Intermediate

AWS Certified Solutions Architect - Associate (SAA-C03) - Scaling and Decoupling Architectures

Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets (EC2 instances, containers, IP addresses, Lambda functions) across multiple Ava...

Table of Contents

  1. Module 1 – Elastic Load Balancing
  2. Module 2 – Auto Scaling and High-Availability
  3. Module 3 – Containers and Images
  4. Module 4 – AWS Lambda
  5. Module 5 – Event-driven Architectures
  6. Module 6 – Amazon API Gateway, AWS AppSync, and AWS X-Ray
  7. Module 7 – Serverless Authentication with Amazon Cognito
  8. Module 8 – AWS CloudFormation and Infrastructure-as-Code Services
  9. Module 9 – AWS Elastic Beanstalk
  10. Module 10 – AWS Systems Manager
  11. Module 11 – Amazon SQS and Amazon SNS
  12. Module 12 – Amazon Kinesis
  13. Module 13 – Amazon MSK and Amazon MQ
  14. Module 14 – Amazon Step Functions and AWS Batch
  15. Module 15 – Application and Network Caching
  16. Module 16 – Miscellaneous Services

Module 1 – Elastic Load Balancing

Reviewing AWS Global Infrastructure

AWS infrastructure is organized at several levels of abstraction:

  • Regions: The highest-level geographic grouping. Currently 31+ active geographic regions. Each region provides full redundancy and connectivity to the AWS network and the internet.
  • Availability Zones (AZs): Fully isolated partitions within a region, each with separate power, networking, and internet connectivity. Typically at least 3 AZs per region. Note: The actual data centers referenced by an AZ name (e.g., us-east-1a) can differ per account. Use AZ IDs to reference the same physical data center across accounts.
  • Edge Locations: AWS partners with thousands of telecom carriers worldwide to host edge locations for caching and content delivery.
graph TD
    AWS[AWS Global Network]
    AWS --> R1[Region: us-east-1]
    AWS --> R2[Region: eu-west-1]
    R1 --> AZ1[AZ: us-east-1a]
    R1 --> AZ2[AZ: us-east-1b]
    R1 --> AZ3[AZ: us-east-1c]
    R1 --> EL[Edge Locations]
    AZ1 --> DC1[Data Centers]
    AZ2 --> DC2[Data Centers]
    AZ3 --> DC3[Data Centers]

Elastic Load Balancing (ELB) Introduction

Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets (EC2 instances, containers, IP addresses, Lambda functions) across multiple Availability Zones.

Key properties:

  • Managed service – AWS handles the operational burden
  • Custom DNS – Point your DNS to the load balancer. Use an alias record in Route 53 to reference the ELB
  • Health checks – ELBs monitor back-end targets and only route to healthy ones
  • SSL/TLS termination – Handle cryptographic operations at the load balancer level
  • Best practice: Create separate tiers for public and private network traffic

There are three modern (v2) ELB types plus a legacy Classic Load Balancer:

TypeOSI LayerProtocolsUse Case
ALBLayer 7 (Application)HTTP, HTTPS, HTTP/2, WebSocketSmart routing, containers, microservices
NLBLayer 4 (Transport)TCP, TLS, UDP, TCP_UDPHigh performance, static IPs
GWLBLayer 3 (Network)GENEVE (port 6081)Security appliances, intrusion detection

Application Load Balancers (ALB)

ALBs operate at Layer 7 of the OSI model and are considered “smart” load balancers.

Key characteristics:

  • Supports routing based on: content type, cookies, custom headers, path, hostname, query strings, methods, source IP
  • Protocols: HTTP, HTTPS, HTTP/2, WebSockets
  • Does not support unbroken TLS/SSL – encryption terminates at the load balancer; traffic to back end is unencrypted within the AWS network
  • Perfect for containerized applications (Docker, ECS, EKS)

Important ALB components:

ComponentDescription
ListenerChecks for incoming connections on a configured port and protocol
Target GroupGroup of registered targets (EC2 instances, IP addresses, Lambda functions)
RulesDefine how the listener routes traffic to target groups (path-based, host-based, etc.)
graph LR
    Users[Internet Users] --> ALB[Application Load Balancer\nLayer 7]
    ALB -->|/a/* rule| TGA[Target Group A\nEC2 Instances]
    ALB -->|/b/* rule| TGB[Target Group B\nEC2 Instances]
    ALB -->|Default rule| TGC[Target Group C\nContainers]

Demo: Setting up an Application Load Balancer

The following user data scripts were used to set up two web server instances with different path prefixes (/a/ and /b/) for path-based routing demonstration.

Instance A user data (A-instance-user-data.sh):

#!/bin/bash

# Allowing YUM updates and installations from cloud_user
echo '%password%' | passwd cloud_user --stdin
yum update -y
yum install -y httpd

# Starting and enabling HTTPD service
systemctl start httpd.service
systemctl enable httpd.service

# Adding HTTPD group and adding cloud_user
groupadd www
usermod -a -G www cloud_user

# Get the IMDSv2 token
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`

# Setting homepage index.html file.
cat <<EOF > /var/www/html/index.html
<html>
    <title>AWS SAA Prep</title>
    <body>
        <p>Our default homepage</p>
    </body>
<html>
EOF

mkdir -p /var/www/html/a/

# Setting the app index.html file.
cat <<EOF > /var/www/html/a/index.html
<html>
    <title>AWS SAA Prep - Path A</title>
    <body>
        <p>This is Path A</p>
    </body>
</html>
EOF

Instance B user data (B-instance-user-data.sh): Same structure but creates /var/www/html/b/index.html.

Network Load Balancers (NLB)

NLBs operate at Layer 4 (Transport layer). They do not perform content-based routing; they are optimized for raw performance.

Key characteristics:

  • Protocols: TCP, TLS, UDP, TCP_UDP
  • Highest-performing ELB – millions of requests per second, ultra-low latency
  • Supports static IPs per AZ – can assign Elastic IPs for easy whitelisting
  • Perfect for: firewall whitelisting, gaming, IoT, financial applications

Important: Despite being called “Network” Load Balancer, it operates at Layer 4 (Transport), not Layer 3 (Network). Do not confuse these.

Demo: Setting up a Network Load Balancer

The user data script used for an NLB back-end instance:

#!/bin/bash

yum update -y
yum install -y httpd
systemctl start httpd.service
systemctl enable httpd.service

TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`

echo '<html><h1>Hello Gurus!</h1><h2>I live in this Availability Zone: ' \
  >> /var/www/html/index.html
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/placement/availability-zone \
  >> /var/www/html/index.html
echo '</h2><h2>I go by this Instance Id: ' >> /var/www/html/index.html
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/instance-id \
  >> /var/www/html/index.html
echo '</h2></html>' >> /var/www/html/index.html

systemctl restart httpd.service

Gateway Load Balancers (GWLB)

GWLBs operate at Layer 3 (Network layer) and are designed for deploying, scaling, and managing virtual network appliances.

Key characteristics:

  • Uses the GENEVE protocol (port 6081) for traffic encapsulation
  • Target types: EC2 instances or private IP addresses
  • Use cases: Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Deep Packet Inspection
graph LR
    Internet[Internet Traffic] --> GWLB[Gateway Load Balancer\nLayer 3]
    GWLB --> IDS[IDS/IPS Appliances]
    IDS -->|Inspected traffic| ALB[Application Load Balancer]
    ALB --> App[Application\nAuto Scaling Group]

Elastic Load Balancing Optimization

Session Affinity (Sticky Sessions)

Sticky sessions ensure clients always reach the same back-end target. Supported by CLBs, ALBs, and NLBs.

  • Creates a cookie to determine which target is used for a session
  • Cookie expiry configurable from 1 second to 7 days
  • Warning: Sticky sessions can override load balancing algorithms; this can cause uneven distribution

Exam tip: Sticky sessions are perfect for maintaining user sessions (e.g., shopping carts). Remember they override round-robin algorithms.

Connection Draining / Deregistration Delay

  • CLBs: called Connection Draining
  • ALBs and NLBs: called Deregistration Delay
  • Allows in-flight requests to complete before removing a target from service
  • Default: 300 seconds (5 minutes)
  • Range: 0 to 3600 seconds

Cross-Zone Load Balancing

  • Distributes traffic evenly across all registered targets in all AZs
  • ALBs: enabled by default (no charge)
  • NLBs and GWLBs: disabled by default (charges apply when enabled)
  • CLBs: no charge when enabled

Demo: Setting up an HTTPS Listener

Steps to set up an HTTPS listener on an ALB:

  1. Navigate to AWS Certificate Manager (ACM) and request a public certificate for your domain
  2. Validate the domain using DNS validation (add a CNAME record in Route 53)
  3. On the ALB, add a listener on port 443 (HTTPS)
  4. Select the ACM certificate
  5. Configure rules and target group

Remember: ACM certificates for use with ALBs are regional. For CloudFront, they must be in us-east-1.

Module 1 Summary and Exam Tips

ConceptKey Points
AZ IDsAlways reference the same physical data center across accounts – use for multi-account strategies
HA vs FTHigh Availability = self-recovers, stays up most of the time. Fault Tolerant = handles failures with NO data loss and NO service interruption
ALBLayer 7; HTTP/HTTPS; smart routing by hostname, path, query string, method, source IP
NLBLayer 4; TCP/UDP/TLS; highest performance; millions req/s; supports static EIPs
GWLBLayer 3; GENEVE protocol; security appliances; IDS/IPS; Deep Packet Inspection
Sticky SessionsSupported by CLB, ALB, NLB; cookie-based; overrides round-robin
Cross-Zone LBALB = on by default; NLB/GWLB = off by default
Connection DrainingAllows in-flight requests to complete; 0-3600 seconds

Module 2 – Auto Scaling and High-Availability

Horizontal Versus Vertical Scaling

Scalability (Gartner): The measure of a system’s ability to increase and decrease performance and cost in response to changes in application processing demands.

Scaling TypeDescriptionUse CaseLimits
VerticalScale resources to be larger (bigger instance)Databases, single-instance appsCPU, RAM, networking bandwidth of the instance
HorizontalIncrease the number of instancesStateless web applicationsPractically unlimited

Key: Auto Scaling Groups are for horizontal scaling. Do not confuse the two.

Auto Scaling Groups (ASGs)

An Auto Scaling group is a logical resource containing collections of EC2 instances treated as a single group for scaling and management.

Benefits:

  • Self-healing: Automatically replaces unhealthy instances
  • Cost optimization: Scales down when demand decreases, scales up when it increases

Key terms:

TermDefinition
Scale OutAdd instances (horizontal scaling up)
Scale InRemove instances (horizontal scaling down)
MinimumLowest number of instances to maintain
MaximumHighest number of instances allowed
DesiredTarget number of instances at any given time
graph TD
    ASG[Auto Scaling Group]
    ASG --> Min[Minimum: 2 instances]
    ASG --> Des[Desired: 4 instances]
    ASG --> Max[Maximum: 10 instances]
    Des --> LT[Launch Template]
    LT --> AZ1[AZ-a: EC2]
    LT --> AZ2[AZ-b: EC2]
    LT --> AZ3[AZ-c: EC2]

Launch Templates vs Launch Configurations:

  • Launch Templates are the newer and recommended method
  • Support versioning (v1, v2, etc.)
  • Define: AMI, instance type, key pair, security groups, user data, IAM instance profile, etc.

Demo: Create a Launch Template and Auto Scaling Group

Steps:

  1. Go to EC2 → Launch Templates → Create launch template
  2. Select “Provide guidance” to see required fields for ASG use
  3. Configure: AMI, instance type, security groups
  4. Create the ASG referencing the launch template
  5. Configure: VPC/subnets across multiple AZs, desired/min/max capacity

Auto Scaling Group Scaling Policies

Policy TypeDescriptionBest For
ManualManually set desired capacityTesting, emergency adjustments
SimpleScale based on a CloudWatch alarm thresholdBasic CPU/memory metrics
Target TrackingMaintain a specific metric value (e.g., 50% CPU)Most common, recommended approach
Step ScalingMultiple scaling steps based on alarm thresholdsFine-grained control
PredictiveUses ML to forecast and pre-scaleKnown traffic patterns (daily/weekly cycles)

Cooldown period: After a scaling activity, a cooldown period (default 300 seconds) prevents additional scaling events until instances are stable.

