secrets Manager and flags any grant to a principal outside your account or organization, catching the "this bucket policy accidentally allows the internet" problem before an attacker does. It's free to enable per region, the systematic alternative to manual policy review that can't keep up as policies multiply.
Trap Reaching for GuardDuty or Macie to catch an over-permissive resource policy: those watch threats and data, whereas IAM Access Analyzer reasons over the policies themselves for external access.
- Grant a resource to your whole org with
aws:PrincipalOrgID The
aws:PrincipalOrgIDglobal condition key, placed in a resource policy such as a bucket policy, admits only principals whose accounts belong to the named AWS Organization, so you express "anyone in my org" once instead of enumerating account IDs. Because it matches on org membership rather than a fixed list, any account you add later is covered automatically with no policy edit.Trap Listing every account ID in the Principal element instead: that doesn't scale and silently leaves out new accounts, whereas
aws:PrincipalOrgIDgrows with the org.4 questions test this
- A company hosts a data lake in Amazon S3 and needs to restrict bucket access to only members of its AWS organization. The security team…
- A company has a centralized data lake in an S3 bucket that needs to be accessed by applications in over 100 AWS accounts within the same…
- A company has multiple AWS accounts within an AWS Organizations structure. The security team wants to configure an Amazon S3 bucket policy…
- A company is using AWS Organizations with multiple AWS accounts. The company has an S3 bucket in one account that should only be accessible…
- Cross-account S3 needs BOTH a bucket policy and an IAM policy
Cross-account S3 is authorized only by the intersection of both sides when the requesting identity and the bucket sit in different accounts: a bucket policy in the resource account granting the action to the cross-account principal, plus an identity-based policy in the requesting account allowing that principal to reach the bucket ARN. Either side alone leaves a gap, because each account independently has to consent to the access.
Trap Setting only the bucket policy (or only the IAM policy) for cross-account S3: either side alone leaves a gap, because both accounts must independently allow the access.
8 questions test this
- A company has an S3 bucket in Account A that contains financial reports. Users in Account B need to read these reports. A solutions…
- A company stores data in an Amazon S3 bucket in its own AWS account. A business partner that uses a separate AWS account must be able to…
- A company has two AWS accounts: Account A (production) and Account B (analytics). The analytics team in Account B needs read access to…
- A solutions architect is designing cross-account access for an application in Account A (account ID 111111111111) that needs to write…
- A security engineer needs to enable an application running in AWS account A to access an Amazon S3 bucket in AWS account B. The application…
- A company has two AWS accounts: Account A (111122223333) for production workloads and Account B (444455556666) for analytics. The analytics…
- A company has an S3 bucket in Account A that contains application logs. Users in Account B need read access to objects in this bucket. The…
- A solutions architect needs to grant users in a different AWS account (Account B) the ability to read objects from an S3 bucket owned by…
- Require recent MFA on a role with aws:MultiFactorAuthAge
The
aws:MultiFactorAuthAgecondition on a trust policy gates role assumption on recently re-authenticated MFA: set a NumericLessThan in seconds, where 3600 requires the MFA to be under an hour old. This puts sensitive actions behind a fresh step-up, because the condition measures how long ago the MFA happened rather than merely that it ever happened.Trap Using
aws:MultiFactorAuthPresentinstead: it only confirms MFA happened at some point in the session, not how recently, so a session authenticated hours ago still passes.
Secure Workloads and Applications
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Data Security Controls
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Encrypt compliance data both at rest and in transit
Compliance data needs protection on both legs of its life (audits like HIPAA, PCI, and GDPR require it), so encrypt at rest with SSE/
KMSand in transit with TLS, because neither covers the other. S3 already applies SSE-S3 by default since Jan 2023, so the at-rest leg is mostly handled, but in transit is on you: enforce it with a bucket policy that denies any request whereaws:SecureTransportisfalse, forcing every connection onto TLS.Trap Assuming S3's default SSE-S3 also protects data in transit: at-rest encryption says nothing about TLS; enforce the transit leg separately by denying
aws:SecureTransport=false.3 questions test this
- A company stores sensitive customer data in an S3 bucket and must ensure that all requests to the bucket use encrypted connections. The…
- A company stores sensitive financial data in an S3 bucket that must only be accessed through HTTPS connections. The security team has…
- A company requires that all data transferred to and from an S3 bucket must be encrypted in transit using TLS. The bucket stores healthcare…
- Pick a KMS key type by control and cost, lowest first
Pick the cheapest KMS key tier that still meets your control requirement, climbing only as far as you need. AWS-owned keys are free but give no visibility; AWS-managed keys are free and add a CloudTrail audit trail; customer-managed keys cost ~$1/key/month plus per-request but unlock your own key policy, cross-account sharing, and rotation control; and
CloudHSMis the most expensive, giving a dedicated single-tenant FIPS 140-2 Level 3 module. The control you require pushes you up a tier, not a default reflex.Trap Reaching for
CloudHSMfor routine encryption: it's only worth it when you genuinely need single-tenant FIPS 140-2 Level 3, otherwise it just costs more than a customer-managed key.5 questions test this
- A healthcare company requires that encryption keys used for patient data be stored in single-tenant hardware security modules (HSMs) to…
- A healthcare company must meet regulatory compliance requirements that mandate full control over encryption keys used to protect patient…
- A financial services company has regulatory requirements mandating that encryption keys must be stored in hardware security modules (HSMs)…
- A company needs to share an encrypted Amazon RDS snapshot with a partner organization in a different AWS account. The RDS database is…
- A company encrypts its Amazon EBS volumes at rest. The operations team needs to share an encrypted EBS snapshot with a separate AWS account…
- Control S3 access at the bucket level, not per object
Govern an S3 bucket with account- and bucket-level controls (Block Public Access plus default encryption) so protection applies uniformly and can't be undone object by object. Bucket-wide controls are the right altitude because they're auditable and don't drift, whereas per-object ACLs and policies multiply with object count, so they don't scale and are painful to verify across a large bucket.
Trap Securing a bucket with per-object ACLs: they're easy to misconfigure and impossible to audit at scale, which is exactly why Block Public Access exists to override them.
3 questions test this
- A security team discovers that developers have inadvertently made several S3 buckets publicly accessible through bucket policies and ACLs.…
- A company recently experienced a security incident where an S3 bucket was accidentally made public by a developer. The company wants to…
- A company recently migrated to AWS and created several new S3 buckets. The security team wants to ensure that all buckets in the account…
- Use Macie to find and classify sensitive data in S3
Macieis the managed service for discovering and classifying sensitive data (PII, PHI, financial data, credentials) in S3, using AWS-managed identifiers plus your own custom regex and routing findings throughEventBridgefor auto-remediation. It works on data already stored, scanning asynchronously, and runs ~$1/GB scanned, which is why you point it at the buckets that matter rather than sweeping the whole org blindly.Trap Expecting
Macieto be a real-time inline guard on uploads: it's an asynchronous discovery and classification job over data at rest, not an upload-path filter.12 questions test this
- A company enables Amazon Macie to perform automated sensitive data discovery and wants to implement an automated workflow that responds to…
- A company stores customer data in Amazon S3 buckets across multiple AWS accounts. The security team must discover and classify sensitive…
- A healthcare organization is using Amazon Macie to scan S3 buckets for sensitive patient data. The organization has specific internal…
- A healthcare company stores millions of objects in Amazon S3, and some objects contain personally identifiable information (PII) and…
- A company wants to implement automated remediation when Amazon Macie detects high-severity sensitive data findings in S3 buckets. The…
- A retail company is building an analytics data lake on Amazon S3 that ingests data from many sources. The security team needs a fully…
- A healthcare organization needs to detect proprietary patient record identifiers stored in Amazon S3 buckets. These identifiers follow a…
- A healthcare organization needs to configure Amazon Macie to detect custom patient identifier formats that are specific to their internal…
- A healthcare company needs to ensure compliance with HIPAA regulations by identifying protected health information (PHI) stored in Amazon…
- A company uses Amazon Macie to discover sensitive data in their S3 buckets. The security team needs to detect employee ID numbers that…
- A company has thousands of Amazon S3 buckets. The security team wants to identify which buckets are publicly accessible and also contain…
- A healthcare company stores patient records in Amazon S3 buckets across multiple AWS accounts managed by AWS Organizations. The security…
- New S3 buckets have been SSE-S3 encrypted by default since Jan 2023
Every new S3 bucket gets SSE-S3 automatically[1] since January 2023 with no action from you, and you can upgrade a bucket to SSE-KMS whenever you want tighter key control. The change is forward-looking, so buckets and objects created before 2023 may still be unencrypted: find them with the AWS Config rule
s3-bucket-server-side-encryption-enabledrather than assuming the default reached back in time.Trap Assuming the Jan-2023 default went back and encrypted old objects: it only applies to new buckets and objects, so legacy data stays unencrypted until you audit it.
- KMS automatic rotation is yearly and opt-in for customer-managed keys
Customer-managed keys rotate the underlying key material automatically once a year[18] (the 365-day default, configurable to a shorter custom period via
RotationPeriodInDays) but only after you opt in with theEnableKeyRotationAPI. It's off until you ask for it. AWS-managed keys already rotate yearly with nothing to configure. The exception is imported key material: KMS can't regenerate material it didn't create, so it never auto-rotates and you rotate it by re-importing.Trap Turning on
EnableKeyRotationand assuming imported key material rotates too. It's excluded, so it stays static until you manually re-import.- KMS deletion is never instant: a 7–30 day window you can cancel
Deleting a KMS key is never instant:
ScheduleKeyDeletion[19] starts a mandatory 7–30 day waiting period, and you canCancelKeyDeletionanytime inside it. The delay is deliberate: destroying a key makes everything it encrypted permanently unreadable, so the window is your chance to catch a mistake before it's irreversible. CloudHSM is the contrast: it lets you destroy a key immediately because you own the HSM.Trap Counting on a deleted KMS key being recoverable like a soft-deleted resource: once the window elapses it's gone for good, so
CancelKeyDeletionduring the window is your only safety net.- Macie cost scales with data, so scan once then target critical buckets
Macie charges ~$1/GB scanned plus per-object analysis, so the bill tracks how much data you point it at: steep on petabyte-scale buckets, and rescanning unchanged data adds cost without adding signal. The cost-aware pattern is one full discovery pass after a migration, then scheduled monthly scans limited to critical buckets, using
excludes[15] filters to skip large prefixes you already know are non-sensitive.Trap Running continuous org-wide Macie discovery to be thorough: rescanning the same data over and over just multiplies the per-GB cost for no new signal, so scope and schedule it instead.
