Roadmap, exam strategy, common traps, architecture review, and high-yield revision for AWS certifications.

| Level | Code | Focus | Prerequisite |
|---|---|---|---|
| Foundational | CLF-C02 | Cloud concepts, billing, security basics | None |
| Associate — SA | SAA-C03 | Designing distributed systems on AWS | None (recommended: 1 yr) |
| Associate — Dev | DVA-C02 | Developing & deploying on AWS | None (recommended: 1 yr) |
| Associate — SysOps | SOA-C02 | Operating & managing AWS environments | None (recommended: 1 yr) |
| Professional — SA | SAP-C02 | Advanced architecture & migration | Associate level |
| Specialty — Security | SCS-C02 | Securing AWS workloads end-to-end | Associate level |
| Specialty — ML | MLS-C01 | ML model design, tuning, deployment | Associate level |
| Specialty — Data | DPD-C01 | Data analytics pipelines on AWS | Associate level |

| Path | Progression |
|---|---|
| Cloud Practitioner | CLF-C02 → SAA-C03 → SAP-C02 |
| Developer | CLF-C02 → DVA-C02 → SAP-C02 |
| DevOps Engineer | CLF-C02 → SAA-C03 → DOP-C02 |
| SysOps | CLF-C02 → SOA-C02 → DOP-C02 |
| Solutions Architect | CLF-C02 → SAA-C03 → SAP-C02 |
| Security | CLF-C02 → SAA-C03 → SCS-C02 |
| Machine Learning | CLF-C02 → SAA-C03 → MLS-C01 |

| Service | Free Tier | Notes |
|---|---|---|
| EC2 | 750 hrs/mo (t2.micro / t3.micro) | 12 months, then partial always free |
| S3 | 5 GB storage, 20K GET / 2K PUT | Always free (first year) |
| Lambda | 1M requests + 400K GB-sec | Always free per month |
| DynamoDB | 25 GB storage, 25 RCU/25 WCU | Always free per month |
| CloudFront | 1 TB data transfer | 12 months only |
| RDS | 750 hrs (db.t2.micro) | 12 months (MySQL / PostgreSQL) |
| RDS Free Tier | 20 GB storage | 12 months |

| Domain | Weight | Key Topics |
|---|---|---|
| Domain 1: Design Secure Architectures | 24% | IAM policies, KMS, WAF, Shield, GuardDuty, encryption at rest/transit, Shared Responsibility Model |
| Domain 2: Design Resilient Architectures | 18% | Multi-AZ, Auto Scaling, ELB, Route 53, CloudFront, RTO/RPO, DR strategies |
| Domain 3: Design High-Performing Architectures | 18% | EC2 types, ElastiCache, RDS read replicas, S3 transfer acceleration, DynamoDB DAX |
| Domain 4: Design Cost-Optimized Architectures | 16% | Reserved Instances, Savings Plans, Spot Instances, S3 lifecycle, right-sizing |
| Domain 5: Operational Excellence | 14% | CloudWatch, CloudTrail, Config, Systems Manager, OpsWorks, well-architected framework |
| Domain 6: (NEW) Design for Reliability | 10% | Event-driven design, SQS/SNS/Kinesis, Step Functions, decoupling strategies |

```text
Q1: A company needs a highly available database with automatic failover
and read scaling. Which solution is MOST cost-effective?
A) RDS Multi-AZ + 3 Read Replicas
B) Aurora MySQL with 1 replica
C) DynamoDB with DAX
D) Redshift Multi-AZ
→ Answer: B (Aurora provides 5 replicas, auto-failover, 6 copies)

Q2: You need to serve static content globally with lowest latency. Which
combination provides the best performance?
A) EC2 + CloudFront
B) S3 + Route 53
C) S3 + CloudFront
D) EFS + ALB
→ Answer: C (S3 origin + CloudFront CDN = best for static content)

Q3: A web application experiences unpredictable traffic spikes. You want
to minimize cost while ensuring availability. What is the BEST approach?
A) Reserved Instances + Auto Scaling
B) Spot Instances + Lambda
C) Savings Plans + ECS
D) On-Demand + Auto Scaling
→ Answer: D (On-Demand + Auto Scaling handles spikes predictably)
```