Auto Scaling Group Health Checks

Health Check TypeDescription
EC2 (default)Checks EC2 instance status and underlying hardware
ELBOffloads health checking to the load balancer
VPC LatticeUses VPC Lattice service mesh health data
EBSChecks if attached EBS volumes are reachable
CustomDefine your own health check via CloudWatch

ASG Instance Maintenance Policies

PolicyBehaviorBest For
Launch Before TerminatingNew instances launched and healthy before old ones are terminatedMaximum availability
Terminate and LaunchOld instances terminated at same time new ones launchCost efficiency
CustomDefine min/max capacity range during replacementAdvanced scenarios

Demo: Fronting an Auto Scaling Group with an ELB

Architecture:

  1. Create an Application Load Balancer with HTTPS listener (port 443) using ACM certificate
  2. Create a target group with IP target type (required for Fargate/containers)
  3. Create an Auto Scaling Group with a launch template
  4. Attach the ASG to the target group during creation
graph LR
    Internet[Internet] --> ALB[ALB\nHTTPS:443]
    ALB --> TG[Target Group]
    TG --> ASG[Auto Scaling Group]
    ASG --> EC2a[EC2 - AZ-a]
    ASG --> EC2b[EC2 - AZ-b]
    ASG --> EC2c[EC2 - AZ-c]

Demo: Creating and Using a Dynamic Scaling Policy

To create a target tracking dynamic scaling policy:

  1. Navigate to the ASG → Automatic Scaling tab
  2. Create a Dynamic Scaling Policy
  3. Choose Target tracking scaling
  4. Select metric (e.g., Average CPU Utilization)
  5. Set target value (e.g., 50%)
  6. The ASG will automatically scale to maintain the target

Auto Scaling Group Lifecycle Hooks

Lifecycle hooks allow you to perform custom actions on instances during scale-out or scale-in events. They pause the instance in a WAIT state for up to 2 hours.

Common use cases:

  • Installing custom software packages before serving traffic (scale-out hook)
  • Uploading logs to S3 before termination (scale-in hook)
sequenceDiagram
    participant ASG as Auto Scaling Group
    participant Instance as EC2 Instance
    participant Hook as Lifecycle Hook
    participant Action as Custom Action (Lambda/Script)
    
    ASG->>Instance: Launch initiated
    Instance->>Hook: Enter WAIT state
    Hook->>Action: Trigger custom action
    Action->>Action: Install software / upload logs
    Action->>ASG: complete-lifecycle-action CONTINUE
    ASG->>Instance: Move to InService

Lifecycle states:

  • Pending:WaitPending:ProceedInService (scale-out)
  • Terminating:WaitTerminating:ProceedTerminated (scale-in)

Demo: Trigger Log Storage via a Lifecycle Hook

This script runs on EC2 instances and waits for the lifecycle state to be InService, then uploads logs to S3 before completing the lifecycle action.

#!/bin/bash

# Get the IMDSv2 token
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

BUCKET_NAME="REPLACE_ME"
LOG_FILE_1="/var/log/audit/audit.log"
LOG_FILE_2="/var/log/cloud-init-output.log"
REGION="us-east-1"

function get_target_state {
    echo $(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s \
      http://169.254.169.254/latest/meta-data/autoscaling/target-lifecycle-state)
}

function get_instance_id {
    echo $(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s \
      http://169.254.169.254/latest/meta-data/instance-id)
}

function complete_lifecycle_action {
    instance_id=$(get_instance_id)
    group_name='REPLACE_ME'
    region='us-east-1'
    
    aws autoscaling complete-lifecycle-action \
        --lifecycle-hook-name REPLACE_ME \
        --auto-scaling-group-name $group_name \
        --lifecycle-action-result CONTINUE \
        --instance-id $instance_id \
        --region $region
}

function main {
    while true; do
        target_state=$(get_target_state)
        if [ "$target_state" = "InService" ]; then
            instance_id=$(get_instance_id)
            FILE_NAME="/home/ec2-user/${instance_id}-$(date +'%Y%m%d%H%M%S').zip"
            zip -r "${FILE_NAME}" $LOG_FILE_1 $LOG_FILE_2
            aws s3 cp $FILE_NAME s3://$BUCKET_NAME/ --region $REGION
            complete_lifecycle_action
            break
        fi
        sleep 10
    done
}

main

IAM role requirements for the EC2 instance:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CompleteLifecycleAction",
        "s3:PutObject",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

Improving Service Connectivity Using VPC Lattice

VPC Lattice is a managed application networking service that connects, secures, and monitors microservices within a VPC. It simplifies networking complexities when connecting microservices, operating similarly to a service mesh for Kubernetes workloads (but is not identical).

Key benefit: Reduces the networking complexity of connecting microservices without the overhead of a full service mesh implementation.

Module 2 Summary and Exam Tips

Four questions to ask on the exam:

  1. Is it highly-available and self-healing? → Consider ASGs across multiple AZs
  2. Horizontal or vertical scaling? → ASGs are for horizontal scaling
  3. Most cost-effective approach? → ASG minimum instances for standby/DR
  4. Is this event-driven or time-based? → Consider predictive or scheduled scaling

Key concepts:

ConceptDetail
ASG launch templateDefines instance configuration; supports versioning
Target trackingBest common scaling policy; maintain a metric value
Health checksEC2 (default), ELB, VPC Lattice, EBS, Custom
Lifecycle hooksUp to 2-hour wait; for custom launch/terminate actions
Launch Before TerminatingMaximum availability during replacement
Terminate and LaunchCost efficiency during replacement

Module 3 – Containers and Images

Containers and Images Overview

A container is a standard unit of software that packages code and all its dependencies so the application runs quickly and reliably across different environments.

VM vs Container architecture:

graph TD
    subgraph VM Architecture
        HW1[Physical Hardware]
        HW1 --> HYP[Hypervisor]
        HYP --> VM1[VM1\nFull OS + App]
        HYP --> VM2[VM2\nFull OS + App]
    end
    
    subgraph Container Architecture
        HW2[Physical Hardware]
        HW2 --> OS[Host OS]
        OS --> CR[Container Runtime]
        CR --> C1[Container 1\nApp only]
        CR --> C2[Container 2\nApp only]
        CR --> C3[Container 3\nApp only]
    end

Containers vs VMs:

  • Containers share the host OS kernel → lighter weight, faster startup
  • VMs have full OS per instance → more isolation, more overhead
  • Containers: portable, consistent across environments, ideal for microservices

Amazon Elastic Container Registry (ECR)

Amazon ECR stores and manages Docker images and OCI-compatible artifacts.

FeatureDetail
Repository typesPublic (anyone can pull) and Private (IAM-controlled)
Supported imagesOCI images, Docker images, OCI artifacts
Access controlIAM permissions for private repos
Lifecycle policiesAutomatically expire and clean up old images
Scan on PushAutomatically scans images for vulnerabilities on push
IntegrationNatively integrates with ECS and EKS

Exam tip: If you need to store Docker images or OCI-compatible artifacts in AWS → think ECR.

Amazon Elastic Container Service (ECS) Overview

Amazon ECS is the go-to service for launching and managing Docker containers at scale on AWS compute.

Benefits:

  • Manage 1 to thousands of containers from a single console
  • Self-healing architecture: replaces failed tasks automatically
  • Integrates with ALBs and NLBs
  • Works with Application Auto Scaling for automatic scaling

ECS Launch Types:

Launch TypeDescription
EC2Containers run on EC2 instances you manage
FargateServerless – AWS manages the compute infrastructure
ECS AnywhereExternal launch type for on-premises containers

Amazon ECS Tasks, Task Definitions, and IAM Roles

Task Definition: A JSON-formatted blueprint that specifies:

  • Launch type (EC2 or Fargate)
  • CPU and memory requirements
  • Networking settings (VPC, subnets)
  • Container image (from ECR)
  • Environment variables
  • IAM roles
  • Logging configuration

IAM Role Types:

RoleWho Uses ItPurpose
Task RoleThe application containersMake AWS API calls (S3, DynamoDB, SQS, etc.)
Task Execution RoleECS agent/service itselfPull images from ECR, retrieve secrets from Secrets Manager
graph TD
    TaskDef[Task Definition]
    TaskDef --> TR[Task Role\nassigned to containers]
    TaskDef --> TER[Task Execution Role\nused by ECS agent]
    TR --> S3[S3 GetObject]
    TR --> SQS[SQS ReceiveMessage]
    TER --> ECR[ECR Pull Image]
    TER --> SM[Secrets Manager]

Cluster: Logical grouping of tasks/services. Task: A running instance of a task definition (one or more containers). Service: Maintains a specified number of task instances; manages restarts and integrates with ELBs.

Load Balancing Amazon ECS

ECS services integrate with ELBs to distribute traffic across tasks:

  • Supported: ALB, NLB, Classic Load Balancer (CLB – avoid; no Fargate support)
  • Different services can map to different target groups on the same load balancer
  • Use Application Auto Scaling with ECS services for automatic scaling based on CloudWatch metrics (CPU, memory)

Demo: Creating an ECR Repository

  1. Navigate to ECR → Create repository
  2. Choose Private repository
  3. Enable Scan on Push
  4. After creation, push your Docker image:
# Authenticate Docker to ECR
aws ecr get-login-password --region us-east-1 | \
  docker login --username AWS \
  --password-stdin <account>.dkr.ecr.us-east-1.amazonaws.com

# Build, tag, and push the image
docker build -t my-app .
docker tag my-app:latest <account>.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
docker push <account>.dkr.ecr.us-east-1.amazonaws.com/my-app:latest

Demo: Creating a Load Balanced ECS Cluster

Dockerfile used in the demo:

FROM --platform=linux/amd64 httpd:alpine

COPY index.html /usr/local/apache2/htdocs/

Key steps:

  1. Create Task Definition → choose Fargate, .25 vCPU, .5 GB memory
  2. Assign Task Role (for CloudWatch Logs) and Task Execution Role
  3. Create Cluster → Fargate
  4. Create Service → attach to target group of existing ALB
  5. Set desired task count

Important: IP target type is required for Fargate containers when using an ALB target group.

Amazon ECS Storage

Storage TypeUse Case
EBS VolumesPersistent storage; relational databases (PostgreSQL, MySQL)
Amazon EFSShared storage between containers; CMS (WordPress), analytics
FSx for Windows File Server.NET applications needing Windows shared file storage
Docker VolumesSharing volumes between containers on the same EC2 host

Amazon Elastic Kubernetes Service (EKS) Overview

EKS is the managed Kubernetes service on AWS. Key Kubernetes concepts for the exam:

ComponentDescription
ClusterControl plane + worker nodes
NodeVirtual/physical machine hosting containerized apps
PodSmallest deployable unit; hosts containers (usually 1 container)
ServiceExposes applications running on one or more pods
JobOne-off task that runs until successful completion
CronJobScheduled job running at defined intervals
DeploymentManages rolling updates for pods

EKS Launch Types:

  • Managed Node Groups: EC2 nodes managed by EKS
  • Self-Managed Nodes: Customer manages EC2 instances
  • Fargate: Serverless pods

Amazon EKS Data Storage

StorageUse Case
EBSData persistence for pods
Amazon EFSShared Linux file systems
FSx for LustreHigh-performance computing workloads
FSx for NetApp ONTAPEnterprise NFS/SMB workloads
FSx for OpenZFSOpenZFS compatible workloads
S3Object storage for data retrieval

StorageClass: Kubernetes object defining EBS volume defaults (type, encryption, IOPS). Uses the Amazon EBS CSI driver.

Exam tip: Need highly-available, scalable, shared file system for EKS pods on Linux? → Amazon EFS

Securing Amazon EKS

EKS Pod Identities (IAM Roles for Service Accounts - IRSA):

  • Assign IAM roles to Kubernetes service accounts
  • Pods assume the role to make AWS API calls
  • Similar to EC2 instance profiles but for pods
  • Use different IAM roles for different services (frontend vs backend)

API Endpoint Access:

  • Default: publicly accessible (secured via IAM and Kubernetes RBAC)
  • Can enable private endpoint to restrict access within VPC only
  • Can configure both public and private access

Amazon EKS Distro

EKS Distro (EKS-D) is a Kubernetes distribution based on EKS, but entirely self-managed by the customer.

  • Can run anywhere: on-prem, other clouds, your laptop
  • Same versions and dependencies as EKS
  • You manage: upgrades, node deployment, pod deployment
  • Good for self-managed Kubernetes but operationally heavy

Amazon ECS and Amazon EKS Anywhere

ServiceDescription
EKS AnywhereRun EKS workloads on-premises; manages lifecycle of clusters
ECS AnywhereExternal launch type; run ECS-managed containers on your own infrastructure

EKS Anywhere key differences from EKS-D:

  • Manages more overhead (cluster lifecycle, node management)
  • Control plane is in the customer data center (not AWS)
  • Cluster updates must be done manually via CLI or Flux
  • Offers curated packages for extended Kubernetes functionality

AWS App Runner

AWS App Runner is a fully managed service that deploys directly from source code or container images to scalable, secure web applications.

graph LR
    GIT[Git Repository] -->|Push| AR[App Runner Connection]
    ECR[ECR Repository] -->|Image update| AR
    AR -->|Automatic deploy| AS[App Runner Service]
    AS --> LB[Built-in Load Balancer]
    AS --> Scale[Auto Scaling]
    AS --> Sec[Security Groups]

Key features:

  • Automatic deployment on code/image updates
  • Automatic scaling and load balancing
  • Implements security configurations automatically
  • Developer use case: Simplify deploying updated Docker/code versions
  • DevOps use case: Automatic deployments on every git push

AWS App2Container

App2Container (A2C) is a CLI tool for lifting and shifting applications into containers.