3 questions test this
- A security team is configuring Amazon Macie's automated sensitive data discovery feature. The team wants to exclude S3 buckets that store…
- A company uses Amazon Macie to perform automated sensitive data discovery across their Amazon S3 environment. The company has S3 buckets…
- A solutions architect is configuring Amazon Macie to discover sensitive data across hundreds of S3 buckets containing petabytes of data.…
- Give a short-lived workload a key with a KMS grant, not a policy edit
When a short-lived workload needs key access, issue a grant[20], a temporary, programmatic permission you create with
kms:CreateGrantand retire when done, because a grant is scoped to specific operations and goes away cleanly. Editing the key policy is permanent and shared: it changes who can use the key until someone edits it back, so it's wrong for ephemeral consumers. This is exactly the mechanism AWS services like RDS encryption use, creating grants for you behind the scenes.Trap Editing the key policy for every ephemeral consumer: it permanently bloats the policy and has to be revoked by hand, whereas a grant is scoped and retirable for exactly this case.
3 questions test this
- A company uses Amazon S3 to store sensitive financial data. The security team requires that all data be encrypted using AWS KMS customer…
- A company is deploying an application that uses Amazon RDS with encryption enabled using an AWS KMS customer managed key. The application…
- A company uses a customer managed AWS KMS key to encrypt data at rest. A third-party batch processing application that runs under a…
- Lock a KMS key to one service with the kms:ViaService condition
The
kms:ViaService[21] condition in a key policy (e.g.Condition: { StringEquals: { kms:ViaService: "s3.us-east-1.amazonaws.com" } }) restricts a key so it can be used only when the request comes through that one service in that one Region. It checks which service is making the call on a principal's behalf, defending against stolen credentials being replayed against the key through some other service: a containment control that complements, not replaces, the permissions on the principal itself.Trap Assuming
kms:ViaServicerestricts which principal can use the key: it constrains the calling service and Region, not the identity, so it pairs with principal-level permissions rather than replacing them.4 questions test this
- A financial services company is implementing encryption at rest for sensitive data stored in Amazon S3. The security team requires that a…
- A company is deploying an application that uses Amazon RDS with encryption enabled using an AWS KMS customer managed key. The application…
- A company uses AWS KMS customer managed keys to encrypt data across multiple AWS services including Amazon S3, Amazon EBS, and Amazon RDS.…
- A company uses AWS KMS customer managed keys to encrypt Amazon EBS volumes. The security team wants to ensure that only the Amazon EC2…
- Use S3 Object Lock for immutable retention. Compliance mode blocks even root
S3 Object Lock provides WORM (write-once-read-many) immutability in two modes: Governance, where a privileged admin can still override the lock, and Compliance, where nobody (not even the root user) can shorten retention or delete during the window. Compliance satisfies records rules like SEC 17a-4(f), FINRA, and CFTC[22] precisely because no one can tamper with it. You apply it per object or as a bucket default retention policy, and versioning must be enabled first.
Trap Using Governance mode for a regulatory WORM requirement: a privileged admin can override it, so only Compliance mode satisfies SEC 17a-4(f)-style immutability.
- An ACM cert for CloudFront has to live in us-east-1
An ACM certificate attached to CloudFront must be requested or imported in US East (N. Virginia) / us-east-1, regardless of where your origin or users sit, because CloudFront is a global service that distributes that single us-east-1 certificate out to every edge location. A cert created in any other Region won't appear in the CloudFront console for you to select.
Trap Requesting the ACM cert in the origin's Region where your ALB or S3 bucket lives: CloudFront only sees certificates in us-east-1, so it'll never appear for you to attach.
4 questions test this
- A solutions architect is configuring an Amazon CloudFront distribution to serve content for a web application using a custom domain name.…
- A company hosts a website using Amazon CloudFront with an Application Load Balancer as the origin. The company wants to use a custom domain…
- A company is deploying a new web application that uses Amazon CloudFront as the content delivery network. The application requires HTTPS…
- A company is deploying a web application that uses Amazon CloudFront with a custom domain name. The company has requested an SSL/TLS…
- For cross-account S3 uploads, set Object Ownership to Bucket owner enforced
Setting S3 Object Ownership to Bucket owner enforced makes the bucket owner automatically own every object (even ones uploaded from another account) while ACLs are disabled entirely, so access is governed purely by bucket and IAM policies. That's the clean fix for cross-account uploads, where by default the uploading account retains ownership of its objects and leaves the bucket owner unable to read them. It's now the recommended default for new buckets for exactly this reason.
Trap Granting the bucket owner an ACL on each cross-account object instead: that's brittle per-object work, whereas Bucket owner enforced transfers ownership automatically and removes ACLs entirely.
10 questions test this
- A company has enabled S3 Object Ownership with the Bucket owner enforced setting on a bucket used for storing application logs. Partner…
- A company recently migrated to AWS and is using Amazon S3 to store application data. The company's legacy application uploads objects to S3…
- A company has an existing S3 bucket that was created before April 2023 and uses ACLs to grant read access to several external AWS accounts.…
- A company recently migrated to AWS and has multiple teams uploading objects to a shared S3 bucket from different AWS accounts within the…
- A company has an S3 bucket that receives uploads from multiple AWS accounts within the same organization. The company requires that the…
- A company has an S3 bucket that receives objects uploaded by an external partner from a different AWS account. The company wants to ensure…
- A company has an S3 bucket where multiple AWS accounts within the same AWS Organization upload data files. The bucket owner wants to ensure…
- A company in Account A wants to share an Amazon S3 bucket with users in Account B. The company uses the default S3 Object Ownership setting…
- A company allows a partner organization in a different AWS account to upload files to an S3 bucket. The company has noticed that after…
- A company has an S3 bucket that receives data uploads from multiple AWS accounts within its organization. The company wants to simplify…
- Org-level S3 Block Public Access overrides account and bucket settings
S3 Block Public Access enforced at the AWS Organizations root or OU propagates to every member account, including ones that join later, and overrides account- and bucket-level settings so a local admin can't switch it off. That central enforcement removes accidental public exposure as an option across the whole org. If one account legitimately needs a public bucket, the carve-out is made at the org by excluding that account, not by a local toggle.
Trap Telling a member-account admin to just toggle Block Public Access off locally: the org-level setting wins, so the carve-out has to happen at the organization, not the account.
7 questions test this
- A company wants to ensure that all S3 buckets across their organization cannot be made publicly accessible, even if individual bucket…
- A company has multiple AWS accounts within an AWS Organization. The security team wants to ensure that no S3 bucket in any member account…
- A security audit reveals that an S3 bucket has both a bucket policy that allows public read access and S3 Block Public Access enabled at…
- A company has enabled S3 Block Public Access at the organization level through AWS Organizations. A developer in one of the member accounts…
- A company wants to ensure that no S3 buckets across all AWS accounts in its organization can be made publicly accessible. The security team…
- A company uses Amazon S3 to store sensitive data. The company's security policy requires that all S3 buckets must never allow public access…
- A solutions architect is configuring security controls for S3 buckets across multiple AWS accounts within an AWS Organization. The…
- On high-traffic SSE-KMS buckets, enable S3 Bucket Keys to cut KMS costs ~99%
On a high-traffic SSE-KMS bucket, enable S3 Bucket Keys: KMS hands S3 a short-lived bucket-level key from which S3 derives the per-object data keys itself, collapsing many per-object KMS calls into far fewer, cutting KMS request charges by up to ~99%. There's no security trade-off, because every object is still encrypted under your customer managed key; you've only changed how often S3 has to call KMS.
Trap Switching from SSE-KMS to SSE-S3 just to dodge per-request KMS charges: that throws away the customer-managed-key control, whereas Bucket Keys cut the cost while keeping the CMK.
6 questions test this
- A company stores sensitive data in an S3 bucket encrypted with SSE-KMS using a customer managed key. The bucket receives millions of PUT…
- A solutions architect needs to reduce AWS KMS costs for an Amazon S3 bucket that stores millions of objects encrypted with SSE-KMS. The…
- A solutions architect must configure default encryption for an Amazon S3 bucket using SSE-KMS with a customer managed key. The bucket will…
- A company is experiencing high AWS KMS costs due to a large volume of S3 GET and PUT requests on buckets encrypted with SSE-KMS using…
- A company is migrating workloads to AWS and plans to store data in Amazon S3 using server-side encryption with AWS KMS customer managed…
- A company uses Amazon S3 with SSE-KMS encryption for its data lake. The data lake contains billions of objects that are frequently accessed…
- Cross-account KMS access needs both a key policy and an IAM policy
Cross-account use of a customer managed KMS key takes consent from both sides: the key policy in the owning account must grant the external account or principal, and an IAM policy in the external account must allow those principals to use that specific key ARN. The key policy decides who may have access and the IAM policy decides who actually does. Both have to line up, so neither alone authorizes the call.
Trap Setting only the key policy as you would for same-account access. Cross-account principals also need an explicit IAM allow on the key ARN, or the call still fails.
8 questions test this
- A company has two AWS accounts: Account A (111122223333) for production workloads and Account B (444455556666) for analytics. The analytics…
- A company is configuring cross-account access to an AWS KMS customer managed key. The key exists in Account A and must be used by an…
- A company has an S3 bucket that stores sensitive financial data encrypted with SSE-KMS using a customer managed key. A partner company in a…
- A company needs to allow an application running in Account B to decrypt data that was encrypted using a customer managed key stored in…
- A company has multiple AWS accounts managed through AWS Organizations. A central security account contains customer managed AWS KMS keys…
- A company uses AWS KMS customer managed keys to encrypt data stored in Amazon S3 buckets. A development team in a different AWS account…
- A company uses Amazon EBS volumes encrypted with customer managed KMS keys for its production EC2 instances. The company wants to share…
- A company manages secrets in a centralized AWS account and needs to share database credentials with applications running in multiple…
- Changing default encryption doesn't touch existing objects: re-encrypt with S3 Batch Operations
Updating a bucket's default encryption is forward-looking only: it applies to newly uploaded objects while everything already stored keeps its original encryption, so flipping the setting alone never re-keys old data. To re-encrypt objects already in the bucket (even billions) under a new SSE-KMS customer managed key, run S3 Batch Operations with the Copy operation, copying objects back into the same bucket with the new encryption, which rewrites each object under the new key.