| Category | Key Services |
|---|---|
| Compute | EC2, Lambda, ECS, EKS, Elastic Beanstalk, Fargate |
| Storage | S3, EBS, EFS, FSx, Storage Gateway |
| Database | RDS, Aurora, DynamoDB, ElastiCache, Redshift, Neptune |
| Networking | VPC, Route 53, CloudFront, ELB/ALB/NLB, Transit Gateway, Direct Connect |
| Security | IAM, KMS, WAF, Shield, GuardDuty, Inspector, Macie, Secrets Manager |
| Management | CloudWatch, CloudTrail, Config, Systems Manager, X-Ray |
| Messaging | SQS, SNS, Kinesis, EventBridge, Step Functions |

| Scenario | Recommended Pattern |
|---|---|
| Serverless web app | S3 + CloudFront + API Gateway + Lambda + DynamoDB |
| Containerized microservices | ECS Fargate + ALB + ECR + CloudWatch |
| Multi-region DR | Route 53 active-passive + S3 Cross-Region Replication |
| Batch processing | S3 + Lambda + SQS + DynamoDB (or EMR for big data) |
| Real-time analytics | Kinesis Data Streams + Kinesis Data Analytics + S3 |
| Hybrid cloud | Direct Connect / VPN + Storage Gateway + ECS Anywhere |

| Domain | Weight | Key Topics |
|---|---|---|
| Domain 1: Security | 24% | IAM roles for services, KMS envelope encryption, Secrets Manager, Cognito auth flows, signed URLs/presigned URLs |
| Domain 2: Development with AWS Services | 30% | SDK usage, API Gateway, Lambda handlers, DynamoDB operations, S3 event triggers, Step Functions |
| Domain 3: Deployment | 22% | CI/CD with CodePipeline, CodeBuild, CodeDeploy, Elastic Beanstalk, CloudFormation, SAM, blue/green deployments |
| Domain 4: Troubleshooting & Optimization | 24% | CloudWatch Logs/Metrics/Alarms, X-Ray tracing, SDK retries, dead letter queues, VPC endpoint troubleshooting |

```text
Q1: A Lambda function is failing silently. How can you capture error
details and retry failed messages?
A) Add CloudWatch Logs subscription
B) Configure a Dead Letter Queue (DLQ) with SQS
C) Enable X-Ray tracing
D) Increase Lambda timeout
→ Answer: B (DLQ captures failed invocations for later analysis/retry)

Q2: You need to deploy updates to an EC2 fleet with zero downtime.
Which service provides the easiest blue/green deployment?
A) Elastic Beanstalk
B) CodeDeploy with ALB
C) CloudFormation
D) OpsWorks
→ Answer: B (CodeDeploy supports blue/green with ALB target swapping)

Q3: Your application needs to store API keys securely. The application
runs on ECS Fargate. What is the BEST approach?
A) Store in S3 with encryption
B) Store in environment variables
C) Use AWS Secrets Manager with IAM role
D) Store in Parameter Store (plain text)
→ Answer: C (Secrets Manager auto-rotates secrets, IAM role controls access)
```

| Concept | Details |
|---|---|
| Boto3 retry logic | SDK handles exponential backoff + jitter automatically |
| Presigned URLs | Temporary signed URLs for S3 uploads/downloads without IAM |
| Envelope encryption | KMS encrypts data key → data key encrypts payload |
| Lambda layers | Shared dependencies (max 5 layers, 50 MB unzipped each) |
| Event source mapping | Lambda + SQS/SNS/Kinesis — poll-based vs push-based |
| API Gateway throttling | Default 10,000 RPS burst, 5,000 steady — use usage plans |
| Cognito flows | User pools (auth), Identity pools (AWS credentials), hosted UI |

| Service | Use Case | Rollback |
|---|---|---|
| CodePipeline | Orchestrate CI/CD across stages | Manual or auto on failure |
| CodeBuild | Build & test (managed) | N/A (build service) |
| CodeDeploy | Deploy to EC2, Lambda, ECS | Automatic rollback on alarms |
| Elastic Beanstalk | PaaS — push code, AWS manages infra | Swap CNAME to old version |
| CloudFormation | IaC — define stacks in YAML/JSON | Stack rollback on failure |
| SAM (Serverless App Model) | Lambda + API Gateway + DynamoDB IaC | CloudFormation change sets |
| CDK | Define infrastructure in TypeScript/Python | cdk deploy with rollback |