Supported applications:

  • Java applications
  • ASP.NET applications
  • Any other language → NOT supported

Process:

  1. Lists all compatible running Java and ASP.NET applications
  2. Analyzes runtime dependencies
  3. Extracts application artifacts
  4. Generates a Dockerfile
  5. Generates AWS artifacts: CloudFormation templates, ECR images, task definitions

Exam tip: A2C can create a CI/CD pipeline via AWS CodePipeline to automate builds and deployments.

Module 3 Summary and Exam Tips

ServiceKey Points
ECRStore Docker/OCI images; public or private; lifecycle rules; Scan on Push
ECSOrchestrate Docker containers; EC2, Fargate, ECS Anywhere launch types
Task RoleUsed by containers to call AWS services
Task Execution RoleUsed by ECS agent to pull images, get secrets
EKSManaged Kubernetes; pods, nodes, clusters, services
EKS Pod IdentityIAM role for service accounts; like EC2 instance profile for pods
EKS DistroSelf-managed Kubernetes distribution
EKS/ECS AnywhereRun workloads on-premises
App RunnerFully managed deploy from source/container image
App2ContainerLift-and-shift Java/ASP.NET to containers

Module 4 – AWS Lambda

AWS Lambda Overview

Serverless allows developers to focus only on code and small configuration options without managing underlying compute. Lambda is AWS’s primary serverless compute service.

Evolution:

  • Physical servers → Virtualization → Cloud (IaaS) → Serverless (focus on code only)

Key benefits:

  • No server management
  • Automatic scaling
  • Pay per invocation (no cost when not running)
  • High availability built-in
  • Supports many runtimes

Lambda limits:

  • Max execution time: 900 seconds (15 minutes)
  • Memory: 128 MB to 10,240 MB (scales proportionally with CPU)
  • Ephemeral storage (/tmp): 512 MB to 10,240 MB
  • Deployment package size: 50 MB (zipped), 250 MB (unzipped)
  • Concurrency: 1,000 concurrent executions (soft limit per account per region)

Configuring Lambda Functions

Key configuration elements:

ElementDescription
RuntimeLanguage environment (Python, Node.js, Java, .NET, Ruby, Go, etc.)
Execution RoleIAM role granting AWS permissions to the function
NetworkingOptional VPC, subnets, security groups for private resource access
Memory128 MB to 10,240 MB; CPU scales proportionally
Timeout1 second to 900 seconds
Environment VariablesKey-value pairs passed to the function
LayersShared code/libraries across functions

Available runtimes:

  • Python 3.x
  • Node.js
  • Java
  • .NET
  • Ruby
  • Go
  • Custom runtimes (bring your own)

Demo: Creating and Invoking a Lambda Function

This Lambda function converts a CSV file from S3 to JSON and uploads the result to a destination bucket:

import json
import boto3
import csv
import io
import os
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

s3 = boto3.client("s3")

def lambda_handler(event, context):
    bucket = event["Records"][0]["s3"]["bucket"]["name"]
    key = event["Records"][0]["s3"]["object"]["key"]

    logger.info(f"Event received => {json.dumps(event)}")
    logger.info(f"Context received => {context}")

    try:
        # Get CSV file from source bucket
        response = s3.get_object(Bucket=bucket, Key=key)
        csv_content = response["Body"].read().decode("utf-8")

        # Convert CSV to JSON
        reader = csv.DictReader(io.StringIO(csv_content))
        json_data = json.dumps([row for row in reader])

        # Get destination bucket from environment variable
        destination_bucket = os.environ.get("DESTINATION_BUCKET")

        # Save JSON to destination S3 bucket
        json_key = key.replace(".csv", ".json")
        s3.put_object(Bucket=destination_bucket, Key=json_key, Body=json_data)

        logger.info(f"Transformed {key} to {json_key}")

        return {
            "statusCode": 200,
            "body": json.dumps("CSV transformed to JSON and saved to S3!"),
        }
    except Exception as e:
        logger.error("Error during processing: %s", str(e))
        return {"statusCode": 500, "body": json.dumps({"message": "An error occurred"})}

IAM Execution Role Policy (iam-execution-role-policy.json):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::SOURCE_BUCKET/*"
        },
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::DESTINATION_BUCKET/*"
        }
    ]
}

Architecture:

graph LR
    Upload[User uploads CSV] --> SB[Source S3 Bucket]
    SB -->|S3 Event Trigger| Lambda[Lambda Function\nConvertFiles]
    Lambda -->|Read CSV| SB
    Lambda -->|Write JSON| DB[Destination S3 Bucket]

Lambda Function Networking

By default, Lambda functions are deployed in an AWS-owned VPC with internet access.

To access private resources (RDS, EC2 in private subnets):

  1. Configure the function for VPC access
  2. Specify: VPC, private subnets, security group
  3. Lambda must be in private subnets (not public)
graph LR
    Lambda[Lambda Function\nVPC-enabled] --> Private[Private Subnet]
    Private --> RDS[RDS Instance]
    Private --> EC2[EC2 Application]
    Private --> VPN[VPN/Direct Connect]
    VPN --> OnPrem[On-Premises API]

Best practice: Reference source security groups in target security group rules rather than IP ranges for Lambda-to-RDS access.

Demo: Configure a Lambda Function for VPC Access

This Lambda function fetches a URL from an environment variable (demonstrating access to a private web server):

import json
import logging
import os
import urllib3

logger = logging.getLogger()
logger.setLevel(logging.INFO)

http = urllib3.PoolManager()  # Connection pooling

def lambda_handler(event, context):
    try:
        url = os.environ.get("URL")  # Get URL from environment variable

        if not url:
            raise ValueError("URL not provided in the environment variables")

        logger.info(f"Fetching URL: {url}")

        response = http.request("GET", url, redirect=False)

        logger.info(f"Response => {response}")

        return {
            "statusCode": 200,
            "body": json.dumps({
                "status_code": response.status,
                "content": response.data.decode("utf-8"),
            }),
        }

    except urllib3.exceptions.HTTPError as e:
        logger.error(f"HTTP error fetching URL: {e}")
        return {"statusCode": 500, "body": json.dumps({"error": str(e)})}
    except ValueError as e:
        logger.error(str(e))
        return {"statusCode": 400, "body": json.dumps({"error": str(e)})}
    except Exception as e:
        logger.error(f"An unexpected error occurred: {e}")
        return {"statusCode": 500, "body": json.dumps({"error": "Unexpected error"})}

Lambda Function Concurrency

Concurrency = number of in-flight requests your function handles simultaneously.

Concurrency TypeDescriptionUse Case
ProvisionedPre-initialized environments; kept warm; costs moneyReduce cold starts for critical functions
ReservedSet maximum concurrent instances for a function; reserves from poolEnsure critical functions never get throttled
ThrottlingRequests dropped when no concurrency availableSet reserved concurrency to 0 to throttle manually

Default account limit: 1,000 concurrent executions (soft limit – can request increase).

Cold start: First invocation of a function requires initialization (runtime setup, code loading). Subsequent invocations reuse the execution environment (warm start).

To manually throttle a function (e.g., malicious execution suspected): Set reserved concurrency to 0.

Lambda SnapStart

Lambda SnapStart provides sub-second startup performance with zero code changes.

Supported runtimes only:

  • Java 11 or greater
  • Python 3.12 or greater
  • .NET 8 or greater

How it works:

  1. First invocation runs through the full init phase (extensions, runtime bootstrap, static code)
  2. SnapStart caches a snapshot of the memory and disk state after init
  3. Future invocations skip the init phase entirely using the cached snapshot
graph LR
    subgraph "Normal Lambda Lifecycle"
        I1[Init Phase\nSlow] --> INV1[Invoke] --> SHUT1[Shutdown]
    end
    subgraph "SnapStart Lifecycle"
        SNAP[Cached Snapshot] --> INV2[Invoke\nSub-second start] --> SHUT2[Shutdown]
    end

Note: SnapStart for Java functions is available at no extra cost (unlike Provisioned Concurrency).

Important Lambda Features

Versions

  • Versions are immutable snapshots of your function (code + runtime + memory + configuration)
  • The current working version is called $LATEST
  • Each published version gets an incrementing number (:1, :2, etc.)
  • Published versions are immutable

Aliases

  • Aliases are pointers to specific function versions
  • Can be updated to point to a different version
  • Access via alias ARN
  • Can split traffic between two versions (e.g., 90% v1, 10% v2 for canary deployments)
graph LR
    PROD[Alias: prod] --> V3[Version 3\n90% traffic]
    PROD -->|10% canary| V4[Version 4]
    DEV[Alias: dev] --> LATEST[$LATEST]

Common Lambda triggers (event source mappings):

  • S3 bucket event notifications
  • Kinesis Data Streams / Data Firehose
  • SNS / SQS
  • Amazon EventBridge
  • API Gateway
  • DynamoDB Streams
  • Cognito

Module 4 Summary and Exam Tips

Three questions to ask on the exam:

  1. Do you need servers? If yes → avoid Lambda
  2. Is it better for containers? If yes → use ECS or EKS
  3. How long does the code need to run? If > 15 minutes → NOT Lambda

Key concepts:

ConceptDetail
Execution roleIAM role for AWS API calls from Lambda
Max timeout900 seconds / 15 minutes
Concurrency limit1,000 default (soft); can request increase
VPC accessDeploy in private subnets; reference SG for RDS/EC2
SnapStartJava 11+, Python 3.12+, .NET 8+; sub-second cold starts
Provisioned concurrencyKeep functions warm; costs money
Reserved concurrencyGuarantee concurrency for critical functions
LayersShared libraries across functions

Module 5 – Event-driven Architectures

Amazon RDS Events

Amazon RDS events are near real-time notifications about events on your monitored RDS resources (instances, clusters, snapshots).

Important characteristics:

  • Do not contain actual database data
  • Event categories: DB instance, snapshot, security group changes, etc.
  • Can publish to: SNS topics or Amazon EventBridge
  • Common pattern: EventBridge → trigger Lambda for custom logic

Example RDS events:

  • Snapshot created
  • Instance shut down
  • Cluster failover
graph LR
    RDS[RDS Instance] -->|Event: Low storage| SNS[SNS Topic]
    SNS --> Lambda[Lambda Function]
    Lambda --> Action[Auto-increase storage\nor Alert team]
    RDS -->|Event| EB[EventBridge]
    EB --> Lambda2[Lambda Function\nCustom logic]

Amazon S3 Events

S3 event notifications allow you to receive notifications when specific events occur in your buckets.

Common event types (most tested):

  • s3:ObjectCreated:* (Put, Post, Copy, CompleteMultipartUpload)
  • s3:ObjectRemoved:*
  • s3:LifecycleExpiration
  • s3:Replication

Supported destinations:

  • SNS topic
  • SQS queue (Standard queues only – not FIFO)
  • Lambda function
  • Amazon EventBridge

Exam tip: S3 → SQS only supports Standard queues (not FIFO).

Amazon EventBridge

Amazon EventBridge (formerly CloudWatch Events) is a serverless event bus that passes events from a source to an endpoint.

Key components:

ComponentDescription
EventA recorded change in an AWS environment, SaaS partner, or custom application (JSON object)
RuleCriteria to match incoming events and route to targets
TargetWhere the event is sent (Lambda, SNS, SQS, API Gateway, etc.)
Event BusRouter that receives events, evaluates rules, delivers to targets

Rule trigger types:

  • Event Pattern: Define source + pattern; triggers when pattern matches
  • Scheduled: Cron-based recurring schedule

Note: Some AWS services are best effort (try to deliver) while others are durable (guaranteed delivery).

Amazon EventBridge Event Buses

Bus TypeDescription
DefaultEvery AWS account has one; automatically receives all compatible AWS service events
CustomCreated for custom workloads; cross-account event centralization; PII vs non-PII separation
PartnerReceives events from SaaS partners (Datadog, Sumo Logic, etc.)

Custom buses require a resource policy to allow other accounts or custom applications to send events.