Trap Assuming flipping the bucket's default encryption re-encrypts what's already stored: it's forward-looking only, so old objects stay on the old key until you copy them.
4 questions test this
- A company has an existing S3 bucket containing millions of objects encrypted with SSE-S3. Due to new compliance requirements, the company…
- A company changed its S3 bucket default encryption from SSE-S3 to SSE-KMS with a customer managed key for compliance requirements. The…
- A company recently configured an S3 bucket to use SSE-KMS with a customer managed key as the default encryption. The bucket already…
- A company is migrating an existing S3 bucket from SSE-S3 to SSE-KMS encryption with a customer managed key to meet new compliance…
- KMS keys are Regional, so cross-Region replicas need a key in the target Region
A KMS key is a Regional resource and can't be invoked from another Region, so any cross-Region encrypted copy needs its own key in the destination Region. An encrypted cross-Region RDS read replica must be given a customer managed (or AWS managed) key that exists in the target Region, and an S3 bucket can only use a same-Region KMS key for SSE-KMS. The encryption key always has to be local to the data.
Trap Pointing the destination Region at the source key's ARN: KMS won't resolve it across Regions, so the replica creation fails until a key exists locally.
4 questions test this
- A solutions architect is implementing encryption at rest for Amazon RDS databases in a multi-Region disaster recovery architecture. The…
- A company operates an Amazon RDS for MySQL database in the us-east-1 Region encrypted with a customer managed AWS KMS key. The company…
- A company has configured an Amazon S3 bucket in the us-east-1 Region with SSE-KMS using a customer managed key. A solutions architect…
- A company is setting up an Amazon RDS for MySQL database with a read replica in a different AWS Region for disaster recovery. The primary…
- Run org-wide Macie from a delegated security account, not the management account
In AWS Organizations the management account designates a dedicated security account as the Macie delegated administrator, and that account is where you enable Macie across members, run org-wide discovery jobs, and aggregate findings centrally. Delegating this out of the management account keeps day-to-day security operations (and their blast radius) away from the most privileged account in the org. Automated sensitive data discovery then samples objects to score each bucket's sensitivity cost-efficiently.
Trap Operating Macie straight from the Organizations management account: AWS guidance is to delegate to a separate security account to limit management-account exposure and blast radius.
6 questions test this
- A solutions architect is setting up Amazon Macie for a large enterprise with over 200 AWS accounts managed through AWS Organizations. The…
- A company stores customer data in Amazon S3 buckets across multiple AWS accounts. The security team must discover and classify sensitive…
- A company stores customer data in Amazon S3 buckets across multiple AWS accounts in an AWS Organizations structure. The security team needs…
- A media company has enabled Amazon Macie to monitor sensitive data across their Amazon S3 environment. They want to continuously evaluate…
- A company stores customer data across hundreds of Amazon S3 buckets in multiple AWS accounts managed by AWS Organizations. The security…
- A company is deploying Amazon Macie across an AWS Organizations structure with 50 member accounts. The security operations team in the…
- For CloudFront HTTPS with a custom cert, use free SNI SSL, not Dedicated IP
For CloudFront HTTPS with your custom certificate, use SNI (Server Name Indication) SSL, which lets one IP present the right cert per hostname and carries no extra monthly charge. Every browser released after 2010 supports it, so it's the right default for essentially all modern traffic. Dedicated IP SSL exists only for the rare legacy client that can't do SNI, and it adds a per-distribution monthly fee, so you pick it for compatibility, never for robustness.
Trap Picking Dedicated IP SSL to look more robust: it just adds per-distribution monthly cost, whereas SNI is the default and works for every modern browser.
6 questions test this
- A company is configuring a CloudFront distribution with a custom domain name and needs to enable HTTPS using an ACM certificate. The…
- A company is configuring Amazon CloudFront with a custom SSL/TLS certificate for alternate domain names. The company wants to minimize…
- A media company operates a CloudFront distribution serving video content over HTTPS. The company wants to enforce TLS 1.2 as the minimum…
- A company has an Amazon CloudFront distribution with a custom domain name and an ACM certificate. The company wants to enforce HTTPS…
- A solutions architect is configuring an Amazon CloudFront distribution with a custom SSL/TLS certificate from AWS Certificate Manager…
- A company is configuring Amazon CloudFront to use a custom domain name with HTTPS. The solutions architect needs to choose between SNI…
- To encrypt CloudFront-to-origin, set Origin Protocol Policy to HTTPS Only with min TLS 1.2
To encrypt the leg between CloudFront and a custom origin, set the Origin Protocol Policy to HTTPS Only with a minimum origin SSL protocol of TLSv1.2, forcing every origin fetch onto modern TLS. Once HTTPS Only is on, CloudFront validates the origin's certificate and returns HTTP 502 (Bad Gateway) if it's self-signed or otherwise untrusted, so the origin must present a certificate signed by a trusted CA for the connection to succeed.
Trap Leaving a self-signed cert on the origin under HTTPS Only and then blaming the 502 on CloudFront. CloudFront refuses untrusted origin certs, so it needs a CA-signed certificate.
3 questions test this
- A company uses Amazon CloudFront to deliver content from an Application Load Balancer origin. The security team requires that all…
- A company wants to ensure encrypted communication between Amazon CloudFront and its custom origin server running on Amazon EC2 instances…
- A company is deploying an Amazon CloudFront distribution with a custom origin server running on Amazon EC2. The company needs to enforce…
- SSE-KMS needs kms:GenerateDataKey to upload and kms:Decrypt to download
SSE-KMS splits the two directions across two permissions: uploading makes S3 ask KMS to generate a data key, needing
kms:GenerateDataKey, while downloading makes S3 decrypt that data key, needingkms:Decrypt. An app that both reads and writes must hold both, because a policy missing either one fails only the matching S3 operation with AccessDenied while the other keeps working, which is what makes the gap confusing to diagnose.Trap Granting only
kms:Decryptjust because the app reads objects: uploads will then fail with AccessDenied, since writing SSE-KMS objects requireskms:GenerateDataKey.5 questions test this
- A company needs to implement server-side encryption for sensitive data stored in Amazon S3 using AWS KMS customer managed keys. Application…
- A company stores sensitive customer data in an Amazon S3 bucket and uses server-side encryption with AWS KMS customer managed keys…
- A company stores sensitive financial data in Amazon S3 and requires strict control over encryption keys. The security team wants to use…
- A solutions architect is configuring an IAM role that will be used by an application to read and write objects to an S3 bucket encrypted…
- A company's application uploads large files to an Amazon S3 bucket using multipart upload. The bucket is configured with default encryption…
- Cross-account secret access needs a secret resource policy and the KMS key policy
Cross-account reads of a Secrets Manager secret require two grants together: a resource-based policy on the secret allowing
secretsmanager:GetSecretValue, and a policy on the encrypting KMS key allowingkms:Decrypt, because retrieving the secret means decrypting it. This is why the defaultaws/secretsmanagerkey doesn't work cross-account: its key policy is immutable and can't be edited to admit the other account, so cross-account access forces you onto a customer managed key.Trap Encrypting the secret with the default
aws/secretsmanagerkey and expecting cross-account access: its key policy can't be edited to grant the other account, so you have to use a customer managed key.4 questions test this
- A financial services company has a central security account that stores database credentials for Amazon RDS instances running in multiple…
- A security team manages secrets centrally in one AWS account. Applications running in several other AWS accounts must retrieve a shared…
- A company manages secrets in a centralized AWS account and needs to share database credentials with applications running in multiple…
- Applications running in several different AWS accounts all need to use the same set of database credentials. A solutions architect must…
- Scope a rotation Lambda's KMS decrypt to one secret with kms:EncryptionContext:SecretARN
A rotation Lambda for a secret encrypted with a customer managed key needs
kms:Decrypton that key, but granting it plainly lets it decrypt every secret sharing the key. Add a condition onkms:EncryptionContext:SecretARNand the decrypt permission is confined to the one secret it's meant to rotate: least privilege in action, since the encryption context is bound to the secret's ARN and KMS only allows the decrypt when that context matches.Trap Granting the rotation function plain
kms:Decrypton the shared key: it can then decrypt every secret encrypted with that key, so the SecretARN encryption-context condition is what confines it.- Restrict what flows through a VPC endpoint with an endpoint policy
An Interface or Gateway endpoint can carry its own endpoint policy[23] that limits which API actions and resources may pass through it, for example an S3 Gateway endpoint scoped to permit
s3:GetObjecton your buckets only and deny everything else routed through it. It's a filter on the path, not a grant of access, so it's an extra constraint evaluated alongside the principal's IAM and the bucket policy rather than replacing them.Trap Assuming an endpoint policy grants access on its own: it only filters what the endpoint permits, so the principal still needs IAM and bucket permissions, and the two are evaluated together.
Design Resilient Architectures
Scalable and Loosely Coupled Architectures
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Highly Available and Fault-Tolerant Architectures
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Multi-AZ keeps you up inside a region; Multi-Region survives losing the whole region
Multi-AZ delivers in-region high availability: you spread stateless tiers across at least 2 AZs behind a load balancer, and
RDSMulti-AZ adds a synchronous standby in another AZ that takes over in 60-120 s. Together that survives any single AZ going down without losing data. Multi-Region is a far bigger commitment, bringing real latency, cost, and replication complexity, so reach for it only when losing an entire region is actually in your threat model. Most availability requirements are satisfied by Multi-AZ; Multi-Region is for regional disaster recovery, not everyday uptime.Trap Treating Multi-AZ as disaster recovery. It covers you when one AZ goes down, not when the whole region does.
3 questions test this
- A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB). The ALB must be…
- A company operates a stateless web application on an Auto Scaling group with instances in a single Availability Zone. The company wants to…
- A company is designing a highly available web application that will run on Amazon EC2 instances behind an Application Load Balancer. The…
- Pick the cheapest DR strategy that still meets the RTO/RPO you were given
The four canonical DR strategies trade cost against recovery speed in lockstep: backup-and-restore recovers in hours and costs the least, pilot-light in minutes to hours, warm-standby in minutes, and multi-site active-active in near-zero time at the highest cost. Because faster recovery always costs more, pin down the RTO (how fast you must be back) and RPO (how much data you can lose) the requirement actually demands, then take the least expensive option that clears both. Overshooting the requirement just burns money on recovery speed nobody asked for.
