Highest-weight domain — 30% of exam
Shared responsibility model and IAM are the most tested topics
Shared Responsibility Model
- AWS responsible FOR the cloud — hardware, data centers, managed services, global infra
- Customer responsible IN the cloud — OS patches, app security, data encryption, IAM config
- EC2: you patch the OS. RDS: AWS patches the DB engine. S3: AWS manages infra, you manage bucket policies
IAM — Identity & Access Mgmt
- Root account — use only to set up; never use daily
- IAM Users — individual identities with long-term credentials
- IAM Groups — apply policies to multiple users
- IAM Roles — temporary credentials; used by EC2, Lambda, cross-account
- IAM Policies — JSON documents defining Allow/Deny
- Principle of least privilege — grant only what's needed
- MFA — always enable on root & privileged users
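The IAM bullets above (JSON policies, least privilege, MFA) are easiest to remember with a concrete policy in front of you. The following is an added example, not part of the original notes or any AWS tool: a small Python linter that reads an identity-based policy document and flags the statements that break least privilege (wildcard actions or resources) or lack the `aws:MultiFactorAuthPresent` condition. Both sample policies, the bucket name `example-bucket`, and the helper names are constructed for illustration.

```python
import json

# Constructed sample (hypothetical): an over-broad policy, the kind the
# "least privilege" bullet warns against
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ]
})

# Constructed sample (hypothetical): scoped to two actions on one bucket,
# and only usable from an MFA-authenticated session
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ]
})


def _as_list(value):
    """IAM allows a single string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def requires_mfa(statement):
    """True if the statement carries the standard MFA condition key."""
    cond = statement.get("Condition", {})
    flag = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return str(flag).lower() == "true"


def lint_policy(policy_json, mfa_required=True):
    """Return a list of findings for an identity-based policy document.

    Only Allow statements are inspected: a Deny can only narrow access.
    Pass mfa_required=False for policies attached to roles assumed by
    services (EC2, Lambda), which cannot present MFA.
    """
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        for action in actions:
            if action.endswith(":*"):
                findings.append(f"statement {i}: service-wide wildcard {action}")
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' covers every resource")
        if mfa_required and not requires_mfa(stmt):
            findings.append(f"statement {i}: no aws:MultiFactorAuthPresent condition")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy) or "OK")
```

Run as a script it prints three findings for the broad policy and `OK` for the scoped one. The MFA check is deliberately a parameter: it fits user and group policies, where the notes say MFA belongs, but not roles used by EC2 or Lambda, whose temporary credentials never carry an MFA flag.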
Security Services — Quick Ref
- Shield — DDoS protection (Standard = free, Advanced = paid)
- WAF — Web Application Firewall; filters common HTTP exploits at the application layer
- GuardDuty — intelligent threat detection using ML
- Inspector — automated vulnerability assessment for EC2
- Macie — discovers & protects sensitive data (PII) in S3
- CloudTrail — logs all API calls; who did what, when
- Config — tracks resource config changes over time
- KMS — create & manage encryption keys
- Secrets Manager — store & rotate DB credentials, API keys
- Artifact — on-demand access to compliance reports
- Security Hub — unified security & compliance dashboard
Compliance & Governance
- AWS Artifact — download SOC reports, PCI-DSS, ISO certs
- AWS Compliance programs — HIPAA, GDPR, FedRAMP supported
- AWS Organizations — manage multiple accounts; SCPs (Service Control Policies) restrict permissions across accounts
- Control Tower — sets up & governs secure multi-account AWS environment
Largest domain — 34% of exam
Know the purpose of each service; deep technical configuration knowledge is not required
Compute Services
Key services
EC2, Lambda, Elastic Beanstalk, ECS, EKS, Fargate, Lightsail, Batch
- EC2 — virtual servers; you pick instance type (t3, m5, c5 etc.)
- EC2 Pricing: On-Demand, Reserved (1-3yr, up to 72% off), Spot (up to 90% off, can be interrupted), Savings Plans, Dedicated Host
- Lambda — serverless functions; pay per 100ms; event-driven
- Elastic Beanstalk — deploy apps without managing infra (PaaS)
- ECS/EKS — run containers; ECS = AWS's own orchestrator, EKS = managed Kubernetes
- Fargate — serverless containers; no EC2 to manage
Storage Services
- S3 — object storage; 11 9s durability; buckets are global
- S3 classes: Standard, IA, One-Zone IA, Glacier, Glacier Deep Archive
- S3 Lifecycle rules — auto-move objects between classes
- EBS — block storage attached to single EC2 instance
- EFS — elastic file system; shared across multiple EC2
- Storage Gateway — hybrid; connects on-prem to S3
- Snowball / Snowmobile — physical data transfer devices
Database Services
- RDS — managed relational DB (MySQL, Postgres, Aurora, Oracle, MSSQL)
- Aurora — AWS-native; 5× faster than MySQL, auto-scales
- DynamoDB — managed NoSQL; serverless; single-digit ms latency
- ElastiCache — in-memory cache (Redis/Memcached)
- Redshift — data warehouse; analytics at petabyte scale
- DocumentDB — managed, MongoDB-compatible document database
- Neptune — graph database
Networking
- VPC — isolated private network in AWS
- Subnets — public (internet-facing) or private
- Security Groups — stateful, instance-level firewall
- NACLs — stateless, subnet-level firewall
- Route 53 — DNS service; also does health checks & routing policies
- CloudFront — CDN; caches content at Edge locations
- Direct Connect — dedicated private connection to AWS
- VPN — encrypted tunnel over public internet
- API Gateway — create & manage RESTful APIs
- ELB — load balancer (ALB = HTTP, NLB = TCP, CLB = legacy)
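The "stateful vs stateless" distinction between Security Groups and NACLs is the one networking point the exam keeps coming back to. The following is an added example, not from the original notes and not AWS code: a Python simulation of both filters handling one HTTPS request and its reply. The addresses (203.0.113.5, 10.0.1.10), the port numbers and the class names are constructed for illustration; the Security Group is given no outbound rules on purpose, so that the reply can only pass through connection tracking.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as seen at the instance (SG) or subnet (NACL) boundary."""
    src: str
    src_port: int
    dst: str
    dst_port: int
    direction: str  # "in" (toward the instance) or "out" (leaving it)


class SecurityGroup:
    """Stateful: once a flow is admitted, its return traffic is allowed
    automatically, regardless of the rules for the opposite direction."""

    def __init__(self, inbound_ports, outbound_ports):
        self.inbound_ports = set(inbound_ports)
        self.outbound_ports = set(outbound_ports)
        self._flows = set()  # connection-tracking table

    def allows(self, pkt):
        reverse = (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)
        if reverse in self._flows:
            return True  # reply to a tracked connection
        rules = self.inbound_ports if pkt.direction == "in" else self.outbound_ports
        if pkt.dst_port in rules:
            self._flows.add((pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
            return True
        return False


class NetworkAcl:
    """Stateless: each packet is matched only against the rules for its own
    direction, in rule-number order; nothing is remembered between packets."""

    def __init__(self, inbound, outbound):
        # rules: list of (low_port, high_port, allow) in evaluation order
        self.inbound = inbound
        self.outbound = outbound

    def allows(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for low, high, allow in rules:
            if low <= pkt.dst_port <= high:
                return allow  # first matching rule wins
        return False  # implicit deny at the end of every NACL


def simulate():
    """Constructed HTTPS exchange: client 203.0.113.5 -> web server 10.0.1.10.
    Returns which packets each filter admits."""
    request = Packet("203.0.113.5", 50000, "10.0.1.10", 443, "in")
    reply = Packet("10.0.1.10", 443, "203.0.113.5", 50000, "out")

    sg = SecurityGroup(inbound_ports=[443], outbound_ports=[])
    nacl = NetworkAcl(inbound=[(443, 443, True)], outbound=[(443, 443, True)])
    # Corrected NACL: an outbound rule for the ephemeral ports clients reply on
    nacl_fixed = NetworkAcl(inbound=[(443, 443, True)],
                            outbound=[(443, 443, True), (1024, 65535, True)])

    return {
        "sg_request": sg.allows(request),
        "sg_reply": sg.allows(reply),          # True: tracked flow
        "nacl_request": nacl.allows(request),
        "nacl_reply": nacl.allows(reply),      # False: no outbound rule for port 50000
        "nacl_fixed_reply": nacl_fixed.allows(reply),
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:17} {'ALLOW' if verdict else 'DROP'}")
```

The reply is dropped by the first NACL because its destination port is the client's ephemeral port, which no outbound rule covers; the Security Group passes it without any outbound rule at all. That asymmetry is why NACL checklists always include an ephemeral-port rule in the return direction and why a real Security Group's default allow-all-outbound rule is rarely the thing that saves you.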
Monitoring & Management
- CloudWatch — metrics, logs, alarms for AWS resources
- CloudTrail — audit log of all API activity
- AWS Config — compliance & config history
- Systems Manager — manage EC2 fleet; patch, run commands
- Trusted Advisor — cost, security, performance checks
- Health Dashboard — AWS service & personal health events
- Well-Architected Tool — review workloads against pillars
Other Notable Services
- SQS — managed message queue; decouples services
- SNS — pub/sub messaging; push notifications
- EventBridge — serverless event bus
- Step Functions — orchestrate Lambda workflows
- SageMaker — build, train, deploy ML models
- Rekognition — image & video analysis (AI service)
- Comprehend — NLP, sentiment analysis
- Translate — real-time language translation
- Lex — build chatbots (powers Alexa)
- CodePipeline — CI/CD pipeline automation
- CloudFormation — IaC; template-based infra provisioning
- CDK — write infra in code (Python, TypeScript)
Smallest domain — 12% but easy marks
Know the pricing principles and support plan differences cold
AWS Pricing Principles
- Pay as you go — no upfront cost by default
- Pay less when you use more — volume discounts
- Pay less when you reserve — Reserved Instances & Savings Plans
- Free Tier — 12 months free for many services (EC2 t2.micro, S3 5GB, RDS, Lambda 1M req/mo)
- Always-free services — Lambda (1M req), DynamoDB (25GB), CloudWatch (basic)
- Data transfer IN to AWS is always free
- Data transfer OUT charges apply (varies by region)
Billing Tools
- Cost Explorer — visualize & forecast spending
- Budgets — set alerts when costs exceed threshold
- Pricing Calculator — estimate costs before deploying
- Cost & Usage Report (CUR) — most detailed billing data
- Consolidated Billing — one bill for all accounts in an Organization; volume discounts apply across accounts
- Cost Allocation Tags — tag resources for cost tracking
AWS Support Plans
| Plan | Cost | Response (critical) | Key Features |
|---|---|---|---|
| Basic | Free | — | Docs, forums, Health Dashboard |
| Developer | $29/mo | < 12 hours | Email support, 1 contact |
| Business | $100/mo | < 1 hour | 24/7 phone & chat, full Trusted Advisor, unlimited contacts |
| Enterprise | $15,000/mo | < 15 min | TAM (Technical Account Manager), Concierge, all Business features |