Amazon EventBridge Events

EventBridge events are always JSON objects with consistent top-level fields:

{
  "version": "0",
  "id": "abcd-1234",
  "source": "aws.health",
  "account": "123456789012",
  "time": "2024-01-15T12:00:00Z",
  "region": "us-east-1",
  "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-1234"],
  "detail-type": "AWS Health Event",
  "detail": {
    "eventTypeCode": "AWS_EC2_INSTANCE_STORE_DRIVE_PERFORMANCE_DEGRADED"
  }
}

One rule can route to multiple targets simultaneously (e.g., Lambda + SNS topic at the same time).

Demo: Trigger Workloads Using Amazon EventBridge

Architecture: EventBridge rule → Lambda (restart stopped EC2) + SNS (email notification)

Lambda function to restart a stopped EC2 instance:

import boto3
import logging

ec2_client = boto3.client('ec2')

logger = logging.getLogger()
logger.setLevel(logging.INFO)

def lambda_handler(event, context):
    try:
        # Extract instance ID from the EventBridge event
        detail = event.get("detail", {})
        instance_id = detail.get("instance-id")

        if not instance_id:
            raise ValueError("No instance-id found in the event.")

        logger.info(f"Instance ID extracted: {instance_id}")

        # Check current instance state
        describe_response = ec2_client.describe_instances(InstanceIds=[instance_id])
        instance_state = (
            describe_response['Reservations'][0]['Instances'][0]['State']['Name']
        )

        logger.info(f"Current instance state: {instance_state}")

        if instance_state == 'stopped':
            logger.info(f"Starting instance {instance_id}...")
            start_response = ec2_client.start_instances(InstanceIds=[instance_id])
            logger.info(f"Start response: {start_response}")
        else:
            logger.info(f"Instance {instance_id} is not stopped. No action taken.")

    except Exception as e:
        logger.error(f"An error occurred: {str(e)}")
        raise e

EventBridge rule event pattern (event-example.json):

{
  "source": ["aws.ec2"],
  "detail-type": ["EC2 Instance State-change Notification"],
  "detail": {
    "state": ["stopped"]
  }
}

Module 5 Summary and Exam Tips

ConceptKey Points
RDS EventsNear real-time notifications; no database data; publish to SNS/EventBridge
S3 EventsMonitor Object Created/Removed; destinations: SNS, SQS (Standard only), Lambda, EventBridge
EventBridgeTrigger actions based on account events; event patterns or scheduled rules
Event BusesDefault (every account), Custom (cross-account/custom apps), Partner (SaaS)
RulesOne rule → multiple targets simultaneously

When to think EventBridge: You want to trigger an action based on something happening in your account. Common use case: automate responses to API calls or resource state changes.


Module 6 – Amazon API Gateway, AWS AppSync, and AWS X-Ray

Amazon API Gateway Overview

Amazon API Gateway is a fully managed service to publish, create, maintain, monitor, and secure custom APIs.

Key characteristics:

  • Integrates natively with Lambda, custom HTTP endpoints, and virtually any AWS service
  • Compatible with Swagger and OpenAPI frameworks
  • Can transform and validate requests and responses

Endpoint types:

Endpoint TypeDescriptionUse Case
Edge-OptimizedDefault; deployed globally via CloudFront POPs; reduces latency for global usersGlobal APIs
RegionalDeployed to a specific region; use with Route 53 latency routing for multi-regionRegional traffic
PrivateOnly accessible within a VPC via VPC endpointsInternal APIs

Amazon API Gateway Authentication and Security

Access control options:

MethodDescription
Resource PoliciesControl which principals can call the API; supports IP ranges, VPCs, specific accounts
Public AccessEdge-optimized APIs are public by default
IAM PermissionsUse IAM to control API access
Lambda AuthorizerCustom Lambda function for token-based authentication
Cognito User Pool AuthorizerUse Cognito user pools for JWT-based authentication
Usage Plans + API KeysControl and meter API usage per client

Resource policy use case: Deny API traffic from specific IP ranges/CIDR blocks.

Private APIs require both a resource policy AND a VPC endpoint policy for full security control.

Amazon API Gateway Integrations

Common exam scenarios:

1. API Gateway + Lambda + DynamoDB (Serverless stack):

graph LR
    Client --> CF[CloudFront\nStatic Content]
    CF --> S3[S3 Website]
    Client --> APIGW[API Gateway]
    APIGW --> Lambda[Lambda Function]
    Lambda --> DDB[DynamoDB]

2. API Gateway → SQS (Buffered messaging):

graph LR
    Client --> APIGW[API Gateway\nPOST /messages]
    APIGW -->|Execution Role| SQS[Amazon SQS Queue]
    SQS --> Consumer[Consumer Application]

3. API Gateway → Kinesis (Stream ingestion):

graph LR
    IoT[IoT Devices] --> APIGW[API Gateway]
    APIGW --> KDS[Kinesis Data Streams]
    KDS --> KDF[Data Firehose]
    KDF --> S3[S3 Bucket]

Amazon API Gateway Deployments and Versions

Deployment: Publishing an API to make it publicly accessible. Stage: A snapshot of the API (methods, responses, integrations, settings). Examples: dev, test, prod.

Stage features:

  • Caching: Speed up latency
  • Throttling: Usage plans for rate limiting
  • Logging: CloudWatch integration
  • Canary testing: Split traffic between versions (e.g., 10% to new version)

Demo: Creating a REST API Using Amazon API Gateway

Lambda function that fetches a random quote from the internet:

import boto3
from botocore.exceptions import ClientError
import http.client
import json
import os
import logging

logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)

def lambda_handler(event, context):
    logger.info(f"Event => {event}")

    try:
        # Get a random quote from the internet
        conn = http.client.HTTPSConnection("zenquotes.io")
        conn.request("GET", "/api/random")
        response = conn.getresponse()

        if response.status == 200:
            data = json.loads(response.read().decode())
            quote = data[0]["q"]
            author = data[0]["a"]

            return {"quote": quote, "author": author}
        else:
            return {"body": f"Failed to fetch a quote. Error code: {response.status}"}

    except Exception:
        return {"body": "An exception occurred"}

Steps to create the REST API:

  1. Go to API Gateway → Create API → REST API
  2. Create a resource (e.g., /quote)
  3. Create a method (GET) → Integration: Lambda Function
  4. Enable Lambda proxy integration
  5. Deploy to a stage (e.g., test)
  6. Test using the provided Invoke URL

Demo: Using TLS and Custom Domain Names for API Gateway

Steps to configure custom domain with TLS:

  1. Request a certificate in ACM for your domain
  2. Validate using Route 53 DNS validation
  3. Create a Custom Domain Name in API Gateway
  4. Create an API Mapping linking the domain to your stage
  5. Create a Route 53 alias record pointing to the API Gateway endpoint
  6. Test with custom URL

SQS integration requires an API Gateway execution role with sqs:SendMessage permissions:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:REGION:ACCOUNT:QUEUE_NAME"
  }]
}

AWS AppSync

AWS AppSync is a serverless GraphQL interface for developers.

Key characteristics:

  • Specifically for GraphQL APIs (key exam indicator)
  • Fetches data quickly by combining from multiple sources (Lambda, DynamoDB, etc.)
  • Authentication: API keys, IAM, Cognito, OpenID Connect, Lambda authorizer
  • Supports only JavaScript or TypeScript for backend logic

Exam tip: If you see a requirement for GraphQL in AWS → immediately think AWS AppSync.

Debug Applications Using AWS X-Ray

AWS X-Ray collects data about requests and provides tools to view, filter, and gain insights to identify issues and optimize applications.

Key concepts:

  • Traces: End-to-end view of a request across multiple services
  • Trace ID: Unique identifier to track a specific request
  • Segments: Data about a unit of work (e.g., Lambda invocation, DynamoDB call)
  • Subsegments: More granular units within a segment
  • X-Ray Daemon: Process that listens for raw trace data and sends to X-Ray service

Integrated services (can auto-instrument):

  • API Gateway
  • Lambda
  • EC2 (via SDK and daemon)
  • ECS
  • Elastic Beanstalk

Use X-Ray when: You need to trace requests across distributed microservices to identify performance bottlenecks, errors, or latency.

Module 6 Summary and Exam Tips

ServiceKey Points
API GatewayCreate/maintain/publish custom APIs; integrate with Lambda, HTTP, any AWS service
Endpoint typesEdge-optimized (default, global), Regional, Private
API AuthPublic, IAM, Lambda Authorizer, Cognito User Pool, Resource Policy
AppSyncGraphQL only; JavaScript/TypeScript only
X-RayDistributed tracing; traces, segments, daemon
StagesDeployments go to named stages; support caching, canary, throttling

Module 7 – Serverless Authentication with Amazon Cognito

Amazon Cognito Overview

Amazon Cognito is an AWS-native identity provider offering authentication, authorization, and user management for web and mobile applications.

Key characteristics:

  • Serverless (no infrastructure to manage)
  • Users can sign in with username/password or social providers (Facebook, Google, Amazon, Apple)
  • Scales to millions of users
  • No custom authentication code required

Two main components:

  1. User Pools – User directories for sign-up/sign-in to your applications
  2. Identity Pools – Grant users access to AWS services via temporary credentials

Amazon Cognito User Pools

User Pools provide sign-up and sign-in for your application users. Upon successful authentication, they receive a JSON Web Token (JWT).

Features:

  • Basic authentication (username/password)
  • Federated identities (Google, Facebook, Amazon, Apple)
  • Multi-Factor Authentication (MFA)
  • Self-service password reset
  • Email/phone verification
  • Adaptive Authentication: Blocks suspicious sign-ins or requires additional factors based on risk level
graph LR
    User[Mobile/Web User] --> UP[Cognito User Pool]
    UP -->|JWT Token| App[Your Application\nAPI Gateway]
    App -->|Authorize request| UP

Exam scenario – API Gateway + Cognito User Pool:

  1. User authenticates with Cognito User Pool → receives JWT
  2. User includes JWT in API Gateway request
  3. API Gateway uses Cognito authorizer to validate JWT
  4. If valid → request proceeds to Lambda back end

Amazon Cognito Identity Pools

Identity Pools grant authenticated users access to AWS services via temporary credentials (STS).

Flow:

  1. User authenticates via third-party IDP or Cognito User Pool
  2. Identity Pool maps user to an IAM role
  3. User receives temporary credentials to access AWS services directly

Features:

  • Assign different IAM roles based on user characteristics (premium vs free tier)
  • Guest access (unauthenticated): Users can receive heavily restricted IAM permissions without logging in
  • Each role has distinct permission sets
graph LR
    User[User] --> IDP[3rd-party IDP\nor User Pool]
    IDP --> IP[Cognito Identity Pool]
    IP -->|Role A| Premium[Premium Role\nFull S3 access]
    IP -->|Role B| Free[Free Role\nLimited S3 access]
    IP -->|Role C| Guest[Guest Role\nRead-only access]

Key difference:

  • User Pool → grants access to your application
  • Identity Pool → grants access to AWS services

Module 7 Summary and Exam Tips

ConceptKey Points
CognitoServerless identity provider; auth/authz/user management
User PoolsSign-up/sign-in; JWT tokens; MFA; adaptive authentication
Identity PoolsTemporary AWS credentials; IAM role mapping
User Pool auth optionsBasic auth, Google, Facebook, Amazon, Apple
Identity Pool auth optionsThird-party IDPs or Cognito User Pools

Common exam trap: User pools grant access to YOUR APP. Identity pools grant access to AWS SERVICES. Know the difference.


Module 8 – AWS CloudFormation and Infrastructure-as-Code Services

Infrastructure as Code Review

Infrastructure as Code (IaC) is the ability to provision and support infrastructure using code instead of manual processes.

Benefits:

  • Quick duplication across regions and accounts
  • Avoid human errors through templated deployments
  • Integrate with source control for change tracking
  • Implement consistent resource tagging for cost tracking

AWS CloudFormation Overview

AWS CloudFormation allows declaring infrastructure as code for repeatable, automated deployments via stacks.

Key characteristics:

  • Free service (pay only for resources created)
  • Define templates in JSON or YAML
  • Resources are deployed as a stack
  • Supports automated resource tagging + stack identifier tag
  • Not all resources supported (use custom resources for unsupported ones)
  • Perfect for identical infrastructure across multiple accounts/regions

Template structure:

AWSTemplateFormatVersion: "2010-09-09"  # Always this value
Description: "Description of the template"

Parameters:
  ParamName:
    Description: "What this parameter does"
    Type: String
    Default: "DefaultValue"

Mappings:
  # Key-value pairs for environment-specific configs

Conditions:
  # Logical conditions for conditional resource creation

Resources:  # Required section
  ResourceLogicalID:
    Type: "AWS::ServiceName::ResourceType"
    Properties:
      PropertyKey: PropertyValue
      Tags:
        - Key: Name
          Value: !Ref ParamName

Outputs:
  OutputKey:
    Value: !Ref ResourceLogicalID
    Export:
      Name: "ExportedValueName"

AWS CloudFormation Service Roles

Service roles control what permissions CloudFormation has when deploying stacks.