Trap Reaching for active-active just because its recovery numbers are best: it's also the priciest, so it's the wrong call whenever a looser RTO/RPO would do.
- The default stateless tier is an ASG across at least 2 AZs behind an ELB with health checks
The default stateless tier is an Auto Scaling Group spread over at least 2 AZs behind an
ALBorNLB, with health checks on the target group, so an unhealthy instance is drained and automatically replaced and an AZ failure just shifts load to the survivors. The ASG's min/max/desired values set the capacity bounds, and target-tracking or step scaling policies move desired capacity in response to demand. This combination (redundancy across AZs plus self-healing plus elasticity) is the baseline almost every stateless web tier should start from.Trap Placing the Auto Scaling Group in a single AZ: spreading instances within one zone gives no protection when that AZ fails; the baseline spans at least two.
18 questions test this
- A solutions architect is designing a fault-tolerant architecture for a stateless application running on EC2 instances in an Auto Scaling…
- A company runs an application on EC2 instances in an Auto Scaling group that is attached to an Application Load Balancer target group. The…
- A company has an Auto Scaling group with EC2 instances distributed across two Availability Zones behind an Application Load Balancer. The…
- A company runs a stateless customer-facing web application on a single Amazon EC2 instance in one Availability Zone. The application stores…
- A solutions architect is designing the presentation tier of a new web application. The tier is fully stateless because all user state is…
- A company runs a web application on an Auto Scaling group of EC2 instances behind an Application Load Balancer (ALB). The group spans three…
- A company operates a critical application using Amazon EC2 instances in an Auto Scaling group. The Auto Scaling group spans three…
- A company runs a mission-critical web application on Amazon EC2 instances managed by an Auto Scaling group. An Application Load Balancer…
- A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The Auto…
- A company runs an internal, stateless web portal on two EC2 instances in two Availability Zones. One instance actively serves traffic while…
- A retailer operates a stateless web front end on Amazon EC2 instances. The instances are registered directly as targets behind an…
- A company runs a stateless ecommerce web tier on one large Amazon EC2 instance. To keep up with growth, the company has repeatedly…
- A company operates an e-commerce platform on Amazon EC2 instances in an Auto Scaling group that spans three Availability Zones. The…
- A company is launching a stateless HTTP-based web application that must remain available during the failure of any single Availability…
- A company wants to deploy a new stateless public web application that must tolerate the failure of a single Availability Zone and scale…
- A financial services company runs a critical web application on Amazon EC2 instances in an Auto Scaling group across three Availability…
- A company runs an application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. The Auto Scaling group uses…
- A startup serves a stateless HTTP web application from three EC2 instances spread across three Availability Zones. The startup uses Amazon…
- Match the Route 53 routing policy to what you're actually trying to do
Route 53offers seven routing policies, each encoding a different intent, so match the policy to what you're trying to do. Simple returns one answer; Weighted splits traffic by proportion for A/B or gradual rollout; Latency sends users to the region with the lowest response time; Failover does active/passive via a health check; Geolocation routes by the user's country (compliance or localized content); Geoproximity routes by geographic distance with a bias knob to expand or shrink a region's pull; and Multi-value does DNS-level load balancing across healthy answers. Reading the requirement for its underlying intent tells you which to pick.Trap Using Geolocation to send people to the lowest-latency region: Geolocation routes by where the user is, while Latency routing is the one that optimizes for response time.
11 questions test this
- A company runs a customer-facing application from deployments in three AWS Regions. All three deployments are active and serve live…
- A gaming company serves players from deployments in multiple AWS Regions and currently routes each player to the geographically closest…
- A software company deploys an API in two AWS Regions, one in the United States and one in Europe. Customers worldwide report inconsistent…
- A company operates web servers across three Availability Zones in a single AWS Region. The company wants Route 53 to return the IP…
- A company operates a multi-region application with resources in us-east-1 and eu-west-1. During a recent outage, both the primary and…
- A company operates a global web application with resources in three AWS Regions. The company wants to implement DNS-based load balancing…
- A company operates a global application with resources in four AWS Regions. The company uses Route 53 with latency-based routing to direct…
- A financial services company must comply with data residency regulations that require users located in Germany to be served only by the…
- A company runs a fleet of web servers, each with its own public IP address, and the servers do not sit behind a load balancer. The company…
- A company is migrating its public website from an on-premises data center to AWS. The team wants to validate the AWS deployment by…
- A company operates a globally distributed application with resources in us-east-1 us-west-2 and eu-west-1. The company wants to implement…
- RDS Multi-AZ failover flips DNS over to the standby in about 60-120 s
RDS Multi-AZ automatic failover[1] repoints the database's DNS endpoint at the standby, so a client that cached the old DNS entry sees roughly 60-120 s of errors and must reconnect once its connection drops. Design clients to reconnect rather than assume the address is stable. Multi-AZ is purely an availability feature, not a scaling one: the standby is not readable while it stands by. To offload read traffic rather than survive an AZ failure, that's a separate feature, Read Replicas[13].
Trap Pointing read traffic at the Multi-AZ standby to take load off the primary: the standby serves no reads, so you need a Read Replica for that.
4 questions test this
- A company runs a production MySQL database on Amazon RDS. The database experiences heavy read traffic during business hours and requires…
- A solutions architect finds that a team created a read replica of an Amazon RDS for MariaDB instance expecting it to take over…
- A company runs a production MySQL database on Amazon RDS with Multi-AZ deployment in a single AWS Region. The company's Java application is…
- A financial services company runs a transactional application that uses a single-AZ Amazon RDS for PostgreSQL DB instance. The business…
- For cross-region RPO under a second, use Aurora Global Database
When you need cross-region RPO under a second, reach for Aurora Global Database[2]: it replicates from a primary region to secondaries over a dedicated, purpose-built network, which is why RPO is typically under a second and failover RTO is around a minute via managed promotion. Secondary regions are read-only, good for serving low-latency reads close to users, but any one can be promoted to a writer when you need to fail the whole workload over. That managed, sub-second cross-region replication is a large step up from hand-wiring cross-region read replicas yourself.
Trap Hand-wiring cross-region read replicas for sub-second cross-region RPO: they lag more and lack the one-click managed promotion Aurora Global Database is built for.
- Route 53 health checks default to a 30 s interval and 3 failures before unhealthy
Route 53 health checks default to a 30 s interval[14] with both the healthy and unhealthy thresholds at 3, so by default an endpoint must fail three consecutive checks before Route 53 marks it unhealthy and stops returning it. To fail over faster you can drop to a 10 s interval, which costs extra, and 'calculated' health checks combine several endpoint checks with AND/OR logic for a more nuanced healthy condition. Tune the interval and thresholds to balance failover speed against false positives from a single transient blip.
5 questions test this
- A company uses Amazon Route 53 to manage DNS for a multi-tier application deployed across three Availability Zones. Each tier has multiple…
- A healthcare company operates a patient portal that consists of a web application, an API layer, and a database. The company uses Amazon…
- A company has a multi-tier web application with web servers distributed across three Availability Zones. The company uses Route 53 to route…
- A financial services company runs trading applications across two AWS Regions with Application Load Balancers in each Region. The company's…
- A company operates a microservices application with five backend services distributed across multiple EC2 instances. The company wants to…
- Use the ELB health check type, not EC2, so you catch app-layer failures
ASG
HealthCheckType=EC2[15] only replaces instances the EC2 host itself flags as unhealthy. That catches hardware and hypervisor faults but not a wedged application, since a crashed app on a healthy host still passes the EC2 check. Switch toHealthCheckType=ELBand the ASG also replaces any instance that fails the load balancer's health check, catching application-layer failures like a hung process or a 500-returning endpoint. That's the setting you want in production, where 'the box is up but the app is dead' is the failure that actually hurts.Trap Leaving the ASG on the default
EC2health check expecting it to recycle instances whose app has crashed. A hung process on healthy hardware still reports healthy and never gets replaced.10 questions test this
- A solutions architect is designing a fault-tolerant architecture for a stateless application running on EC2 instances in an Auto Scaling…
- A company runs an application on EC2 instances in an Auto Scaling group that is attached to an Application Load Balancer target group. The…
- A company has an Auto Scaling group with EC2 instances distributed across two Availability Zones behind an Application Load Balancer. The…
- A company runs a web application on an Auto Scaling group of EC2 instances behind an Application Load Balancer (ALB). The group spans three…
- A company operates a critical application using Amazon EC2 instances in an Auto Scaling group. The Auto Scaling group spans three…
- A company runs a mission-critical web application on Amazon EC2 instances managed by an Auto Scaling group. An Application Load Balancer…
- A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The Auto…
- A company operates an e-commerce platform on Amazon EC2 instances in an Auto Scaling group that spans three Availability Zones. The…
- A financial services company runs a critical web application on Amazon EC2 instances in an Auto Scaling group across three Availability…
- A company runs a critical web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The Auto…
- S3 CRR replicates new objects asynchronously, filtered by prefix or tag
S3 Cross-Region Replication copies new objects[4] from the source bucket to a destination bucket in another region asynchronously, usually within seconds, and you can scope it to just the objects matching a prefix or tag instead of the whole bucket. Versioning must be enabled on both buckets because replication tracks object versions. The key limitation is that CRR is forward-looking only: it acts on objects written after you turn it on, so anything that already existed needs a one-time S3 Batch Replication job to backfill.
Trap Assuming objects that were already there before you enabled CRR get copied: replication only touches objects written afterward, so the older ones need S3 Batch Replication.