| Domain | Weight | Key Topics |
|---|---|---|
| Domain 1: Monitoring & Logging | 22% | CloudWatch metrics/logs/alarms/Events, CloudTrail, X-Ray, Logs Insights, metric filters, dashboards |
| Domain 2: Reliability | 16% | Auto Scaling groups, lifecycle hooks, ELB health checks, RTO/RPO, backup strategies |
| Domain 3: Deployment & Provisioning | 18% | CloudFormation, Elastic Beanstalk, OpsWorks, Systems Manager, AMI management, bootstrapping |
| Domain 4: Security & Compliance | 18% | IAM least privilege, KMS rotation, S3 bucket policies, Security Hub, AWS Config rules |
| Domain 5: Networking & Troubleshooting | 16% | VPC troubleshooting, NACL/SG rules, DNS resolution, VPN/Direct Connect, VPC Flow Logs |
| Domain 6: Cost Optimization | 10% | Cost Explorer, Trusted Advisor, budget alerts, Reserved/Savings Plans, right-sizing instances |

```text
Q1: An EC2 instance in a private subnet cannot reach the internet.
The VPC has an IGW attached and a route to 0.0.0.0/0. What is
the MOST likely cause?
A) Security group blocks outbound
B) NACL blocks traffic
C) No NAT Gateway in the route table
D) Route table misconfigured
→ Answer: C (Private subnets need NAT Gateway, not IGW, for egress)

Q2: CloudWatch alarm triggers but you don't receive SNS notification.
What should you check FIRST?
A) CloudWatch Logs
B) SNS topic policy
C) IAM permissions
D) SNS subscription confirmation
→ Answer: D (New SNS subscriptions require email confirmation)

Q3: You need to automate AMI updates across 50 EC2 instances with
zero downtime. Which approach is BEST?
A) Manual AMI copy + launch new instances
B) Systems Manager Automation + Auto Scaling rolling update
C) CloudFormation stack update with immutable launch template
D) EC2 Run Command + reboot
→ Answer: B or C (both are valid — SSM + ASG rolling update is common)
```

| Domain | Weight | Key Topics |
|---|---|---|
| Domain 1: Threat Detection & Incident Response | 18% | GuardDuty, Detective, CloudTrail Insights, Security Hub, automated remediation, incident response playbooks |
| Domain 2: Security Logging & Monitoring | 18% | CloudTrail (multi-region, log file validation), CloudWatch Logs, VPC Flow Logs, AWS Config, Macie (data classification) |
| Domain 3: Infrastructure Security | 20% | VPC design (security layers), NACL, SG, network firewall, WAF, Shield (DDoS), PrivateLink, VPN/Direct Connect |
| Domain 4: Identity & Access Management | 16% | IAM policies (resource-based, identity-based), roles, federation (SAML/OIDC), STS, IAM Access Analyzer, permission boundaries |
| Domain 5: Data Protection | 14% | KMS (CMK, envelope encryption), SSE-S3/SSE-KMS/SSE-C, client-side encryption, S3 Object Lock, Glacier Vault Lock |
| Domain 6: Management & Security Governance | 14% | AWS Organizations (SCPs), Control Tower, Audit Manager, Artifact (evidence), Well-Architected Security Pillar |

```text
Q1: A company needs to encrypt all S3 objects but must use
customer-managed keys with automatic rotation. Which approach?
A) SSE-S3
B) SSE-KMS with CMK (auto-rotate enabled)
C) SSE-C
D) Client-side encryption with custom key mgmt
→ Answer: B (KMS CMK supports automatic annual rotation)

Q2: You need to detect unauthorized API calls across 50 AWS accounts.
Which solution provides centralized detection with the LEAST effort?
A) CloudTrail in each account + SNS
B) GuardDuty delegated admin + Security Hub
C) AWS Config custom rules
D) VPC Flow Logs + Athena queries
→ Answer: B (GuardDuty with delegated admin aggregates threat intel)

Q3: Which IAM policy type should be attached to an S3 bucket to allow
cross-account read access?
A) Identity-based policy
B) Resource-based policy (bucket policy)
C) SCP
D) Permission boundary
→ Answer: B (Bucket policies are resource-based, attached to the bucket)
```