  • No service role set: CloudFormation uses temporary credentials of the user deploying the stack
  • Service role set: CloudFormation uses the specified role’s permissions (enables least-privilege)

Use case: Limit CloudFormation to only create specific EC2 resources; prevent it from creating VPCs or databases.

Demo: Writing an AWS CloudFormation Template

Multi-VPC CloudFormation template (partial):

AWSTemplateFormatVersion: "2010-09-09"
Description: "Template with two VPCs, VPC Peering, and Security Groups allowing SSH"

Parameters:
  VpcAName:
    Description: The name of the first VPC
    Type: String
    Default: VPC-A
  VpcBName:
    Description: The name of the second VPC
    Type: String
    Default: VPC-B

Resources:
  VPC:
    Type: "AWS::EC2::VPC"
    Properties:
      CidrBlock: "10.0.0.0/16"
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: "Name"
          Value: !Ref VpcAName

  PublicSubnet1:
    Type: "AWS::EC2::Subnet"
    Properties:
      CidrBlock: "10.0.0.0/24"
      MapPublicIpOnLaunch: true
      VpcId: !Ref VPC
      Tags:
        - Key: "Name"
          Value: "Public Subnet AZ A"
      AvailabilityZone: !Select ["0", !GetAZs !Ref "AWS::Region"]

  PublicSubnet2:
    Type: "AWS::EC2::Subnet"
    Properties:
      CidrBlock: "10.0.1.0/24"
      MapPublicIpOnLaunch: true
      VpcId: !Ref VPC
      Tags:
        - Key: "Name"
          Value: "Public Subnet AZ B"
      AvailabilityZone: !Select ["1", !GetAZs !Ref "AWS::Region"]

CloudFormation intrinsic functions reference:

FunctionDescription
!RefReference a parameter or resource
!SubString substitution
!GetAttGet an attribute from a resource
!SelectSelect from a list
!GetAZsGet list of AZs in a region
!IfConditional selection
!JoinJoin strings
!ImportValueImport exported stack value

Deleting AWS CloudFormation Stacks

Protection mechanisms:

FeatureDescription
Termination PolicyPrevents the entire stack from being deleted; disabled by default
Stack PolicyPrevents specific resources from being updated or deleted
Disable RollbackOn failure, stay at current point instead of rolling back

Stack policy example — allow updates only on non-critical resources:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "LogicalResourceId/ProductionDatabase"
    }
  ]
}

Organizational Deployments via StackSets

CloudFormation StackSets create, update, and delete stacks across multiple accounts and regions in a single operation.

Key concepts:

ConceptDetail
Admin accountDelegated administrator; manages templates
Target accountsAccounts where stack instances are deployed
Stack instancesReferences to stacks in each account/region
Regional scopeStacks are regional; StackSets deploy to each specified region

Permissions models:

ModelDescription
Self-ManagedManually create IAM roles in admin and target accounts
Service-ManagedAWS Organizations manages permissions automatically
graph TD
    Admin[Admin Account\nStackSet] -->|Deploy| T1[Target Account 1\nus-east-1]
    Admin -->|Deploy| T2[Target Account 1\nus-west-2]
    Admin -->|Deploy| T3[Target Account 2\nus-east-1]

Demo: Deploying a StackSet

  1. Navigate to CloudFormation → StackSets → Create StackSet
  2. Upload template (same as regular stacks)
  3. Specify stack name and parameters
  4. Specify accounts (by account ID or organizational unit)
  5. Specify regions (deploy to all selected regions with single operation)

Preview Infrastructure Changes Using Change Sets

Change Sets preview the impact of proposed template changes on existing resources.

Included in change set output:

  • Resource replacements
  • Resource deletions
  • Property updates (tags, configurations)

Workflow:

  1. Create change set (upload new template or modify existing)
  2. Review proposed changes (additions, modifications, deletions)
  3. Execute the change set to apply changes, OR delete it to discard

Best practice: Always use change sets before updating production stacks to understand the impact.

Demo: Creating a Stack Change Set

  1. Select existing stack → Stack actions → Create change set
  2. Choose to Edit in Infrastructure Composer or upload new template
  3. Review the change summary (blue = new, orange = updated, red = deleted)
  4. If acceptable → Execute change set

CloudFormation Custom Resources

Custom Resources allow custom logic in CloudFormation templates for:

  • Actions not natively supported by CloudFormation
  • Complex logic beyond standard resource types
  • Examples: executing database migration scripts, calling external APIs, initializing databases after RDS creation

Note: Custom resources are moving more toward developer-focused exams but can still appear.

CloudFormation cfn-init

cfn-init (CloudFormation init) is a helper script for defining initialization tasks on EC2 instances.

Key difference from User Data:

  • User Data: Updates trigger full instance replacement
  • cfn-init: Updates instances in place without replacement

Common use cases:

  • Getting metadata from CloudFormation
  • Installing packages on EC2 instances
  • Writing files to EBS volumes
  • Starting/stopping/enabling OS services

Usage in template:

Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Metadata:
      AWS::CloudFormation::Init:
        config:
          packages:
            yum:
              httpd: []
          services:
            sysvinit:
              httpd:
                enabled: true
                ensureRunning: true
    Properties:
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          /opt/aws/bin/cfn-init -v \
            --stack ${AWS::StackName} \
            --resource MyEC2Instance \
            --region ${AWS::Region}

Sharing Templates Using AWS Service Catalog

AWS Service Catalog allows organizations to create catalogs of IT services (pre-approved CloudFormation templates).

Purpose:

  • Centrally manage commonly deployed services
  • Ensure governance and compliance
  • End users can only deploy pre-approved catalog items
  • Catalogs deployed using service roles

What can be in a catalog:

  • Approved AMIs
  • Specific EC2 instance types
  • Specific RDS instances and engine versions
  • Any CloudFormation-supported resources

Self-Service Templates with AWS Proton

AWS Proton creates and manages infrastructure and deployment tooling for serverless and container-based applications.

Key features:

  • Automates IaC provisioning AND deployment methods
  • Defines standardized infrastructure for serverless/container apps
  • Automatically provisions resources AND configures CI/CD pipelines
  • Supports CloudFormation templates and Terraform providers

Module 8 Summary and Exam Tips

Four questions to ask on the exam:

  1. Can/should you automate this? → If yes, what kind of automation?
  2. Is the automation repeatable? Does it need to be? → Maybe StackSets
  3. Does it work cross-region or cross-account? → StackSets
  4. What service is the best fit? (CloudFormation vs Service Catalog vs Proton)
ServiceWhen to Use
CloudFormationVersion-controlled templates; automating repeatable deployments
StackSetsSame infrastructure across multiple accounts/regions
Service CatalogPre-approved templates for end users; governance
ProtonStandardized IaC + CI/CD for serverless/container teams
Change SetsPreview changes to existing stacks before applying
cfn-initIn-place instance initialization without replacement
Custom ResourcesNon-natively supported logic in CloudFormation

Module 9 – AWS Elastic Beanstalk

Reviewing Platform-as-a-Service (PaaS)

Platform-as-a-Service (PaaS) provides a complete development and deployment environment in the cloud.

Service ModelCustomer ManagesAWS Manages
IaaS (EC2)Application, data, OS, middleware, runtimeHypervisor, hardware, networking
PaaS (Beanstalk)Application + data onlyRuntime, middleware, OS, hardware
SaaSNothing (just uses the service)Everything

AWS Elastic Beanstalk Overview

Elastic Beanstalk is a managed PaaS offering where you only manage the application code.

What Beanstalk manages for you:

  • EC2 instances
  • Application Load Balancer
  • Auto Scaling Groups
  • Optionally: RDS database

Supported platforms:

  • Java
  • .NET
  • Node.js
  • PHP
  • Python
  • Ruby
  • Go
  • Docker

AWS Elastic Beanstalk Environments

Key components:

ComponentDescription
ApplicationLogical collection of all components (environments, versions, configurations)
Application VersionA labeled iteration of code pointing to an S3 object
EnvironmentAWS resources running a specific application version (1:1 relationship)
Environment TierDefines the type of application and resources created

Environment Tiers:

TierDescriptionResources Created
Web ServerHosts web applicationsCNAME URL (Route 53), ELB, Auto Scaling Group of EC2
WorkerProcesses background tasksAuto Scaling Group, SQS Queue (reads messages to scale)

AWS Elastic Beanstalk Deployments

Environment Types:

  • Single Instance: One EC2 instance with an Elastic IP; good for development only
  • Load-Balanced: ELB + Auto Scaling Group; for production

Deployment Policies:

PolicyDescriptionDowntimeSpeed
All-at-onceDeploy to all instances simultaneouslyBrief downtimeFastest
RollingDeploy to batches of instances sequentiallyNoneSlower
Rolling with additional batchLaunch new instances, deploy, then remove oldNoneSlower
ImmutableLaunch new instances, test, then swapNoneSlowest
Blue/Green (URL swap)Create new environment, deploy, then swap DNSNoneSlowest

Exam tip: URL swapping is the key concept for Blue/Green deployments in Beanstalk. This comes up frequently on the exam.

graph LR
    subgraph "Blue/Green Deployment"
        DNS[Route 53\nCNAME] -->|Before| Blue[Blue Environment\nv1.0]
        DNS -->|After swap| Green[Green Environment\nv2.0]
    end

Module 9 Summary and Exam Tips

ConceptKey Points
BeanstalkOne-stop PaaS; upload code, Beanstalk handles infrastructure
Web server tierCNAME URL, ELB, ASG for hosting web apps
Worker tierSQS queue-based; ASG scales with message count
Single instanceDevelopment only; one EC2 + EIP
Load-balancedProduction; ASG + ELB + URL
Blue/GreenURL/CNAME swap; zero downtime; key exam topic
All-at-onceFastest but causes brief downtime
ImmutableSlowest but zero downtime; safest

Module 10 – AWS Systems Manager

AWS Systems Manager Overview

AWS Systems Manager is a suite of tools for viewing, controlling, and automating managed nodes within AWS, other cloud providers, and on-premises.

Requirements for managed nodes:

  1. SSM Agent installed, configured, and connected
  2. Network connectivity to the Systems Manager service
  3. IAM permissions (attach AmazonSSMManagedInstanceCore policy)

Supported targets:

  • EC2 instances
  • Azure VMs
  • On-premises servers
  • VMware VMs

Patch Manager and Maintenance Windows

Patch Manager automates patching of managed instances.

FeatureDetail
Windows supportService packs, OS patches
Linux supportMinor version upgrades, yum/apt packages
Compute supportEC2, edge devices, on-prem servers, third-party VMs
ScanIdentify missing patches, generate report
Scan and InstallIdentify AND install patches automatically
Patch baselineDefine which patches to approve/reject
Patch policyDefine patching rules

Maintenance Windows define schedules for performing potentially disruptive actions (patching, updates) on managed nodes.

Automation and Documents

Automation simplifies maintenance, deployment, and remediation tasks.

Types of automation:

  • Documents (Runbooks): Define the tasks to execute
  • AWS predefined automations: Ready-to-use for common tasks
  • Custom automations: Build on top of predefined ones

Example automation tasks:

  • Disable public access for security groups
  • Restart EC2 instances (with or without approval)
  • Configure S3 bucket logging

Triggering automations:

  • Maintenance Windows (scheduled)
  • EventBridge (event-based or scheduled)
  • AWS Config rules (compliance remediation)
  • Manually via console/CLI

Run Command

Run Command remotely and securely manages managed nodes – executes scripts or commands across multiple instances simultaneously.

Key characteristics:

  • Executes PowerShell, Bash scripts, or one-time commands
  • Connects via SSM Agent (no SSH/RDP ports required)
  • Target by tags, instance IDs, or resource groups
  • Logs to S3 and CloudWatch Logs

Security note: Sensitive data in commands will be logged in plain text – handle carefully.

Triggering:

  • Manual (console or CLI)
  • EventBridge events
  • Maintenance Windows

Demo: Executing Remote Scripts via Run Command

Demo setup used CloudFormation to deploy 3 EC2 instances tagged with Application: Web.

# run_command_1.sh - Update packages on Amazon Linux
sudo yum update -y
sudo yum install -y httpd
sudo systemctl start httpd
sudo systemctl enable httpd

# Verify Apache is running
sudo systemctl status httpd
# run_command_2.sh - Echo instance metadata
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

INSTANCE_ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/instance-id)

echo "Instance ID: $INSTANCE_ID"
echo "Script executed successfully!"

Parameter Store

Parameter Store provides secure, hierarchical storage for configuration data and secrets.