8 questions test this
- A company has been using Amazon S3 Cross-Region Replication to replicate data from us-west-2 to eu-central-1 for several months. The…
- A company stores product images in an Amazon S3 bucket in the us-east-1 Region. The company is launching a service in Europe and wants…
- A company has been using Amazon S3 for several years and recently enabled S3 Cross-Region Replication on an existing bucket containing 5 TB…
- A company stores critical financial data in an Amazon S3 bucket in the us-east-1 Region. The company must replicate this data to a bucket…
- A company stores critical application data in an Amazon S3 bucket in the us-east-1 Region. The company needs to implement a disaster…
- A healthcare company stores patient records in an Amazon S3 bucket in us-east-1. The company's compliance team requires that a copy of all…
- A multinational company uses Amazon S3 Multi-Region Access Points to serve content from buckets in us-east-1 and eu-west-1. The company…
- A company has configured S3 Cross-Region Replication from a source bucket in eu-west-1 to a destination bucket in us-west-2. After…
- Centralize backups across services and accounts with AWS Backup
AWS Backup centralizes backups across services and accounts: you define backup plans and resource selections[8] once and apply them across many services (
RDS,DynamoDB,EFS,EBS,FSx, Storage Gateway and more) including cross-region and cross-account copies for DR, rather than configuring backups service by service. That central plane makes consistent retention and scheduling manageable at scale. To prove compliance or guarantee immutability, Backup Audit Manager reports on policy adherence and Backup Vault Lock enforces write-once retention that even an admin can't shorten.- Route 53 failover only serves the secondary if the PRIMARY has a health check
Route 53 active/passive failover routing[16] watches a health check on the primary record: while the primary is healthy Route 53 returns it, and only when that check fails does it serve the secondary. The health check therefore has to live on the primary record, because that's the signal that tells Route 53 it's time to fail away. Leave the primary without a health check and Route 53 has nothing to react to, so it keeps returning the primary forever even when the primary is down.
Trap Attaching the health check to the secondary record and expecting failover: it has to be on the primary, or Route 53 never fails away from it.
5 questions test this
- A company runs a web application on Amazon EC2 instances behind an Application Load Balancer in the us-east-1 Region. The company wants to…
- A company runs a web application with the primary deployment in us-east-1 and a standby deployment in us-west-2 for disaster recovery. The…
- A company runs a mission-critical web application on Amazon EC2 instances behind an Application Load Balancer in the us-east-1 Region. To…
- A media streaming company has deployed its application in the us-west-2 Region with an Application Load Balancer. The company is…
- A company runs a dynamic web application on Amazon EC2 instances behind an Application Load Balancer in a single Region. The company wants…
- Set the ASG health check grace period to at least your app's startup time
The ASG health check grace period tells Auto Scaling how long to wait after a new instance reaches InService before it begins evaluating that instance's health, which exists because an app needs time to boot before it can pass checks. Set it to at least how long your application takes to start: if the grace period is shorter, the ELB health checks fail while the app is still coming up, the ASG concludes the instance is bad and terminates it, and you fall into a loop of launching and killing instances that never get a chance to go healthy. Sizing the grace period to real startup time breaks that churn.
14 questions test this
- A company deploys a web application on Amazon EC2 instances in an Auto Scaling group with an Application Load Balancer. The instances…
- A company runs an application on EC2 instances in an Auto Scaling group that is attached to an Application Load Balancer target group. The…
- A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application…
- A company is deploying a new web application using Amazon EC2 instances in an Auto Scaling group with an Application Load Balancer. The…
- A company hosts an e-commerce application on Amazon EC2 instances in an Auto Scaling group attached to an Application Load Balancer.…
- A company runs a web application on an Auto Scaling group of EC2 instances behind an Application Load Balancer (ALB). The group spans three…
- A company runs a mission-critical web application on Amazon EC2 instances managed by an Auto Scaling group. An Application Load Balancer…
- A company is deploying a new application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application…
- A company deploys a web application on EC2 instances in an Auto Scaling group across multiple Availability Zones. After deployment, new…
- A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application…
- A solutions architect is configuring an Auto Scaling group for a web application that runs behind an Application Load Balancer. The…
- A company runs a web application behind an Application Load Balancer with an Auto Scaling group spanning three Availability Zones. The…
- A company runs a three-tier web application with an Auto Scaling group of EC2 instances behind an Application Load Balancer. The Auto…
- A company is deploying an application with an Auto Scaling group behind an Application Load Balancer. The application requires a warm-up…
- Set the ALB deregistration delay to at least your longest request so targets drain cleanly
The ALB deregistration (connection-draining) delay, default 300 s, configurable from 0 to 3600 s, is how long the ALB waits before it finishes removing a target during scale-in: it immediately stops sending new requests to the removed target but holds off completing removal until the delay elapses. That window lets in-flight requests complete gracefully. Set the delay to at least your longest expected request time so long-running responses finish instead of being severed mid-flight, which would otherwise hand clients an HTTP 5xx during an ordinary scale-in or deployment.
Trap Setting the deregistration delay to 0 (or under your longest request) just to scale in faster: long in-flight requests get cut off and clients see 5xx errors.
7 questions test this
- A company runs an e-commerce application on Amazon EC2 instances in an Auto Scaling group attached to an Application Load Balancer. During…
- A company runs a web application with an Auto Scaling group behind an Application Load Balancer. The application processes long-running…
- An e-commerce company operates a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The…
- A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. During scale-in…
- A company operates a web application with variable traffic patterns. The application runs on EC2 instances in an Auto Scaling group across…
- A company has an e-commerce application running on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer.…
- A company runs an e-commerce application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. During scale-in…
- Use ALB slow start to warm up targets you've just registered
ALB slow start gradually ramps a freshly registered target's share of requests up to its full proportion over a window you choose, anywhere from 30 to 900 s, instead of hitting it with full traffic the instant it's healthy. Reach for it when an instance needs to warm up before it can perform (just-in-time cache warming, loading a large dataset into memory, or JIT compilation kicking in). During the ramp the target takes a smaller slice while it gets up to speed, so users don't pay for its cold-start latency, and once warm it joins normal balancing.
Trap Expecting connection draining (the deregistration delay) to ease a new target in: draining handles de-registration; slow start is what ramps a freshly registered target up.
7 questions test this
- A company has a web application that requires time to warm up its caches before handling production traffic at full capacity. The…
- A solutions architect is optimizing an Auto Scaling configuration for an e-commerce application. The application runs on EC2 instances…
- A company deploys a web application that requires caching of application data before it can respond to requests with optimal performance.…
- A company runs an e-commerce application on Amazon EC2 instances behind an Application Load Balancer. The instances are in an Auto Scaling…
- A company operates a Java-based application on Amazon EC2 instances behind an Application Load Balancer. The application performs JIT…
- A company deploys a new version of its web application that requires a warm-up period of 60 seconds to populate local caches before it can…
- A company is deploying an application with an Auto Scaling group behind an Application Load Balancer. The application requires a warm-up…
- ALB cross-zone load balancing is always on at the LB; you can only turn it off per target group
ALB cross-zone load balancing is always enabled at the load balancer level with no switch to disable it there. The only place you can turn it off is per target group, which overrides the LB default for that group. While it's on, every LB node spreads traffic evenly across all registered targets in every enabled AZ, so an AZ with fewer targets still gets its fair share rather than overloading its handful of instances. This even spreading is why ALB defaults it on, whereas an NLB leaves it off by default and lets you toggle it at the LB.
Trap Trying to disable cross-zone balancing at the ALB level the way you can on an NLB: for an ALB it's fixed on at the LB, and the target group is the only place you can change it.
4 questions test this
- A company runs a web application on Amazon EC2 instances in an Auto Scaling group across three Availability Zones. The instances are…
- A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are distributed across…
- A company runs a mission-critical web application behind an Application Load Balancer (ALB) deployed across three Availability Zones in a…
- A company hosts a critical application on Amazon EC2 instances in an Auto Scaling group that is attached to an Application Load Balancer…
- An NLB gives you one static IP per AZ, and you can add Elastic IPs for fixed addresses
An NLB automatically provisions one static IP per enabled AZ, and for internet-facing NLBs you can assign your own Elastic IP per AZ, giving clients fixed addresses they can allowlist in downstream firewalls. It operates at Layer 4 (TCP/UDP), delivers ultra-low latency, and preserves the client's source IP by default, which matters when the backend needs to see who's actually connecting. Choose the NLB over an ALB whenever a stable IP or raw L4 performance is the requirement, since the ALB gives you neither.
Trap Expecting an ALB to give you a static IP for firewall allowlisting: ALB IPs are dynamic, and only the NLB offers per-AZ static / Elastic IPs.
6 questions test this
- A financial services company requires a highly available architecture for a trading application that needs extremely low latency and must…
- A company is deploying a new application that requires static IP addresses for client whitelisting purposes. The application must be highly…
- A financial services company is deploying a TCP-based trading application that requires static IP addresses for firewall allowlisting by…
- A financial services company requires static IP addresses for its trading application to allow clients to whitelist specific IP addresses…
- A financial services company requires a load balancing solution for their trading application that needs static IP addresses for client…
- A company is migrating a legacy TCP-based application to AWS. The application requires that the client source IP address be preserved for…
- Latency routing plus Evaluate Target Health gives you active-active multi-region failover
Set Evaluate Target Health to Yes on latency-based records to get active-active multi-region failover: while everything's healthy every region serves its own lowest-latency traffic, and the moment a region's resources turn unhealthy Route 53 stops routing users there and they fall to the next-closest healthy region. ETH is what makes the health of the underlying resources actually drive DNS: without it, latency routing keeps sending users to the nearest region even after it's down. If you've layered latency over weighted records, turning ETH on at the top-level alias means Route 53 calls a region unhealthy only once all its underlying weighted records have failed.
Trap Leaving Evaluate Target Health off on latency records: Route 53 will keep sending users to the nearest region even after its endpoints are down.
11 questions test this
- A company has deployed identical applications on Amazon EC2 instances behind Application Load Balancers in both the us-west-2 and eu-west-1…
- A solutions architect is designing a multi-region architecture for a critical application. The primary region has weighted routing records…
- A company operates a global e-commerce platform with Application Load Balancers deployed in three AWS Regions: us-east-1, eu-west-1, and…
- A company hosts an e-commerce application across two AWS Regions in an active-active configuration. The application uses Application Load…
- A company has deployed its application in two AWS Regions with an Application Load Balancer in each region. The company wants to implement…
- A company operates an e-commerce application across two AWS Regions with Application Load Balancers in both us-west-2 and us-east-1. The…
- A company operates a global e-commerce platform deployed across three AWS Regions: us-east-1, eu-west-1, and ap-southeast-1. The company…
- A company has deployed Application Load Balancers in three AWS Regions to serve global customers. The company wants Route 53 to distribute…
- A media company serves a global audience from application deployments in several AWS Regions and wants users routed to the Region that…
- A company has an e-commerce application running on Amazon EC2 instances behind Application Load Balancers in two AWS Regions. The company…
- A company deploys its application across three AWS Regions to provide global availability. The company wants Route 53 to route users to the…
- Roll up many endpoint checks with a Route 53 calculated health check
A Route 53 calculated health check doesn't probe an endpoint itself; it watches a set of child health checks and reports healthy as long as the number of healthy children meets a threshold you define. That lets you express a quorum-style condition (stay healthy as long as at least 2 of 6 servers are up) so DNS failover fires only when a meaningful chunk of capacity is gone rather than overreacting to any single endpoint blipping out. It's the tool for turning many individual checks into one aggregate health signal.