| Service | Purpose | Key Feature |
|---|---|---|
| GuardDuty | Threat detection (intelligent), managed | ML-based anomaly detection across accounts |
| Security Hub | Aggregate security findings | CIS AWS Foundations Benchmark, custom insights |
| Inspector | Vulnerability scanning for EC2/Lambda/Containers | SCAP + agentless, auto-discovery |
| WAF | Layer 7 web application firewall | AWS-managed rules, bot control, rate limiting |
| Shield | DDoS protection | Standard (free auto) + Advanced (24/7 DDoS response team) |
| Macie | PII data classification in S3 | ML to find PII/PHI, CloudTrail integration |
| Artifact | Audit evidence management | Compliance reports (SOC, ISO, PCI), evidence lock |
| NFW (Network Firewall) | Stateful L3-L7 inspection | Suricata-compatible rules, TLS inspection |

| Method | Key Source | Rotation | Use Case |
|---|---|---|---|
| SSE-S3 | AWS managed (AES-256) | Automatic (every 3 years) | Default encryption, simplest |
| SSE-KMS | AWS KMS CMK | Annual auto or manual | Audit trail, cross-account |
| SSE-C | Customer-provided keys | Customer managed | Full key ownership |
| Client-side | Application-managed | Application logic | KMS envelope encryption pattern |
| S3 Object Lock | Write-once-read-many | N/A (legal hold) | Compliance (SEC Rule 17a-4) |

| Resource | Type | Cost | Best For |
|---|---|---|---|
| AWS Skill Builder | Official courses + labs | Free / $29/mo | Structured learning, official practice exams |
| AWS Well-Architected Labs | Hands-on labs | Free | Practical architecture patterns |
| AWS Sample Questions | Official question bank | Free (limited) | Exam format familiarity |
| A Cloud Guru / Udemy | Video courses | ~$15 (sale) | Comprehensive video + practice exams |
| Stephane Maarek (Udemy) | Video course series | ~$15 (sale) | Top-rated SAA/DVA/SOA courses |
| Tutorials Dojo | Practice exams | ~$20-40 | Closest to real exam difficulty |
| Whizlabs | Practice exams | ~$20-40 | Additional question variety |
| ExamPro | Video + practice | ~$25 | Interactive learning with notes |
| Adrian Cantrill | Deep-dive courses | ~$60-80 | Deep understanding, expert level |
| AWS Documentation | Official docs | Free | Reference for specific services |

| Week | Focus | Activities |
|---|---|---|
| 1-2 | Core Services | Watch video course Week 1-2 sections, take notes on EC2, S3, VPC, IAM, RDS, DynamoDB |
| 3-4 | Advanced Topics | Networking deep-dive, security, serverless, messaging, cost optimization |
| 5-6 | Hands-on Labs | Build projects: multi-tier app, serverless API, CI/CD pipeline, DR setup |
| 7 | Practice Exams | Take 3-5 full practice exams, review all wrong answers thoroughly |
| 8 | Weak Areas + Review | Re-study weak domains, review notes, take final practice exam, rest before exam day |

```bash
#!/bin/bash
# ── AWS Certification Study Checklist ──
# Week 1-2: Core Services
echo "☑ EC2: instance types, placement groups, Auto Scaling, user data"
echo "☑ S3: storage classes, lifecycle, versioning, encryption, presigned URLs"
echo "☑ VPC: subnets, IGW, NAT, route tables, peering, endpoints, flow logs"
echo "☑ IAM: policies (identity + resource), roles, STS, federation"
echo "☑ RDS: Multi-AZ, read replicas, snapshots, parameter groups"
echo "☑ DynamoDB: capacity modes, GSIs/LSIs, TTL, Streams, DAX"
# Week 3-4: Advanced Topics
echo "☑ Networking: ALB/NLB, CloudFront, Route 53 policies, Direct Connect"
echo "☑ Security: KMS, WAF, Shield, GuardDuty, Secrets Manager, encryption"
echo "☑ Serverless: Lambda configuration, API Gateway, Step Functions, SAM/CDK"
echo "☑ Messaging: SQS (FIFO vs standard), SNS, Kinesis, EventBridge"
echo "☑ Cost: RI, Savings Plans, Spot, Cost Explorer, Trusted Advisor"
echo "☑ Monitoring: CloudWatch (metrics, logs, alarms, dashboards), X-Ray"
# Week 5-6: Hands-on
echo "☑ Build: 3-tier web app (S3 + CloudFront + ALB + EC2 + RDS)"
echo "☑ Build: Serverless REST API (API GW + Lambda + DynamoDB + Cognito)"
echo "☑ Build: CI/CD pipeline (CodeCommit/Bitbucket → CodeBuild → CodeDeploy)"
echo "☑ Build: Multi-region DR (Route 53 failover + S3 CRR + Aurora Global)"
```