Parameter Types:

TypeDescriptionExample
StringPlain text valueAMI IDs, usernames, config values
StringListComma-separated listPatch days (Mon,Tue,Wed)
SecureStringKMS-encrypted valuePasswords, API keys, secrets

Hierarchy structure:

/dev/username
/dev/password
/dev/database_host
/prod/username
/prod/password
/prod/database_host

Access control: IAM policies can be scoped to specific paths (e.g., UserA can only access /dev/* parameters).

Demo: Creating and Using Parameters in Parameter Store

Python script to retrieve parameters:

import boto3
from botocore.exceptions import ClientError

def get_parameter(name, with_decryption=False):
    """Fetch a single parameter from Parameter Store."""
    ssm = boto3.client("ssm")
    try:
        response = ssm.get_parameter(
            Name=name,
            WithDecryption=with_decryption
        )
        return response["Parameter"]["Value"]
    except ClientError as e:
        print(f"Failed to get parameter {name}: {e}")
        return None

def get_parameters(name_list):
    """Fetch multiple parameters from Parameter Store."""
    ssm = boto3.client("ssm")
    try:
        response = ssm.get_parameters(
            Names=name_list,
            WithDecryption=True
        )
        parameters = {p["Name"]: p["Value"] for p in response["Parameters"]}
        invalid_params = response.get("InvalidParameters", [])
        if invalid_params:
            print(f"Invalid parameters: {invalid_params}")
        return parameters
    except ClientError as e:
        print(f"Failed to get parameters {name_list}: {e}")
        return None

def main():
    # Fetch /dev/username (String)
    username = get_parameter("/dev/username")
    print(f"Username: {username}")

    # Fetch /dev/application_patch_days (StringList)
    patch_days = get_parameter("/dev/application_patch_days")
    if patch_days:
        patch_days_list = patch_days.split(",")
        print(f"Patch Days: {patch_days_list}")

    # Fetch /dev/password (SecureString - needs decryption)
    password = get_parameter("/dev/password", with_decryption=True)
    print(f"Password: {password}")

if __name__ == "__main__":
    main()

AWS CLI commands for Parameter Store:

# Get dev parameters
username=$(aws ssm get-parameter \
  --name "/dev/username" \
  --query "Parameter.Value" --output text)

patch_days=$(aws ssm get-parameter \
  --name "/dev/patch_days" \
  --query "Parameter.Value" --output text)

# Get SecureString (requires --with-decryption)
password=$(aws ssm get-parameter \
  --name "/dev/password" \
  --with-decryption \
  --query "Parameter.Value" --output text)

echo "Username: $username"
echo "Patch Days: $patch_days"
echo "Password: $password"

Module 10 Summary and Exam Tips

ToolPurpose
Patch ManagerAutomatically patch Windows and Linux managed nodes
Maintenance WindowsSchedule for potentially disruptive actions
AutomationRunbooks for maintenance/remediation; triggers via EventBridge/Config
Run CommandExecute scripts/commands across managed nodes at scale
Parameter StoreSecure storage for config data and secrets
Session ManagerSecure SSH/RDP replacement (covered in another course)

Two requirements for managed nodes:

  1. SSM Agent installed + network connectivity
  2. IAM permissions (AmazonSSMManagedInstanceCore)

Module 11 – Amazon SQS and Amazon SNS

Decoupled Architectures

Tightly coupled architecture: Components depend heavily on each other. One component failure can cascade.

Loosely coupled (decoupled) architecture: Components are less dependent. Changes and failures have minimal impact. Uses messaging queues as buffers between layers.

graph TD
    subgraph Tightly Coupled
        FE1[Frontend] -->|Direct call| BE1[Backend]
    end
    
    subgraph Loosely Coupled
        FE2[Frontend] --> MQ[Message Queue\nSQS]
        MQ --> BE2[Backend]
    end

Benefits of decoupling:

  • Resilience to failures
  • Independent scaling
  • Asynchronous processing
  • Buffering during traffic spikes

Amazon SQS Overview

Amazon SQS (Simple Queue Service) is the go-to messaging queue service for asynchronous processing.

Key characteristics:

  • Pull-based system (consumers poll the queue)
  • Producer sends → Queue buffers → Consumer pulls
  • Builds a buffer between components
  • Standard: at-least-once delivery, best-effort ordering
  • FIFO: exactly-once delivery, strict ordering
graph LR
    Producer[Producer\nApplication] -->|Send message| SQS[SQS Queue]
    SQS -->|Poll| Consumer1[Consumer 1\nEC2 / Lambda]
    SQS -->|Poll| Consumer2[Consumer 2\nEC2 / Lambda]

Amazon SQS Queues

FeatureStandard QueueFIFO Queue
DeliveryAt-least-once (possible duplicates)Exactly-once
OrderingBest-effort (not guaranteed)Strict FIFO ordering
ThroughputNearly unlimited300 msg/sec; 3,000 with batching
DeduplicationNot supportedContent-based or deduplication ID
Max message size256 KB256 KB
StorageMulti-AZMulti-AZ
Use caseHigh throughput, duplicates okOrdered processing, no duplicates

Tip: FIFO queue names must end in .fifo

SQS Queue Attributes

AttributeDescriptionDefaultMax
Delivery DelayDelay before message becomes visible0 seconds15 minutes
Message RetentionHow long message stays in queue4 days14 days
Visibility TimeoutTime a consumed message is hidden from other consumers30 seconds12 hours
Max Message SizeMaximum size per message256 KB256 KB
Short PollingDefault; immediate return even if queue emptyDefault
Long PollingWait up to 20 seconds for messages; reduces empty responsesOff20 seconds

Important: Short polling causes empty responses and increased API call costs. Use long polling to reduce costs.

Extended Client Library: For messages > 256 KB, store payload in S3 and put the S3 reference in the SQS message.

Example Architecture: Scaling ASGs Using Amazon SQS

graph LR
    API[API Gateway] --> SQS[SQS Queue]
    SQS -->|ReceiveMessage| ASG[Auto Scaling Group\nEC2 Instances]
    SQS -->|ApproximateNumberOfMessages| CW[CloudWatch Alarm]
    CW -->|Scale Out trigger| ASG
    ASG -->|Process & DeleteMessage| SQS

How it works:

  1. Messages arrive via API Gateway to the SQS queue
  2. EC2 instances in the ASG poll the queue, process messages, delete them
  3. CloudWatch monitors ApproximateNumberOfMessages metric
  4. When metric breaches threshold, CloudWatch alarm triggers ASG scale out
  5. When queue drains, alarm clears and ASG scales in

Dead Letter Queues

Dead Letter Queues (DLQs) capture messages that cannot be processed successfully.

Key facts:

  • DLQ for a FIFO queue must also be a FIFO queue
  • DLQ for a standard queue must be a standard queue
  • Works with both SQS and SNS
  • Messages are moved to DLQ after exceeding the maxReceiveCount

Use cases:

  • Debugging failed message processing
  • Analyzing problematic message contents
  • Long-term message retention for investigation (up to 14 days)
graph LR
    Producer --> SQS[SQS Queue]
    SQS -->|Normal processing| Consumer[Consumer]
    SQS -->|After N failures| DLQ[Dead Letter Queue]
    DLQ --> Debug[Debug / Analysis]

Demo: Sending Messages to an Amazon SQS Queue

Lambda function to process SQS messages:

import json

def lambda_handler(event, context):
    print("Lambda function triggered by SQS Standard Queue.")

    for record in event['Records']:
        message_body = record['body']
        message_id = record['messageId']
        receipt_handle = record['receiptHandle']
        attributes = record.get('attributes', {})

        print("============================")
        print("New Message Received:")
        print("============================")
        print(f"Message ID: {message_id}")
        print(f"Receipt Handle: {receipt_handle}")
        print("Attributes:")
        for key, value in attributes.items():
            print(f"  {key}: {value}")
        print("Body:")
        print(
            json.dumps(json.loads(message_body), indent=4)
            if is_json(message_body) else message_body
        )
        print("============================")

    return {
        "statusCode": 200,
        "body": f"Processed {len(event['Records'])} messages."
    }

def is_json(mystring):
    """Check if a string is valid JSON."""
    try:
        json.loads(mystring)
    except ValueError:
        return False
    return True

Amazon SNS Overview

Amazon SNS (Simple Notification Service) is the go-to push-based messaging service for cloud-native applications.

Key characteristics:

  • Push-based system (server pushes to subscribers)
  • Proactively delivers messages to subscribed endpoints
  • Supports one-to-one or one-to-many delivery
  • Producer sends to SNS Topic → SNS pushes to all subscribers

Key difference from SQS: In SQS, a pulled message is consumed and removed. In SNS, all subscribers receive the same message.

Use cases:

  • Alerting systems
  • Event-driven near real-time workloads

Amazon SNS Topics

FeatureStandard TopicFIFO Topic
Topics per account100,0001,000
Subscriptions12.5 million per topic100 per topic
Message replayNot supportedSupported
ThroughputNearly unlimited300 msg/sec

Supported subscription endpoints:

  • HTTP/HTTPS
  • Email / Email-JSON
  • SQS (most common)
  • Lambda
  • SMS
  • Mobile Push
  • Amazon Kinesis Data Firehose

The most important endpoint types for the exam: SQS and Lambda.

Fanning Out with SNS and SQS

SNS Fanout = multiple subscribers on the same topic; messages sent to multiple endpoints simultaneously.

graph LR
    App[Application\nPrice Update] --> SNS[SNS Topic]
    SNS --> SQS1[SQS Queue\nStore A]
    SNS --> SQS2[SQS Queue\nStore B]
    SNS --> SQS3[SQS Queue\nAnalytics]
    SQS1 --> Worker1[Worker App A]
    SQS2 --> Worker2[Worker App B]
    SQS3 --> Analytics[Analytics Engine]

Benefits:

  • Fully decoupled
  • Parallel processing
  • Asynchronous
  • Each subscriber processes the same message independently

Demo: Sending Notifications through Amazon SNS

Lambda function to restore an S3 object after deletion (triggered via SNS):

import json
import boto3
from botocore.exceptions import ClientError

s3 = boto3.client('s3')

def lambda_handler(event, context):
    try:
        # Parse the SNS message
        sns_message = event['Records'][0]['Sns']['Message']
        s3_event = json.loads(sns_message)

        bucket_name = s3_event['Records'][0]['s3']['bucket']['name']
        object_key = s3_event['Records'][0]['s3']['object']['key']
        object_key = object_key.replace('+', ' ')  # Handle URL-encoded keys

        print(f"Triggered by SNS for bucket: {bucket_name}, object: {object_key}")

        # Find the delete marker
        response = s3.list_object_versions(Bucket=bucket_name, Prefix=object_key)
        delete_markers = response.get('DeleteMarkers', [])

        for marker in delete_markers:
            if marker['Key'] == object_key and marker['IsLatest']:
                delete_marker_version_id = marker['VersionId']
                print(f"Found delete marker: {delete_marker_version_id}")

                # Remove the delete marker to restore the object
                s3.delete_object(
                    Bucket=bucket_name,
                    Key=object_key,
                    VersionId=delete_marker_version_id
                )
                print(f"Delete marker removed. Object {object_key} restored.")
                return {
                    "statusCode": 200,
                    "body": f"Successfully restored {object_key}."
                }

        print(f"No delete marker found for {object_key}")
        return {"statusCode": 404, "body": f"No delete marker found for {object_key}."}

    except ClientError as e:
        print(f"Error restoring object: {e}")
        return {"statusCode": 500, "body": f"Error: {str(e)}"}
    except Exception as e:
        print(f"Unexpected error: {e}")
        return {"statusCode": 500, "body": f"Unexpected error: {str(e)}"}

Architecture:

graph LR
    S3[S3 Bucket\nVersioning enabled] -->|ObjectRemoved event| SNS[SNS Topic]
    SNS --> Email[Ops Team Email\nSubscription]
    SNS --> Lambda[Lambda Function\nRestore Object]
    Lambda -->|Remove delete marker| S3

Module 11 Summary and Exam Tips

Four questions to ask on the exam:

  1. Synchronous or asynchronous processing needed?
  2. Push-based or pull-based messaging?
  3. Does message order matter? → FIFO vs Standard
  4. Are duplicates acceptable? → FIFO vs Standard
ServiceKey Points
SQSPull/poll-based; async; queue; at-least-once (Standard); exactly-once (FIFO)
SNSPush-based; topic; fan-out; one-to-many
SQS StandardUnlimited throughput; possible duplicates; unordered
SQS FIFO300 msg/sec; no duplicates; strict ordering
DLQCapture failed messages; same type as source queue
Long pollingReduces empty API calls; reduces costs
SNS FanoutOne message → multiple SQS queues/Lambda functions

Module 12 – Amazon Kinesis

Amazon Kinesis Overview

Amazon Kinesis allows ingesting, processing, and analyzing real-time and near real-time streaming data and video. It is a pull-based streaming platform.