5 questions test this
- A company uses Amazon Route 53 to manage DNS for a multi-tier application deployed across three Availability Zones. Each tier has multiple…
- A solutions architect is designing a multi-tier application that spans three AWS Regions. The application has web servers in each region,…
- A healthcare company operates a patient portal that consists of a web application, an API layer, and a database. The company uses Amazon…
- A company has a multi-tier web application with web servers distributed across three Availability Zones. The company uses Route 53 to route…
- A company operates a microservices application with five backend services distributed across multiple EC2 instances. The company wants to…
- Weighted records plus health checks already give you active-active failover
Weighted records with health checks already give you active-active failover: you don't need the dedicated Failover policy, since any routing policy other than Failover becomes active-active once you attach health checks to its records. With weighted records, Route 53 splits traffic by the configured weights while everything's healthy, then drops any record whose health check fails and redistributes its share among the remaining healthy records. A record set to weight zero acts as a pure standby: it receives no traffic until every nonzero-weight record has gone unhealthy, at which point Route 53 falls back to it.
Trap Assuming you need the Failover policy to get failover: any non-Failover policy with health checks attached already drops unhealthy records on its own.
5 questions test this
- A solutions architect needs to design a highly available architecture for a global application. The application runs in two AWS Regions…
- A company operates a global e-commerce platform with deployments in us-east-1 and eu-west-1. The solutions architect needs to implement a…
- A solutions architect is designing a multi-region architecture with Amazon Route 53 health checks. The application runs on EC2 instances in…
- A company wants to implement a standby architecture using Amazon Route 53 weighted records. The primary resources should receive all…
- A company is designing an active-active architecture for its web application across us-east-1 and us-west-2 Regions. Both Regions should…
- Multi-tier DNS: latency alias to pick the region, weighted records within it
Multi-tier DNS nests routing policies for multi-region: latency alias records at the top choose the best region for each user, and each points at weighted records inside that region to spread traffic across local resources. Turn on Evaluate Target Health at the latency alias and health cascades up the tree: Route 53 counts a region healthy only when at least one of its weighted children is healthy, so a region with all children down is removed from latency routing automatically. Layering the policies this way optimizes region choice and in-region distribution at once.
Trap Leaving Evaluate Target Health off the latency alias: without it health doesn't cascade, and Route 53 keeps routing users to a region whose endpoints are all down.
- Aurora failover runs through priority tiers from 0 first to 15 last
Aurora failover runs through promotion priority tiers: every Aurora Replica carries a tier from 0 to 15, and when the writer fails Aurora promotes whichever available replica holds the lowest tier number (tier 0 first, tier 15 last). Use that to control which replica becomes the new writer: give tier 0 to your preferred standby, for example one whose instance class matches the primary so capacity doesn't drop on promotion, and push replicas reserved for analytics or reporting into higher tiers so they're promoted only as a last resort. Ties at the same tier are broken by the largest instance size.
Trap Reading a higher tier number as higher priority: tier 0 is promoted first, so the biggest number is promoted last.
3 questions test this
- A company uses an Amazon Aurora PostgreSQL DB cluster with one writer instance and three Aurora Replicas across three Availability Zones.…
- A company operates an Amazon Aurora MySQL cluster with one writer instance and three reader instances distributed across three Availability…
- A company has an Amazon Aurora MySQL cluster with one primary instance and three Aurora Replicas across three Availability Zones. The…
- Copy RDS snapshots cross-region or cross-account to seed your DR
RDS automatic snapshots are pinned to the region and account where they were taken and can't be moved directly, which makes them unsuitable on their own for cross-region or cross-account DR. Manual snapshots, or copies you make of an automatic one[17], can be copied cross-region (re-encrypted with a KMS key in the destination region) or shared cross-account, and that copied snapshot is exactly what seeds a pilot-light or warm-standby environment in the recovery region. So the DR-ready artifact is always a manual or copied snapshot, never the raw automatic one.
Trap Relying on automatic snapshots for cross-region DR: they can't be copied or shared directly, so you have to make a manual snapshot or copy first.
Design High-Performing Architectures
High-Performing and Scalable Storage
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
High-Performing and Elastic Compute
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
High-Performing Databases
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Pick the database engine by access pattern, not by data model
Database engine is chosen by how the data will be queried, not by the data model it superficially resembles, because the access pattern determines performance at scale. Use relational (
RDS,Aurora) for transactions, joins, and ad-hoc queries; key-value (DynamoDB) for predictable single-item reads and writes at any scale; document (DocumentDB) for JSON-shaped data; and search (OpenSearch) for full-text. For specialized shapes the purpose-built engines win outright.Timestreamfor time-series andNeptunefor graph traversal, because they index and store the data the way those queries actually walk it.Trap Forcing every workload onto a relational engine just because the data looks like rows: full-text search, graph traversal, and at-scale key-value lookups all underperform on RDS compared to the engine built for them.
- Scale reads with replicas; scale writes with sharding
Reads and writes scale by different mechanisms, so match the fix to the bottleneck. Read replicas multiply read throughput by serving queries off copies:
RDSgives up to 15 async Read Replicas per source, and Aurora Replicas go to 15 too but with typically <100 ms lag. Yet none absorb a single write. Because the single writer still caps write throughput, you scale writes by spreading them out: designDynamoDBpartition keys for high cardinality and lean on adaptive capacity, or shard a relational workload across multiple Aurora clusters by tenant or key.Trap Adding read replicas to fix a write bottleneck: they only absorb read traffic, so the single writer still caps how fast you can write.
- Default to Aurora unless you need stock RDS Oracle/SQL Server
Aurorais the default relational choice: wire-compatible with MySQL and PostgreSQL, it replaces RDS's single-volume storage with a distributed layer that keeps 6 copies across 3 AZs, fails over in under 30 s, and offers Aurora Serverless v2 for on-demand scaling. Its storage grows automatically[11] up to 256 TiB on current engine versions (128 TiB on older ones) with no manual resize, no downtime, and no provisioning, and because you pay only for what you use, dropping a table actually shrinks billed storage. Stay on stock RDS only when you specifically need the Oracle or SQL Server engine, which Aurora doesn't run.Trap Assuming you must pre-provision Aurora storage and resize it later like classic RDS: Aurora scales storage on its own, so that capacity planning is wasted effort.
- Need microsecond DynamoDB reads → put DAX in front
DAX[15] is a managed in-memory cache purpose-built for
DynamoDB, the answer when single-digit-millisecond reads aren't fast enough: it returns cached reads in microseconds while writes pass straight through DAX to the table. It's read-through and write-through/write-around, eventually consistent by default, runs inside your VPC, and speaks the DynamoDB API itself, so your application points at DAX and the code barely changes. That API compatibility sets it apart from a generic cache, where you'd write and maintain the caching logic yourself.Trap Reaching for ElastiCache to cache DynamoDB: DAX is the DynamoDB-native cache that speaks the same API, whereas ElastiCache leaves you to manage the cache-aside pattern yourself.
7 questions test this
- A company uses Amazon DynamoDB for an e-commerce application that displays product information. The application requires microsecond…
- A financial services company is building a real-time trading application that reads frequently accessed market data from Amazon DynamoDB.…
- A financial services company is deploying a customer-facing application that requires high availability. The application uses Amazon…
- A gaming company runs a social gaming application that uses Amazon DynamoDB to store player profiles. The application experiences heavy…
- A solutions architect is designing a product catalog application that uses Amazon DynamoDB. The application has a read-heavy workload where…
- A company is building a real-time gaming leaderboard application using Amazon DynamoDB. The application needs microsecond read latency to…
- A social media company has a DynamoDB table that stores user posts. The application writes approximately 50,000 new posts per second and…
- Aurora replicas lag <100 ms (often <10 ms) via shared storage
Aurora replicas stay far fresher than RDS async replicas because of how they replicate: they read directly from the shared distributed storage layer[11] the writer already persisted to, rather than replaying a shipped binary log. Removing the log-shipping pipeline entirely puts replica lag typically under 100 ms and often under 10 ms. You can run up to 15 of them, the reader endpoint load-balances across the set, and on writer failure a replica is promoted in roughly a minute.
4 questions test this
- A financial services company runs a customer-facing application that performs frequent read operations against an Amazon Aurora MySQL…
- A solutions architect is designing a high-throughput database solution using Amazon Aurora MySQL. The application requires that read…
- A company is migrating a read-heavy e-commerce application to AWS. The application must scale to handle sudden traffic spikes during…
- A company runs a high-traffic e-commerce application that uses Amazon Aurora MySQL as its database. The application experiences…
- DynamoDB throttling → fix the partition key cardinality first
DynamoDB throttling points first at partition key cardinality, because the table spreads its throughput across physical partitions by hashing that key. Adaptive capacity[16] automatically shifts capacity toward busy partitions and absorbs mild skew, but it can't rescue a low-cardinality key that funnels traffic onto one hot partition. Fix it at the source by choosing high-cardinality keys, UUIDs, hashes, or composite keys like
tenant#item, so reads and writes fan out evenly instead of concentrating.Trap Adding a GSI to relieve a hot partition: a GSI lets you query other attributes but does nothing for hot-key writes on the base table.
- ElastiCache: default to Redis unless you only need simple multi-threaded caching
Between the two ElastiCache engines, Redis[17] is the default because it's far more than a cache: rich data structures (lists, sets, sorted sets, streams, geo, hyperloglog), plus pub/sub, persistence, replication, cluster-mode sharding, and transactions. Memcached is deliberately minimal (plain multi-threaded key-value with auto-discovery, no persistence and no replication) which gives it an edge only on simple, horizontally-scaled caching of opaque values. So pick Memcached when multi-threaded simple caching is the whole requirement, Redis for anything needing those richer capabilities.
Trap Picking Memcached when the requirement calls for persistence, replication, or sorted-set/pub-sub features. It has none of those, so it simply can't satisfy them.