| Strategy | Description |
|---|---|
| Eliminate wrong answers | Usually 2 of 4 answers are clearly wrong. Eliminate first, then compare remaining. |
| Read the "MOST" qualifier | "MOST cost-effective", "LEAST operational overhead" — these keywords matter. |
| Think "AWS way" | AWS prefers managed services over self-managed. Choose the path of least resistance. |
| Flag and review | Mark uncertain questions, answer all, then return to flagged ones. |
| No negative marking | Never leave a question blank — guess if unsure. |
| Time management | ~2 minutes per question. If stuck >3 min, guess and move on. |
| Watch for NEW features | Exam questions may reference newer services (e.g., AWS App Runner, S3 Express One Zone). |
| Understand, don't memorize | Know WHY a service is the answer, not just THAT it is. |

| Pitfall | Why It's Wrong |
|---|---|
| Choosing EC2 for everything | Serverless (Lambda) is often better for unpredictable workloads |
| Overlooking multi-AZ | Production workloads almost always need multi-AZ for high availability |
| Ignoring cost | Questions often have a "cost-effective" constraint — pick the cheaper valid option |
| Choosing self-managed | Aurora > self-managed PostgreSQL; ElastiCache > self-managed Redis |
| Confusing NACL and SG | NACL is stateless (subnet level), SG is stateful (instance level) |
| Forgetting encryption | Always consider encryption at rest and in transit for security questions |

| Resource | URL / Location | Details |
|---|---|---|
| AWS Skill Builder (Free Tier) | skillbuilder.aws.amazon.com | 100+ digital courses, 25+ labs, 1 free practice exam per cert |
| AWS Well-Architected Labs | awslabs.github.io | Hands-on labs for all 6 pillars, 300+ labs |
| AWS Cloud Quest | skillbuilder.aws.amazon.com | Gamified learning with hands-on challenges |
| AWS Sample Questions | aws.amazon.com/certification | Official 10-question sample for each exam |
| FreeCodeCamp AWS Course | freecodecamp.org | Full video course (12+ hours) covering CLF and SAA |
| ExamPro Free Resources | exampro.co | Free practice questions, YouTube videos, study guides |

| Project | Services Covered | Time |
|---|---|---|
| Static website on S3 + CloudFront | S3, CloudFront, Route 53, ACM | 2 hours |
| Serverless REST API | API Gateway, Lambda, DynamoDB, Cognito | 4 hours |
| 3-tier app with RDS | EC2, ALB, RDS Multi-AZ, VPC, SSM | 4 hours |
| CI/CD pipeline | CodePipeline, CodeBuild, CodeDeploy, S3 | 3 hours |
| Infrastructure as Code | CloudFormation or CDK, SAM | 4 hours |
| Monitoring dashboard | CloudWatch, CloudTrail, X-Ray, SNS | 3 hours |
| Multi-region DR | Route 53, S3 CRR, Aurora Global, Lambda | 6 hours |
| Containerized app | ECS Fargate, ECR, ALB, CloudWatch | 4 hours |

AWS CERTIFICATION COST SUMMARY

| Item | Cost |
|---|---|
| Foundational (CLF-C02) | $150 |
| Associate (SAA / DVA / SOA) | $150 each |
| Professional (SAP-C02) | $300 |
| Specialty (SCS-C02 / MLS-C01) | $300 each |
| DevOps Engineer Professional | $300 |
| Renewal (within 3 years) | FREE (online assessment) |
| Retake (if failed) | Same cost as original |
| Study resources (varies) | $0 - $300 |
| Total path (CLF → SAA → SAP) | $600 in exam fees |