The four Kinesis offerings:

ServiceUse Case
Kinesis Data StreamsReal-time data streaming (< 1 second latency)
Amazon Data FirehoseNear real-time data loading to destinations
Kinesis Data Analytics for SQLAnalyze streaming data with SQL
Kinesis Video StreamsStream/store live video

Key indicator: Real-time streaming → Data Streams. Near real-time loading → Data Firehose.

Amazon Kinesis Data Streams

Kinesis Data Streams enable real-time streaming data ingestion.

Key concepts:

ConceptDescription
ShardUnit of capacity in a stream; holds sequenced data records
Data RecordUnit of data in a stream; up to 1 MB per record
ProducerApplication pushing data to the stream (constantly streaming)
ConsumerApplication processing data in real time
Retention24 hours default; up to 365 days

Shard limits:

  • Write: 1,000 records/second OR 1 MB/second (either/or)
  • Read: 5 transactions/second OR 2 MB/second (either/or)

Key characteristics:

  • Data is never deleted until retention period expires
  • Guaranteed ordering within a shard
  • Multiple consumers can read the same data
graph LR
    P1[Producer 1\nIoT Device] --> KDS[Kinesis Data Stream]
    P2[Producer 2\nApp] --> KDS
    KDS --> S1[Shard 1]
    KDS --> S2[Shard 2]
    KDS --> S3[Shard 3]
    S1 --> C1[Consumer 1\nReal-time App]
    S2 --> C2[Consumer 2\nLambda]
    S3 --> C3[Consumer 3\nAnalytics]

Kinesis Data Stream Consumers and Producers

Producers use the Kinesis Producer Library (KPL):

  • Simplifies data ingestion
  • Handles aggregation, metric collection (CloudWatch), and retries
  • Perfect for EC2 instances writing thousands of events/second

Consumers use the Kinesis Client Library (KCL):

  • Standalone Java library
  • Simplifies consuming from streams
  • Handles checkpointing, load balancing between consumers
  • Uses DynamoDB for tracking stream position

Data Stream Capacity Modes

ModeDescriptionBest For
On-DemandAutomatically scales shards; scales to gigabytes/minuteVariable/unpredictable traffic
ProvisionedManually set shard count; control costs preciselyPredictable traffic patterns

On-demand pricing: Based on GB of data written and read.

Amazon Data Firehose Overview

Amazon Data Firehose is a fully managed, serverless service for near real-time data loading to destinations.

Key characteristics:

  • Fully managed, automatic scaling
  • Native transformation using Lambda functions
  • Pay only for what you use

Common destinations:

  • Amazon S3 buckets
  • Amazon Redshift tables
  • Amazon OpenSearch Service clusters
  • Third-party providers (Splunk, Datadog, etc.)
graph LR
    IoT[IoT Devices] --> APIGW[API Gateway]
    APIGW --> KDS[Kinesis Data Streams\nReal-time]
    KDS --> KDF[Data Firehose\nNear real-time]
    KDF -->|Transform| Lambda[Lambda]
    Lambda --> KDF
    KDF --> S3[Amazon S3]
    KDF --> RS[Amazon Redshift]
    KDF --> OS[OpenSearch]

Firehose Streams

Three data source types for Firehose:

  1. Direct PUT: Producer writes directly via AWS SDK, CloudWatch, SNS, AWS IoT, Kinesis Agent
  2. Kinesis Data Streams: Use a Data Stream as source; enables real-time → near real-time pipeline
  3. MSK (Managed Streaming for Kafka): Use MSK as source

Amazon Kinesis Data Analytics

Kinesis Data Analytics for SQL Applications processes streaming data using SQL.

  • Reads from Data Streams or Firehose streams
  • Outputs to Data Streams, Firehose, Lambda
  • Supports pre-processing with Lambda
  • Note: This service is being deprecated; may still appear on the exam

Exam tip: “Analyze streaming data with SQL” → Kinesis Data Analytics.

Amazon Kinesis Video Streams

Kinesis Video Streams streams and stores live video from devices to AWS.

Use cases:

  • Real-time video processing
  • Batch video analytics

Exam tip: Need to capture large amounts of live video data globally → Kinesis Video Streams.

Module 12 Summary and Exam Tips

SQS vs SNS vs Kinesis comparison:

SQSSNSKinesis
TypePull-based queuePush-based topicPull-based stream
Real-timeNoNoYes (Data Streams)
OrderingFIFO onlyFIFO onlyYes (within shard)
ReplayNoFIFO onlyYes (retention period)
ComplexitySimpleSimpleComplex (big data)

Kinesis Data Streams retention: Up to 365 days. Data never deleted until retention expires.

Kinesis ServiceKey Indicator
Data StreamsReal-time (< 1 sec); ordered; replay; big data ingestion
Data FirehoseNear real-time; load to S3/Redshift/OpenSearch; serverless
Data AnalyticsSQL against streaming data (being deprecated)
Video StreamsLive video streaming; batch video analytics

Module 13 – Amazon MSK and Amazon MQ

Amazon Managed Streaming for Apache Kafka (MSK)

Amazon MSK is a fully managed service for running data streaming applications that use Apache Kafka.

Exam tip: If you need Apache Kafka → use Amazon MSK.

Key characteristics:

  • Manages control-plane operations (create, update, delete clusters)
  • Deploys across multiple AZs
  • Manages broker nodes and Zookeeper nodes
  • Alternative to Amazon Kinesis (when Kafka-specific requirements exist)

When to use MSK vs Kinesis:

  • New application, no Kafka requirements → Kinesis (simpler)
  • Existing Kafka workloads or Kafka-specific requirements → MSK

MSK key features:

  • MSK Serverless: No capacity planning; AWS manages infrastructure
  • Multi-AZ deployments: High availability
  • Public network access: Deploy nodes in public subnets for direct access
  • Larger message sizes than Kinesis
  • Plain text data support (Kinesis always encrypts in transit)

Amazon MQ

Amazon MQ is a managed message broker service for migrating existing on-premises messaging systems to the cloud.

Supported engine types:

  • Apache ActiveMQ
  • RabbitMQ

Exam tip: If you see ActiveMQ or RabbitMQ → Amazon MQ.

When to use Amazon MQ vs SNS/SQS:

  • Migrating existing applications that use industry-standard protocols (AMQP, STOMP, OpenWire) → Amazon MQ
  • New cloud-native applications → SNS/SQS (simpler, more scalable)

Availability options:

EngineHA Option
ActiveMQActive/Standby (2 nodes in separate AZs; separate maintenance windows)
RabbitMQCluster deployment (3 broker nodes across AZs)

Key limitation: MQ is not as scalable as SNS/SQS because it has actual infrastructure components to manage.

Module 13 Summary and Exam Tips

ServiceWhen to Use
MSKApache Kafka workloads; large message sizes; plain text support
MSK ServerlessKafka without capacity planning
Amazon MQMigrate existing ActiveMQ/RabbitMQ apps to cloud

Comparison:

MSKKinesis
Message sizeLargerUp to 1 MB
EncryptionOptional (plain text ok)Always encrypted in transit
ProtocolKafka topics/partitionsKinesis shards
Use caseKafka-specific workloadsAWS-native streaming

Module 14 – Amazon Step Functions and AWS Batch

AWS Step Functions

AWS Step Functions is a serverless orchestration service for complex, multi-step workflows.

Primary use case: Orchestrating Lambda functions working together in serverless workflows.

Key capabilities:

FeatureDescription
RetriesAutomatically retry failed steps
Parallel executionRun multiple workflows simultaneously
Human approvalPause workflow for human review/approval
Error handlingBuilt-in error handling with catch states
BranchingConditional logic (Choice state)

State types:

StateDescription
TaskExecutes an action (Lambda, ECS, DynamoDB, etc.)
ChoiceConditional branching
WaitPause execution for a duration
ParallelRun branches simultaneously
MapIterate over a collection
PassPass input to output unchanged
Succeed / FailTerminal states
stateDiagram-v2
    [*] --> ValidateOrder
    ValidateOrder --> CheckDiscount: valid
    ValidateOrder --> FailOrder: invalid
    CheckDiscount --> ApplyDiscount: has coupon
    CheckDiscount --> ProcessOrder: no coupon
    ApplyDiscount --> ProcessOrder
    ProcessOrder --> NotifyCustomer
    NotifyCustomer --> [*]
    FailOrder --> [*]

Supported integrations (most common on exam):

  • Lambda functions
  • API Gateway
  • Amazon EventBridge
  • SQS, SNS
  • ECS tasks
  • DynamoDB
  • Glue, Athena

Demo: Orchestrate Workflows Using AWS Step Functions

Architecture:

  • ApplyDiscount Lambda: Checks if coupon code is valid; applies discount
  • ProcessOrder Lambda: Confirms order was processed successfully
  • SQS Queue: Receives processed orders
  • SNS Topic: Sends email notifications

Sample order JSON for testing:

{
  "orderId": "ORD-001",
  "item": "Widget",
  "price": 100.00,
  "couponCode": "SAVE10"
}
{
  "orderId": "ORD-002",
  "item": "Gadget",
  "price": 50.00
}

AWS Batch

AWS Batch is a fully managed batch processing service that runs workloads on EC2 (On-Demand or Spot), ECS containers, or Fargate tasks.

Key characteristics:

  • No time limit (unlike Lambda’s 15 minutes)
  • Automatically provisions required compute
  • Submit jobs on-demand or schedule them
  • No need to install or maintain batch computing software

Key concepts:

ConceptDescription
JobUnit of work (shell script, executable, Docker image)
Job DefinitionSpecifies how jobs run (resources, retry, container)
Job QueueJobs wait here until scheduled to run
Compute EnvironmentEC2, Spot, or Fargate resources running the jobs

Module 14 Summary and Exam Tips

Lambda vs AWS Batch:

LambdaAWS Batch
Max execution time15 minutesNo limit
Disk spaceLimited (512 MB /tmp)Dependent on compute
RuntimeFixed built-in runtimesAny (Docker-based)
Use caseShort event-driven tasksLong-running batch processes
ComputeServerless (no instances)EC2, Spot, Fargate

Exam tip: Long-running batch jobs that exceed 15 minutes → AWS Batch. Short event-driven → Lambda.

Step Functions key points:

  • Serverless workflow orchestration
  • Primarily for Lambda function coordination
  • Supports: retries, parallel execution, human approval, error handling
  • Common integrations: Lambda, API Gateway, EventBridge

Module 15 – Application and Network Caching

Amazon CloudFront Overview

Amazon CloudFront is a CDN (Content Delivery Network) that caches content at edge locations globally.

How it works:

  1. User requests content → nearest edge location checked
  2. Cache Hit: Content returned directly from edge (fast)
  3. Cache Miss: Check regional edge cache → if miss, fetch from origin
  4. Content stored at edge for future requests
graph LR
    User[User\nGlobal] --> EL[Edge Location\nNearest POP]
    EL -->|Cache miss| REC[Regional Edge Cache]
    REC -->|Cache miss| Origin[Origin\nS3 / ALB / API GW]
    Origin --> REC
    REC --> EL
    EL --> User

Key features:

  • Integrates with AWS Shield for DDoS protection
  • Integrates with AWS WAF for application firewall
  • Supports HTTPS and custom domain names with ACM certificates
  • Reduces latency for global users

Amazon CloudFront Origins

Origin: The source location where CloudFront fetches content.