17 questions test this
- A company has a gaming application that maintains real-time leaderboards showing player rankings. The application needs to sort and…
- A global e-commerce company has web applications deployed in the us-east-1 and eu-west-1 Regions. The company uses Amazon ElastiCache for…
- A solutions architect is designing a caching layer to reduce database load for a high-traffic e-commerce application. The application runs…
- A company runs a high-traffic content management system that caches rendered HTML pages. The application requires a simple, multithreaded…
- A company runs a large-scale web application that caches frequently accessed database query results. The application generates simple…
- A company is deploying a new web application on Amazon EC2 instances behind an Application Load Balancer. The application requires session…
- A company is building a real-time gaming leaderboard application that needs to store and sort player scores. The application must support…
- A company has a legacy application that performs extensive database queries to retrieve product catalog data. The application uses a…
- A company runs a real-time gaming leaderboard application that requires microsecond latency for read operations. The application uses…
- A company is building a distributed web application that runs across multiple Amazon EC2 instances behind an Application Load Balancer. The…
- A gaming company wants to add a real-time leaderboard that ranks millions of players by score. Scores change constantly, and the…
- A company is migrating a web application to AWS. The application stores user session data that must persist across application restarts.…
- A company is migrating a web application to AWS. The application stores user session data that must survive node failures to prevent users…
- A company runs a high-traffic web application that caches database query results using Amazon ElastiCache for Redis. The application…
- A company operates a multi-tier web application that experiences variable traffic patterns throughout the day. The application caches…
- A financial services company is migrating an application to AWS that requires storing user session data with strict compliance…
- A gaming company needs to implement a real-time leaderboard that tracks player scores for millions of concurrent users. The leaderboard…
- Need DynamoDB change-data-capture → enable DynamoDB Streams
DynamoDB Streams[18] is DynamoDB's built-in change-data-capture feed, the way to react to every insert, update, and delete: it captures each as an ordered, per-item sequence of stream records, with 4 view types (KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES) so you choose how much of the before/after image you receive. The usual consumer is
Lambda, which reacts to each change and fans it out downstream, and the same stream mechanism powers Global Tables' cross-region replication under the hood. Records are retained for 24 hours, which shapes how the consumer must be designed.Trap Counting on Streams as durable event storage: records expire after 24h, so a consumer that's down longer permanently loses those changes.
- Redshift joins: KEY co-locates large↔large; ALL replicates small dimensions
Redshift's distribution style decides where rows physically live across slices, and the goal is to avoid shuffling data over the network at join time. For a join between two large tables, set DISTSTYLE KEY on the shared join column in both so matching rows land on the same slice and Redshift skips redistribution. For a small, slowly-changing dimension (typically under a few million rows), use DISTSTYLE ALL to keep a full copy on every node, making joins on any column local without moving data. EVEN is the default and spreads rows blindly, so it's rarely best once you know your join patterns.
Trap Applying DISTSTYLE ALL to a large table: replicating a big table onto every node wastes storage and slows writes, so ALL is only for small dimension tables.
3 questions test this
- A company uses Amazon Redshift for its data warehouse. The analytics team reports that queries joining a large fact table (500 million…
- A company is designing an Amazon Redshift data warehouse with a 500 million row sales fact table and multiple dimension tables including a…
- A company is migrating a data warehouse to Amazon Redshift. The solutions architect is designing the table for a dimension table with…
- To benefit from Aurora Auto Scaling, connect to the reader endpoint
Aurora Auto Scaling adds and removes read replicas with demand, but those replicas only receive traffic when clients connect through the reader endpoint rather than individual instance endpoints. The reader endpoint is a managed DNS name that round-robins connections across all available readers and automatically begins including a new replica once it passes health checks, so the capacity Auto Scaling provisions actually gets used. Point read traffic there and scaling is transparent; point it at fixed instance endpoints and the new replicas sit idle.
Trap Hard-coding instance-specific endpoints: the new replicas Auto Scaling spins up then receive no traffic, which defeats the whole point of scaling.
10 questions test this
- A company runs a customer-facing application that uses an Amazon Aurora MySQL database. The application experiences unpredictable…
- A company uses an Amazon Aurora PostgreSQL cluster with Aurora Auto Scaling enabled. The Auto Scaling policy is configured with a target…
- A retail company has configured Aurora Auto Scaling for its Amazon Aurora PostgreSQL cluster with a target tracking policy based on average…
- A media streaming company has an Amazon Aurora MySQL cluster with Aurora Auto Scaling enabled. The scaling policy is configured with a…
- A company runs a read-heavy e-commerce application that uses an Amazon Aurora MySQL DB cluster. The application experiences unpredictable…
- A company is migrating a read-heavy e-commerce application to AWS. The application must scale to handle sudden traffic spikes during…
- A media streaming company operates an Amazon Aurora MySQL cluster with multiple Aurora Replicas to handle high read traffic. The company…
- A company runs a high-traffic e-commerce application that uses Amazon Aurora MySQL as its database. The application experiences…
- A solutions architect is designing a high-throughput web application that uses an Amazon Aurora PostgreSQL DB cluster. The application has…
- A company is running an e-commerce application with an Amazon Aurora MySQL cluster that experiences significant read traffic spikes during…
- "Oops, dropped a table" on Aurora MySQL → Backtrack rewinds in seconds
Aurora MySQL Backtrack[12] rewinds the existing cluster to a point up to 72 hours in the past, in seconds and without downtime, by moving the cluster back through its change records rather than restoring a backup. That makes it the fast recovery path for a logical mistake like a bad delete or accidental table drop, where the alternative (restoring from a snapshot or point-in-time) means provisioning a whole new cluster and waiting on it. Backtrack is Aurora MySQL only.
Trap Treating Backtrack like point-in-time restore: PITR provisions a separate new cluster from backups, whereas Backtrack reverts the existing cluster in place (and only on Aurora MySQL).
- Put RDS Proxy in front of RDS/Aurora for serverless connection storms
When a Lambda fleet's per-invocation connections threaten to exhaust an RDS or Aurora instance's limited connection slots, put RDS Proxy in front: a fully managed connection pool between clients and the database. It reuses a small set of warm connections, queues or sheds excess requests instead of letting them overwhelm the DB, and shortens failover by keeping client connections open while it reconnects to a healthy instance. It reads the database credentials from AWS Secrets Manager and lets clients authenticate to the proxy with IAM, so no DB password sits in the function. Reach for a bigger instance or read replicas instead only when the bottleneck is real query load, not connection churn.
Trap Assuming RDS Proxy always multiplexes: session state such as a statement larger than 16 KB or a temporary table 'pins' a connection to one client, which drops back to one-connection-per-client and erases the pooling benefit.
High-Performing and Scalable Networks
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
High-Performing Data Ingestion and Transformation
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Design Cost-Optimized Architectures
Cost-Optimized Compute
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Commit to reserved capacity when usage stays steady most of the year
When EC2, Fargate, or Lambda runs steadily for more than ~70% of a 1- or 3-year window, commit to capacity instead of paying on-demand: the reservation discount runs the whole term and reaches up to ~72% off on-demand at a 3-year all-upfront commitment, while on-demand carries no commitment but the highest per-hour rate. Use on-demand only for short-lived or unpredictable work where you'd rather pay the premium than over-commit. Reserved Instances tie the discount to a specific instance configuration, whereas Savings Plans commit you to a dollars-per-hour spend that applies across families and flexes as your fleet changes.
Trap Treating RIs and Savings Plans as interchangeable: RIs lock to a family and region, SPs trade some discount for cross-family flexibility, and an SP that overlaps your RIs just sits idle behind them.
14 questions test this
- A company runs a stable production workload using m5.xlarge instances in the us-east-1 Region. The workload is expected to run for at least…
- A company runs a large fleet of Amazon EC2 instances across multiple instance families including m5, c5, and r5 in the us-east-1 Region.…
- A company is planning to migrate workloads to AWS. The company expects its compute requirements to evolve significantly as it modernizes…
- A company runs a suite of applications across multiple AWS Regions using various EC2 instance families including m5, c5, and r5 instances.…
- A development team needs Amazon EC2 instances for a short proof-of-concept project that will last only a few weeks. Usage will be…
- A company is planning a 3-year commitment for Amazon EC2 capacity. The finance team wants to minimize the total cost over the 3-year period…
- A company runs a large fleet of Amazon EC2 instances across multiple instance families (m5, c5, r5) in several AWS Regions. The company…
- A retail company runs a customer-facing web application on Amazon EC2 instances behind an Application Load Balancer in an EC2 Auto Scaling…
- A company purchased Standard Reserved Instances for its production workloads running c5.xlarge instances. Due to application changes, the…
- A company has both Reserved Instances and Savings Plans covering its Amazon EC2 workloads. A solutions architect needs to understand how…
- A company runs steady-state production workloads on Amazon EC2 instances using the C5 instance family in a single AWS Region. The company…
- A company has multiple AWS accounts under AWS Organizations with consolidated billing enabled. The company runs steady-state Amazon EC2…
- A company uses multiple AWS accounts within AWS Organizations. The company has unpredictable workloads across accounts that use various EC2…
- A company operates an application on Amazon EC2 instances using the M5 instance family in the us-west-2 Region. The company wants to…
- Run interruption-tolerant work on EC2 Spot
EC2 Spot runs on spare capacity at up to 90% off On-Demand but can be reclaimed on a 2-minute notice, so it fits stateless, batch, big-data, and CI-fleet jobs where an interruption is survivable, and nothing that can't tolerate being reclaimed mid-task, which belongs on on-demand or reserved capacity. To minimize interruptions, set the
price-capacity-optimizedallocation strategy, the modern default, which draws from pools that are both cheap and deep.Trap Running stateful workloads on Spot without checkpointing: a reclaim mid-task loses in-flight state, so persist or checkpoint first.
- Reach for Compute Optimizer when you need right-sizing recommendations
Compute Optimizer answers "is this resource the right size?" (analyzing actual utilization to recommend a smaller instance or different family for EC2, EBS, Lambda, and ECS-on-Fargate) rather than "should I commit?". It needs enough data to judge (a Lambda function must see at least 50 invocations in 14 days to qualify) and deliberately stays out of the purchasing decision, leaving RI and Savings Plans recommendations to Trusted Advisor and Cost Explorer.
Trap Expecting Compute Optimizer to recommend RIs or Savings Plans: those purchase recommendations come from Trusted Advisor or Cost Explorer instead.