Common origins:

  • Amazon S3 buckets (static content, websites)
  • Application Load Balancers
  • API Gateway
  • VPC Origins (EC2, EIPs)
  • Custom HTTP endpoints

Distribution: CloudFront configuration defining:

  • Origin server
  • Cache behaviors
  • Security settings (HTTPS, OAC)
  • Geographic restrictions
  • Logging

Amazon CloudFront Security

Origin Access Control (OAC) – recommended approach to secure S3 origins:

  • Not an IAM role or user; a CloudFront-specific entity
  • Use S3 bucket policies to authorize access for the CloudFront distribution
  • Supports both GET and PUT operations

Origin Access Identity (OAI) – legacy approach:

  • Still supported; may appear on exam
  • Only for GET operations
  • Being replaced by OAC

Example S3 bucket policy for OAC:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::ACCOUNT:distribution/DISTRIBUTION_ID"
        }
      }
    }
  ]
}

Other security features:

  • Geo-restrictions: Block/allow specific countries
  • Signed URLs: Restrict access to specific files
  • Signed Cookies: Restrict access to multiple files
  • AWS WAF: Web Application Firewall integration
  • AWS Shield: Standard (automatic) and Advanced DDoS protection

CloudFront Custom Domain Names and TLS

Default domain: xxxxx.cloudfront.net (supports HTTPS by default)

Custom domain + HTTPS requirements:

  • Request certificate in AWS Certificate Manager (ACM)
  • ACM certificate MUST be in us-east-1 (regardless of CloudFront distribution region)
  • Create custom domain name in CloudFront → assign ACM certificate
  • Create Route 53 alias record pointing to the CloudFront distribution

Viewer Protocol Policy options:

  • HTTP and HTTPS
  • Redirect HTTP to HTTPS (recommended)
  • HTTPS only

Demo: Setting up an S3 Bucket Origin in CloudFront

Steps:

  1. Create an S3 bucket and upload content (e.g., image.png)
  2. Create a CloudFront distribution → select S3 bucket as origin
  3. Create an OAC (Origin Access Control)
  4. CloudFront auto-generates a bucket policy – apply it to S3
  5. Configure custom domain in Route 53 (alias record)
  6. Test access via both CloudFront URL and custom domain

CloudFront origin types for the exam:

  • S3 – static assets
  • ELB – dynamic applications
  • API Gateway – API-fronted applications
  • VPC – EC2 instances and Elastic IPs

CloudFront Functions and Lambda@Edge Functions

Both are edge functions that execute custom logic close to end users.

Request/response flow phases:

graph LR
    VReq[Viewer Request] --> CF[CloudFront]
    CF --> OReq[Origin Request]
    OReq --> Origin[Origin Server]
    Origin --> OResp[Origin Response]
    OResp --> CF
    CF --> VResp[Viewer Response]
    VResp --> Viewer[Viewer/User]

Comparison:

FeatureCloudFront FunctionsLambda@Edge
RuntimeJavaScript onlyNode.js, Python
Execution time< 1 ms5-30 seconds
ScaleMillions req/secThousands req/sec
PhasesViewer Request/Response onlyAll 4 phases
Memory2 MB128 MB - 10 GB
CostVery lowHigher
Use caseHigh-scale CDN customizationComplex processing at edge

Common CloudFront Function use cases:

  • URL rewrites/redirects
  • Add/modify HTTP headers
  • A/B testing (weighted traffic)
  • JWT token validation (simple)

Common Lambda@Edge use cases:

  • Dynamic content generation
  • Server-side rendering
  • Complex authentication/authorization
  • Database queries at the edge

AWS Global Accelerator

AWS Global Accelerator routes traffic through AWS’s global network infrastructure using anycast IP addresses.

Key characteristics:

  • Provides 2 static anycast IP addresses for global endpoints
  • Routes traffic via edge locations → AWS global network → endpoints
  • Primarily for TCP or UDP traffic (Layer 4 focus – NOT HTTP like CloudFront)
  • Supports static IP for whitelisting/firewalls

Global Accelerator vs CloudFront:

CloudFrontGlobal Accelerator
ProtocolHTTP/HTTPS (Layer 7)TCP/UDP (Layer 4)
CachingYesNo
Static IPsNoYes (2 anycast IPs)
Use caseWeb content, APIsGaming, IoT, VoIP, multi-region failover
Failover controlLimitedFine-grained

Supported endpoints:

  • Elastic IP addresses
  • Application Load Balancers
  • Network Load Balancers
  • EC2 instances

AWS Global Accelerator Security and Health Checks

Health checks:

  • Automatically checks configured endpoints
  • Routes traffic only to healthy endpoints
  • Uses Route 53 health checker data
  • Customizable: protocol, port, timeout, interval

Security:

  • DDoS protection via AWS Shield Standard (automatic)
  • ALBs, NLBs, EC2 endpoints behind Global Accelerator do not need to be internet-facing directly
  • Traffic from health checkers must be allowed in security groups and NACLs

Amazon ElastiCache

Amazon ElastiCache is a managed, distributed in-memory caching service for applications.

Supported engines:

  • Memcached: Simple, multi-threaded, no persistence
  • Redis: Rich data structures, persistence, pub/sub, replication
  • Valkey: Redis-compatible open-source fork

Key characteristics:

  • For heavy, repeated read requests
  • Reduces database load
  • Requires code changes to implement (not a drop-in solution)
  • Access controlled via security groups

Use cases:

Use CaseDescription
Database query cachingCache frequently accessed query results
Session storageStore user sessions in distributed web apps
API response cachingCache common API responses
LeaderboardsReal-time scoring with Redis sorted sets

Redis vs Memcached:

RedisMemcached
PersistenceYesNo
ReplicationYes (multi-AZ)No
Data structuresRich (lists, sets, hashes, sorted sets)Simple key-value
Pub/SubYesNo
Use caseSession store, leaderboards, complex dataSimple caching

Exam tip: ElastiCache requires code changes. If the exam says “no code changes required” → ElastiCache is NOT the answer.

Module 15 Summary and Exam Tips

Four questions to ask:

  1. Can the content be cached? What type of cache is needed?
  2. Application caching or network caching?
  3. How is content updated/retrieved? Static IPs needed?
  4. Any security requirements? (WAF, Shield, OAC)
ServiceWhen to Use
CloudFrontCache HTTP/HTTPS content globally; reduce latency
Global AcceleratorTCP/UDP; static IPs; multi-region failover
ElastiCacheApplication-level caching; reduce DB load

CloudFront key exam points:

  • OAC/OAI for S3 origin security
  • ACM certs must be in us-east-1 for CloudFront
  • Geo-restrictions, WAF, Shield integration
  • CloudFront Functions (lightweight JS) vs Lambda@Edge (complex logic, all phases)

Module 16 – Miscellaneous Services

Amazon Pinpoint

Amazon Pinpoint enables customer engagement through multiple messaging channels.

Primary audiences:

  • Marketing teams
  • Business users sending targeted communications

Messaging channels:

  • Email
  • SMS (send and receive)
  • Push notifications
  • Voice messages
  • In-app messaging

Exam indicators:

  • Marketing campaigns
  • User engagement tracking
  • Sending emails to targeted audiences
  • SMS with reply tracking
graph LR
    App[Your Application] --> PP[Amazon Pinpoint]
    PP --> Email[Email campaigns]
    PP --> SMS[SMS with replies]
    PP --> Push[Mobile push notifications]
    PP --> S3[Store responses\nin S3]

AWS Amplify

AWS Amplify provides tools and libraries for front-end web and mobile developers to build full-stack applications.

What Amplify provides:

  • Plug-and-play front-end libraries and UI components
  • Back-end building services (no infrastructure management)
  • Front-end hosting
  • Built-in authentication and authorization

Amplify Hosting:

  • Git-based workflow for continuous deployment
  • Supports: React, Angular, Vue, Next.js, Gatsby, Hugo, and more
  • Supports server-side rendering (SSR) – not possible with S3 static hosting

Exam tip: Simplified full-stack development for less-experienced teams, especially when server-side rendering is needed → AWS Amplify.

Supported frameworks:

  • Next.js (SSR)
  • Nuxt.js
  • SvelteKit
  • React
  • Vue
  • Angular

AWS Device Farm

AWS Device Farm is a service for testing Android, iOS, and web applications on real devices hosted by AWS.

Two testing methods:

MethodDescription
AutomatedUpload test scripts; run parallel tests on multiple devices
Remote AccessRemotely access real devices via browser; swipe, gesture, interact manually

Exam indicators:

  • App testing on mobile devices in AWS
  • Automated testing requiring actual phones/tablets
  • Testing Android, iOS, or mobile web browsers

AWS Wavelength

AWS Wavelength deploys compute and storage to the edge of 5G cellular carrier networks for ultra-low latency to mobile devices.

How it works:

  • Extends VPCs into Wavelength Zones (carrier-specific edge zones)
  • Deploys standard EC2, ECS, etc. at carrier edge
  • Examples: Verizon, Vodafone

Exam indicators:

  • 5G networking requirements
  • Ultra-low latency to mobile/edge devices
  • Cellular carrier-specific deployments

Do not confuse with: Local Zones (which are for data sovereignty/regulatory requirements or proximity to specific cities).

Amazon AppFlow

Amazon AppFlow provides fully managed integration for securely exchanging data between SaaS applications and AWS services.

Key characteristics:

  • No-code/low-code data integration
  • Supports most common SaaS providers
  • Schedule, event-based, or on-demand triggers

Supported sources:

  • Salesforce
  • Zendesk
  • ServiceNow
  • SAP
  • Google Analytics
  • Many more

Supported destinations:

  • Amazon S3
  • Amazon Redshift
  • Other SaaS services

Trigger options:

  • Scheduled (recurring)
  • Event-based (EventBridge)
  • On-demand (one-time)
graph LR
    Salesforce[Salesforce] --> AF[Amazon AppFlow]
    Zendesk[Zendesk] --> AF
    ServiceNow[ServiceNow] --> AF
    AF --> S3[Amazon S3]
    AF --> RS[Amazon Redshift]
    AF --> Other[Other SaaS]

Amazon Simple Email Service (SES)

Amazon SES is a cost-effective email platform for sending and receiving emails at scale.

Key features:

  • Use your own email addresses and domains
  • DKIM support (key exam indicator for email)
  • Send from: EC2, on-premises VMs, ECS containers, Lambda functions (via API call)
  • Statistics: bounces, complaints, successful deliveries

Exam indicators:

  • Email delivery at scale
  • DKIM requirements
  • Reducing complex email delivery issues with minimal operational overhead

SES vs Pinpoint for email: If you see “targeted audiences” or “marketing campaigns” → Pinpoint. If you see “email delivery infrastructure” or “DKIM” → SES.

Module 16 Summary and Exam Tips

ServiceKey Indicators
PinpointMarketing campaigns, user engagement tracking, targeted audiences, SMS replies
AmplifyFull-stack serverless web apps, server-side rendering, continuous deployment
Device FarmMobile app testing on real devices hosted by AWS
Wavelength5G cellular network edge computing
AppFlowSaaS ↔ AWS data transfer (Salesforce, Zendesk, ServiceNow)
SESLarge-scale email sending/receiving, DKIM support

Quick Reference: Service Decision Trees

Load Balancer Selection

graph TD
    Need[Load Balancer Needed?] --> Layer7{HTTP/HTTPS\nrequired?}
    Layer7 -->|Yes| ALB[Application Load Balancer\nLayer 7]
    Layer7 -->|No| Static{Static IP\nor high performance?}
    Static -->|Static IP needed| NLB[Network Load Balancer\nLayer 4]
    Static -->|Security appliance| GWLB[Gateway Load Balancer\nLayer 3 / GENEVE]

Decoupling Pattern Selection

graph TD
    Decouple[Need to Decouple?] --> RT{Real-time\nstreaming?}
    RT -->|Yes| Kinesis[Amazon Kinesis\nData Streams]
    RT -->|No| Push{Push or Pull\nbased?}
    Push -->|Push| SNS[Amazon SNS]
    Push -->|Pull| FIFO{Order/No\nduplicates?}
    FIFO -->|Yes| SQSF[SQS FIFO Queue]
    FIFO -->|No| SQSS[SQS Standard Queue]
    Push -->|Apache Kafka| MSK[Amazon MSK]
    Push -->|ActiveMQ/RabbitMQ| MQ[Amazon MQ]

Compute Service Selection

graph TD
    Compute[Choose Compute Service] --> Duration{Execution\ntime < 15 min?}
    Duration -->|Yes| Servers{Need servers?}
    Duration -->|No| Batch[AWS Batch]
    Servers -->|No| Lambda[AWS Lambda]
    Servers -->|Yes| Container{Container\nworkload?}
    Container -->|Yes| Kubernetes{Kubernetes\nrequired?}
    Container -->|No| BeanOrEC2{Full managed\nPaaS?}
    Kubernetes -->|Yes| EKS[Amazon EKS]
    Kubernetes -->|No| ECS[Amazon ECS]
    BeanOrEC2 -->|Yes| Beanstalk[Elastic Beanstalk]
    BeanOrEC2 -->|No| EC2[Amazon EC2]

Caching Selection

graph TD
    Cache[Caching Needed?] --> Type{Application\nor Network?}
    Type -->|Application| ElastiCache[Amazon ElastiCache\nRedis/Memcached]
    Type -->|Network| Protocol{TCP/UDP\nor HTTP?}
    Protocol -->|HTTP/HTTPS| CloudFront[Amazon CloudFront]
    Protocol -->|TCP/UDP| GA[AWS Global Accelerator]

Search Terms

aws · certified · architect · associate · saa-c03 · scaling · decoupling · architectures · core · services · amazon · web · exam · load · elastic · lambda · gateway · service · api · auto · cloudformation · sqs · cloudfront · data

Interested in this course?

Contact us to book it or get a custom training plan for your team.