3 questions test this
- EC2 Auto Scaling mixed instances policy: OnDemandBaseCapacity setting
- A company wants to automate the identification of over-provisioned Amazon EBS volumes and receive recommendations for volume type…
- A solutions architect is reviewing AWS Compute Optimizer findings for a fleet of EC2 instances. Several instances are classified as…
- RIs apply before Savings Plans in the billing engine
The billing engine applies discounts in a fixed order each hour: RIs first against matching family/region/AZ/OS usage, then Savings Plans against the remaining eligible usage (EC2 Instance SPs apply before the broader Compute SPs, and within that, highest-discount-percentage first), then on-demand for whatever is left. That order is why a Savings Plan overlapping your RIs earns nothing: the RIs have already consumed those hours. Buy SPs to cover usage your RIs don't reach, and add RIs only for instance types whose utilization is reliably steady.
Trap Buying a fresh Compute SP that overlaps usage your RIs already cover: the RIs consume those hours first and the new SP sits idle.
- Climb the flexibility ladder: Standard RI to Convertible RI to Compute SP
Flexibility forms a ladder (Standard RI to Convertible RI to Compute SP) that trades a little discount for room to change. A Standard RI is locked to its family and can only be sold on the RI Marketplace, not swapped; a Convertible RI can be exchanged for a different family, OS, or tenancy without selling; and a Compute SP is the most flexible, covering EC2, Fargate, and Lambda across any family and region, at a slightly lower maximum discount than a deep RI commitment. Pick the lowest rung that still tolerates how much your workload will shift.
Trap Assuming a Standard RI can be exchanged like a Convertible. It can only be sold on the Marketplace, not swapped to another family.
13 questions test this
- A company runs a stable production workload using m5.xlarge instances in the us-east-1 Region. The workload is expected to run for at least…
- A company runs a large fleet of Amazon EC2 instances across multiple instance families including m5, c5, and r5 in the us-east-1 Region.…
- A company is planning to migrate workloads to AWS. The company expects its compute requirements to evolve significantly as it modernizes…
- A company runs a suite of applications across multiple AWS Regions using various EC2 instance families including m5, c5, and r5 instances.…
- A company runs a large fleet of Amazon EC2 instances across multiple instance families (m5, c5, r5) in several AWS Regions. The company…
- A company purchased 1-year Standard Reserved Instances for Amazon EC2 c5.2xlarge instances. After 6 months, the company migrated the…
- A company purchased Standard Reserved Instances for its production workloads running c5.xlarge instances. Due to application changes, the…
- A company is planning to modernize its applications by migrating from Amazon EC2 instances to containers running on AWS Fargate over the…
- A company runs steady-state production workloads on Amazon EC2 instances using the C5 instance family in a single AWS Region. The company…
- A company has multiple AWS accounts under AWS Organizations with consolidated billing enabled. The company runs steady-state Amazon EC2…
- A company wants to reduce costs for its containerized workloads running on Amazon ECS with AWS Fargate. The workloads include both…
- A company uses multiple AWS accounts within AWS Organizations. The company has unpredictable workloads across accounts that use various EC2…
- A company purchased Standard Reserved Instances 18 months ago for c4.xlarge instances. The company now wants to migrate to c6i.xlarge…
- Use
price-capacity-optimizedfor long-running Spot fleets, notlowest-price On a long-running Spot fleet the allocation strategy decides how often you get interrupted, so it matters more than shaving the last cent off the hourly rate.
lowest-price[10] minimizes cost but draws from the shallowest pools, which are reclaimed first;capacity-optimizedlaunches from the deepest, lowest-interruption pools.price-capacity-optimized, the current Fleet/ASG default, balances both, andcapacity-optimized-prioritizedhonors your priority list when HPC or ML jobs need a specific instance order.Trap Choosing
lowest-pricefor a long-running Spot fleet: the cheapest pools are reclaimed first, so you trade a small saving for far more interruptions.4 questions test this
- A company runs a fault-tolerant image processing application on Amazon EC2 instances in an Auto Scaling group. The application can tolerate…
- A company uses Amazon EC2 Auto Scaling with a mixed instances policy for a containerized microservices application. The application is…
- A company is running a stateless web application on Amazon EC2 instances behind an Application Load Balancer. The application can tolerate…
- A solutions architect is designing a cost-optimized architecture for a stateless web application that runs on Amazon EC2 instances behind…
- A low-traffic Lambda gets no Compute Optimizer recommendation
A quiet Lambda below 50 invocations in 14 days[9] gets no Compute Optimizer recommendation at all, because the service needs enough recent activity to size a function and there simply isn't enough signal. When the exam says 'Compute Optimizer cannot generate a recommendation' for a quiet function, this lookback threshold is the root cause, not anything you've misconfigured.
- Reach for Graviton when 'reduce cost' meets an unrestricted architecture
AWS Graviton (ARM64) instances[11] are AWS-designed processors delivering up to 40% better price-performance than comparable x86, so when a question says 'reduce cost' and doesn't pin the architecture, Graviton is the move. The only catch is the workload must run on ARM, which most managed services already handle (Graviton is supported across RDS, Aurora, ElastiCache, Lambda, and Fargate) so an unrestricted, managed workload has nothing holding it on x86.
Trap Reaching for Spot or Reserved Instances when the question only says 'reduce cost' on an unrestricted workload: those need interruption tolerance or a commitment, while Graviton just lowers the rate.
- Run fault-tolerant containers on Fargate Spot
Fargate Spot[12] runs tasks on spare capacity at a deep discount but can reclaim them on the same 2-minute notice as EC2 Spot, so it fits fault-tolerant containerized work like CI builds, batch jobs, and dev/test. For anything that must stay up, keep it on regular
FARGATE; the standard pattern is a mixed capacity provider holding aFARGATEbaseline for steady load and bursting the interruption-tolerant overflow ontoFARGATE_SPOT.Trap Putting always-on production tasks entirely on Fargate Spot: keep the steady baseline on
FARGATEand useFARGATE_SPOTonly for interruption-tolerant burst.3 questions test this
- A company runs a customer-facing web application on Amazon ECS with AWS Fargate. The application must maintain high availability while…
- A company runs a containerized batch processing application on Amazon ECS. The application processes non-critical data and can tolerate…
- A company wants to reduce costs for its containerized workloads running on Amazon ECS with AWS Fargate. The workloads include both…
- Get RI / SP / right-sizing tips for free from Trusted Advisor
Trusted Advisor[13] surfaces cost-optimization advice (an 'underutilized EC2 instances' check for right-sizing, plus 'RI optimization' and 'Savings Plans recommendations' once it has ~30 days of usage to learn from), and a core subset of those checks is free. Only that subset comes with Basic support; the full cost-optimization check set unlocks with a Business or Enterprise plan.
Trap Assuming every Trusted Advisor check is free: only a core subset is, and the full cost-optimization check set requires a Business or Enterprise support plan.
- Replace at-risk Spot before the 2-minute notice with Capacity Rebalancing
Capacity Rebalancing lets an Auto Scaling group act on EC2's rebalance recommendation signal (which arrives ahead of the hard 2-minute interruption notice), launching a replacement proactively while the at-risk instance is still healthy. Waiting on the 2-minute notice alone leaves no headroom because capacity may already be gone. Pair rebalancing with lifecycle hooks so in-flight requests finish draining before the old instance terminates.
Trap Relying only on the 2-minute notice for graceful drain: by then capacity may already be gone, and the earlier rebalance recommendation is what gives you headroom.
3 questions test this
- A company runs a containerized application on Amazon EC2 instances using an Auto Scaling group with a mixed instances policy. The Auto…
- A company uses Amazon EC2 Auto Scaling with a mixed instances policy for a containerized microservices application. The application is…
- A company runs a containerized web application on Amazon EC2 instances in an Auto Scaling group using a mixed instances policy with Spot…
- Use Enhanced Infrastructure Metrics for cyclical monthly or quarterly workloads
Enhanced Infrastructure Metrics is the paid Compute Optimizer add-on that extends the lookback to up to 93 days, capturing a full cyclical period and sizing for the peak. The right choice whenever billing or processing follows a monthly or quarterly rhythm. The default 14-day lookback of CloudWatch data can otherwise sample only a quiet trough of a workload that spikes monthly or quarterly and then recommend an instance that's too small.
Trap Trusting a default-lookback recommendation for a cyclical workload: 14 days can sample only a trough and recommend a too-small instance.
- Configure org-wide Compute Optimizer settings from the management account
Recommendation preferences set in the management account (approved instance families, required CPU headroom, lookback window) propagate to every member account in an AWS Organization, so you tune the policy once instead of per account. Note the coverage edges: Compute Optimizer does not rightsize Spot Instances at all, but it does cover RDS for MySQL and PostgreSQL (with Performance Insights enabled) alongside EC2, Lambda, EBS, and ECS.
Trap Expecting Spot Instance rightsizing from Compute Optimizer: it produces no recommendations for Spot, so optimize those via allocation strategy and instance flexibility instead.
3 questions test this
- A company operates hundreds of Amazon EC2 instances across multiple AWS accounts within an AWS Organization. The company's cloud operations…
- A company manages EC2 instances across multiple AWS accounts in an AWS Organization. The operations team wants to configure AWS Compute…
- A company is evaluating AWS tools to identify rightsizing opportunities for their Amazon RDS for MySQL databases that are running on…
- Use a Zonal RI, not Regional, when you need guaranteed capacity in a specific AZ
A Zonal Reserved Instance, scoped to one Availability Zone, gives both the billing discount and a capacity reservation matching the instance attributes, so instances still launch even during a peak-demand crunch in that AZ: choose it whenever guaranteed capacity in a known AZ is the requirement. A Regional Reserved Instance, by contrast, applies its billing discount flexibly across all AZs in the region but reserves no capacity, so it saves money without guaranteeing a launch slot, making it the better default when guaranteed capacity isn't required.
Trap Assuming a Regional RI guarantees a launch slot: it only discounts billing, so you need a Zonal RI (or On-Demand Capacity Reservation) to reserve actual capacity.
4 questions test this
- A company runs a mission-critical application on Amazon EC2 instances in a specific Availability Zone. The company requires guaranteed…
- A company operates mission-critical applications on Amazon EC2 in a single Availability Zone. The company requires guaranteed compute…
- A company requires guaranteed EC2 capacity in a specific Availability Zone for a mission-critical application that processes time-sensitive…
- A company runs mission-critical Amazon EC2 instances in us-east-1. The company requires guaranteed capacity in a specific Availability Zone…
Cost-Optimized Storage
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cost-Optimized Databases
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cost-Optimized Network
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.