What's New & Updated in This Guide
Review Applied — June 2026
🆕 Topics Added (Total: 20+)
From previous reviews: Auto Scaling Lifecycle Hooks · ECS Network Modes · ECS Task Placement · EBS Multi-Attach · S3 Access Points · S3 VPC Endpoints · S3 Event Notifications · S3 Object Lambda · CloudFront OAC · DLM · Lambda Runtime EOL · Cost Allocation Tags · S3 Glacier Vault Lock · API Gateway + Lambda
From this review: AWS Artifact · AWS CAF (6 Perspectives) · DynamoDB Global Tables · AWS SDK · AWS Credits Billing Order
⚠️ Corrected Content
Developer Support: Still active — corrected from "discontinued" to "scheduled EOL Jan 2027." Existing customers still have it; new subscriptions blocked Dec 2025. Legacy table now added.
CloudFront OAI: Flagged as deprecated — OAC is the standard
Lambda Node.js: Sample in document used old Node.js — Node 16/18 are EOL; Node 24 is current (Nov 2025)
io2 volumes: All io2 are now Block Express (April 2025) with NVMe fencing
❌ Outdated Patterns to Know
CloudWatch Events rules for lifecycle hooks → now EventBridge
OAI (Origin Access Identity) → deprecated, use OAC
Node.js runtime in examples → upgrade to Node 22/24
io1 Multi-Attach regional limit → io2 now global
✅ Verified Still Accurate
ECS 4 networking modes · ECS placement strategies · S3 VPC gateway endpoint · S3 Event destinations (SNS/SQS/Lambda) · Glacier Vault Lock 2-step process · DLM policy structure · API Gateway integration types (AWS vs AWS_PROXY) · EBS Multi-Attach limits (16 instances, same AZ, io1/io2 only)
Domain 1 — Cloud Concepts
Benefits of cloud, AWS global infrastructure, Well-Architected Framework, design principles
24% of Exam
Well-Architected Framework — 6 Pillars
PILLAR 01
Operational Excellence
Run and monitor systems to deliver business value; continuously improve processes and procedures. Focus on automation and reversible changes.
CloudFormation · CloudWatch · Systems Manager · X-Ray
PILLAR 02
Security
Protect data, systems, and assets. Implement least privilege, enable traceability, and apply security at all layers.
IAM · KMS · Shield · WAF · GuardDuty · CloudTrail
PILLAR 03
Reliability
Recover from failures, dynamically acquire resources to meet demand, and mitigate misconfigurations or transient issues.
Multi-AZ · Auto Scaling · Route 53 · Backups · CloudWatch
PILLAR 04
Performance Efficiency
Use computing resources efficiently to meet requirements; maintain efficiency as demand changes and technologies evolve.
Lambda · CloudFront · Auto Scaling · ElastiCache
PILLAR 05
Cost Optimization
Avoid unnecessary costs. Match supply with demand, use managed services, and select the right pricing model.
Cost Explorer · Trusted Advisor · Spot Instances · Savings Plans
PILLAR 06
Sustainability
Minimise the environmental impact of running cloud workloads by maximising resource utilisation and adopting efficient hardware.
EC2 Auto Scaling · Serverless · Managed Services
🆕 New at re:Invent 2025 — Well-Architected Lenses for AI
The six core pillars are unchanged, but AWS added a Responsible AI Lens (brand new) plus updated Machine Learning Lens and Generative AI Lens. These sit on top of the six pillars and provide specific guidance for AI workloads, covering governance, bias mitigation, RAG architecture, and agentic AI design. Exam tip: know the 6 pillars cold; understand that lenses are domain-specific overlays, not replacements for the pillars.
📐 Design Principles (Cloud Architecture Best Practices)
Scale Horizontally
Add more instances (out) vs bigger instances (up). Horizontal preferred for resilience.
Loose Coupling
Reduce interdependencies. Use SQS, SNS, EventBridge to decouple components.
Services, Not Servers
Use managed services (RDS, Lambda) instead of managing EC2 for every workload.
Design for Failure
Assume everything fails. Multi-AZ, backups, health checks, auto-recovery.
Infrastructure as Code
CloudFormation, CDK. Reusable, testable, version-controlled infrastructure.
Game Days
Regularly simulate failures. AWS Fault Injection Simulator (FIS) is the key service.
AWS Cloud Adoption Framework (AWS CAF)
AWS CAF — 6 Perspectives
AWS CAF uses AWS experience and best practices to help organisations digitally transform and accelerate business outcomes. It groups capabilities into six perspectives. Each perspective addresses a different aspect of cloud adoption.
💼 Business
Ensures IT aligns with business needs. Cloud investments link to business outcomes. Key stakeholders: CEO, CFO, COO, CIO, CTO.
👥 People
Organisational change management. Ensures staff have skills, culture, and structure for cloud. Key stakeholders: CIO, COO, CTO, HR.
⚖️ Governance
Orchestrates cloud initiatives, maximises benefits, minimises risks. Key stakeholders: CIO, CFO, CTO, CDO, CRO, Chief Transformation Officer.
🏗️ Platform
Accelerates delivery of cloud workloads. Build scalable hybrid cloud platform. Key stakeholders: CTO, architects, engineers.
🔐 Security
Achieves CIA (Confidentiality, Integrity, Availability) of data and workloads. Key stakeholders: CISO, security architects, internal audit.
⚙️ Operations
Ensures cloud services are delivered at the level agreed with business stakeholders. Key stakeholders: infrastructure leaders, SREs, IT service managers.
💡 Exam Tips — AWS CAF
Memorise the 6 CAF perspectives: B-P-G-P-S-O (Business, People, Governance, Platform, Security, Operations). CAF is about cloud readiness and transformation, not architecture design (that's the Well-Architected Framework). "Organise teams around products and value streams + use agile methods" = aligns with CAF's Business and People perspectives for becoming customer-responsive. CAF ≠ Well-Architected Framework: CAF is a migration/transformation readiness framework; WAF is a design/build framework.
AWS Global Infrastructure Updated 2026
⚠️ Updated Figures — June 2026
Current infrastructure: 37 Regions, 121 Availability Zones (as of June 2026). New regions recently added include Mexico (Central), Asia Pacific (Thailand), Asia Pacific (Malaysia). A Chile Region (3 AZs) and a new Maryland AZ for us-east-1 are both planned for late 2026. Numbers change often — always verify at aws.amazon.com/about-aws/global-infrastructure.
🆕 AZ mapping change (Nov 2025): For accounts created from November 2025 onwards, AWS now maps AZ codes to the same physical location across all accounts (e.g. us-east-1a is the same physical AZ for everyone). Older accounts still have independently mapped AZ codes.
Largest Scope
AWS Region
e.g. us-east-1, ap-southeast-1 (Singapore) · 37 Regions worldwide · Minimum 3 AZs per Region · Data stays in-Region unless you configure otherwise
Within Region
Availability Zone (AZ)
1+ discrete data centres · 121 total AZs (June 2026) · e.g. us-east-1a, us-east-1b · Physically separated by meaningful distance · Connected by low-latency redundant fibre
Edge Caching
Edge Locations / Points of Presence
400+ PoPs worldwide · Used by CloudFront (CDN) and Route 53 (DNS) · NOT the same as AZs · More PoPs than Regions
Ultra-Low Latency
Local Zones
AWS infra closer to major cities. Ultra-low latency for specific populations.
5G / Mobile
Wavelength Zones
AWS compute inside telecom 5G networks. <10ms latency for mobile apps.
On-Premises
AWS Outposts
AWS rack in your own datacenter. Same APIs, same tools. Hybrid cloud.
Domain 2 — Security & Compliance
Shared responsibility, IAM, encryption, threat detection, compliance tools
30% of Exam
Shared Responsibility Model
AWS Responsibility
Security "OF" the Cloud
Physical data centres, hardware, networking
Hypervisor and host OS
Global infrastructure (Regions, AZs, Edge)
Managed service infrastructure (RDS engine patching, S3 durability)
Physical and environmental controls
Customer Responsibility
Security "IN" the Cloud
IAM users, roles, policies — who has access
Data encryption (at rest and in transit)
Guest OS patching on EC2 instances
Network config — Security Groups, NACLs
Application-level security and code
Client-side and server-side encryption
💡 Exam Tip — Most tested concept in Domain 2
The more managed a service is, the more AWS takes on. EC2 = you patch the OS. RDS = AWS patches the database engine. Lambda = AWS manages everything under your code. For abstract services (S3, DynamoDB), customer only manages data and permissions.
IAM (Identity and Access Management)
Core Concepts
Users — Individual identities. Never use root for daily work.
Groups — Collections of users sharing permissions
Roles — Temporary permissions for services (EC2, Lambda accessing S3)
Policies — JSON documents defining Allow/Deny. Attached to users, groups, or roles.
Least Privilege — Grant only the minimum permissions needed
MFA — Strongly recommended on root + all admin users
💡 Exam Tips
IAM is GLOBAL (not region-specific). Root account = never use for daily tasks. Services use Roles, not users. Policies can be inline (attached to one entity) or managed (reusable). SCPs (in AWS Organizations) override IAM policies.
AWS Organizations
Key Concepts
Management Account — Root account that owns the org. Creates and manages all member accounts.
OUs (Org Units) — Folder-like groups of accounts with shared policies
SCPs — Service Control Policies. Guardrails restricting what member accounts can do. Override IAM.
Consolidated Billing — Single bill for all accounts. Volume discounts across the org.
💡 Exam Tips
SCPs are the highest-level guardrail — even an admin with full IAM permissions can be blocked by an SCP. Use to prevent: leaving the org, using specific services, or deploying to wrong regions.
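To make the "SCP overrides IAM" rule concrete, here is an added example (not code from this guide) that models the evaluation order in Python: an explicit Deny anywhere wins, then the SCP must allow, then the identity policy must allow. The admin policy, read-only policy and region-guardrail SCP are constructed for illustration; resource policies and permission boundaries are not modelled.

```python
# Added example (not from this guide): a simplified model of the AWS policy
# evaluation order for a request inside an Organization. Modelled here:
#   1. an explicit Deny in the SCP or the identity policy always wins,
#   2. the SCP must Allow (the guardrail),
#   3. the identity (IAM) policy must Allow.
# Only Effect/Action/Resource and the StringEquals / StringNotEquals
# condition operators are implemented; resource policies, permission
# boundaries and session policies are out of scope. All policies below are
# constructed for illustration.
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            matched = actual is not None and actual in _as_list(expected)
            if operator == "StringEquals" and not matched:
                return False
            # StringNotEquals on a missing key evaluates to true, as in AWS;
            # that is why real region SCPs exempt global services such as IAM.
            if operator == "StringNotEquals" and matched:
                return False
    return True


def _statement_applies(statement, action, resource, context):
    if not any(fnmatchcase(action, p) for p in _as_list(statement["Action"])):
        return False
    if not any(fnmatchcase(resource, p)
               for p in _as_list(statement.get("Resource", "*"))):
        return False
    return _condition_holds(statement.get("Condition", {}), context)


def evaluate_policy(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'Implicit' for a single policy document."""
    decision = "Implicit"
    for statement in policy["Statement"]:
        if not _statement_applies(statement, action, resource, context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"            # explicit deny: stop immediately
        decision = "Allow"
    return decision


def is_allowed(identity_policy, scp, action, resource, context):
    """Final decision for one request: SCP guardrail AND identity policy."""
    scp_result = evaluate_policy(scp, action, resource, context)
    iam_result = evaluate_policy(identity_policy, action, resource, context)
    if "Deny" in (scp_result, iam_result):
        return False
    return scp_result == "Allow" and iam_result == "Allow"


# Constructed policies for the demonstration.
ADMIN_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

READONLY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"],
     "Resource": "*"}]}

# Region guardrail SCP: full access, plus a Deny for any request whose
# aws:RequestedRegion is outside the approved list.
REGION_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {
         "aws:RequestedRegion": ["eu-west-1", "eu-west-2"]}}}]}


def demo():
    """An admin with Action '*' is still blocked outside the approved regions."""
    run = "ec2:RunInstances"
    return {
        "admin_us_east_1": is_allowed(ADMIN_POLICY, REGION_SCP, run, "*",
                                      {"aws:RequestedRegion": "us-east-1"}),
        "admin_eu_west_1": is_allowed(ADMIN_POLICY, REGION_SCP, run, "*",
                                      {"aws:RequestedRegion": "eu-west-1"}),
        "readonly_run_eu": is_allowed(READONLY_POLICY, REGION_SCP, run, "*",
                                      {"aws:RequestedRegion": "eu-west-1"}),
        "readonly_describe_eu": is_allowed(READONLY_POLICY, REGION_SCP,
                                           "ec2:DescribeInstances", "*",
                                           {"aws:RequestedRegion": "eu-west-1"}),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
```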
AWS KMS and CloudHSM
Key Concepts
FIPS 140-2 validated hardware security modules
Integrates with S3, EBS, RDS, DynamoDB, Lambda, Secrets Manager
All key usage logged in CloudTrail
CloudHSM — Dedicated single-tenant HSM hardware for highest compliance needs. You manage the keys.
💡 Exam Tips
KMS = AWS-managed key service, multi-tenant. CloudHSM = dedicated physical hardware, you control everything. "Manage encryption keys" → KMS. "Dedicated hardware + full key control" → CloudHSM.
AWS CloudTrail
Key Concepts
Logs all API calls: Console clicks, CLI, SDK, automated services
90-day event history by default; create a Trail for longer retention in S3
Critical for: "Who deleted that resource?", "Who changed this policy?"
Can stream to CloudWatch Logs for real-time alerting
💡 Exam Tips
CloudTrail = WHO did WHAT (audit trail). CloudWatch = performance metrics and logs. This pair is the most commonly confused on the exam. CloudTrail answers governance questions; CloudWatch answers operational questions.
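The two audit questions above ("who deleted that resource?" and root-account use) are exactly what a few lines over CloudTrail records answer. This is an added example, not code from this guide; the three records are constructed, trimmed samples in CloudTrail's record layout (account id, IPs and names are placeholders), not real logs.

```python
# Added example (not from this guide): answering "who deleted that resource?"
# and "is anyone using root?" from CloudTrail records. The records below are
# constructed, trimmed samples (placeholder account id, IPs and names).
import json

SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    {"eventTime": "2026-06-01T09:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "finance-reports"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
    {"eventTime": "2026-06-01T09:15:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "readOnly": False,
     "userIdentity": {"type": "Root",
                      "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "console.amazonaws.com"},
    {"eventTime": "2026-06-01T10:01:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc"},
     "requestParameters": None,
     "sourceIPAddress": "10.0.1.5", "userAgent": "Boto3/1.34.0"},
]})


def load_records(trail_file_text):
    """Parse one CloudTrail log file body of the form {"Records": [...]}."""
    return json.loads(trail_file_text)["Records"]


def actor(event):
    """Human-readable principal: user name, or the ARN for roles and root."""
    identity = event.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn", "unknown")


def who_did(events, event_name, **params):
    """Events matching an API call name and (optionally) request parameters.

    who_did(records, "DeleteBucket", bucketName="finance-reports") answers
    "who deleted that bucket, from where, and when?".
    """
    hits = []
    for ev in events:
        if ev.get("eventName") != event_name:
            continue
        request = ev.get("requestParameters") or {}
        if all(request.get(k) == v for k, v in params.items()):
            hits.append((ev["eventTime"], actor(ev), ev.get("sourceIPAddress")))
    return hits


def root_usage(events):
    """Any API call made with the root user; this list should normally be empty."""
    return [(ev["eventTime"], ev["eventName"], ev.get("sourceIPAddress"))
            for ev in events
            if ev.get("userIdentity", {}).get("type") == "Root"]


def mutating_events(events):
    """Drop read-only calls (Describe*/Get*/List*) to see what actually changed."""
    return [ev["eventName"] for ev in events if not ev.get("readOnly", False)]


if __name__ == "__main__":
    records = load_records(SAMPLE_TRAIL_FILE)
    print("DeleteBucket:", who_did(records, "DeleteBucket", bucketName="finance-reports"))
    print("Root activity:", root_usage(records))
    print("Changes:", mutating_events(records))
```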
AWS Shield
Two Tiers
Shield Standard — Free, automatic for all AWS customers. Protects against common Layer 3/4 attacks.
Shield Advanced — Paid (~$3,000/mo). Enhanced protection for EC2, ELB, CloudFront, Route 53. 24/7 DDoS Response Team (DRT) access. Financial protection against DDoS scaling costs.
💡 Exam Tips
Shield = DDoS (Layer 3/4 volumetric attacks). WAF = application-layer attacks (SQL injection, XSS — Layer 7). They work together: Shield stops the flood, WAF filters bad HTTP requests.
AWS WAF
Key Concepts
Blocks SQL injection, XSS, bad bots, known malicious IPs
Works with CloudFront, ALB, API Gateway, AppSync
AWS Managed Rules: pre-built OWASP Top 10 and bot protection
Custom rules based on IP, headers, body, URI path
💡 Exam Tips
WAF = Layer 7 (HTTP/HTTPS) attack protection. Shield = Layer 3/4 (volumetric flood). Security Groups = Layer 4 (port/IP rules). These are three different layers of defence — often tested together.
Amazon GuardDuty
Key Concepts
Analyses CloudTrail logs, VPC Flow Logs, DNS logs — no agents to install
Detects: compromised EC2, unusual API calls, crypto-mining, recon activity
Generates findings; can auto-trigger Lambda for remediation
DETECTS threats — does not prevent them
💡 Exam Tips
GuardDuty = passive threat detection using ML. One-click enable, no infrastructure. Inspector = vulnerability scanning of your EC2/containers. Macie = sensitive data discovery in S3. These three are "detective" services — they find problems, not block them.
Amazon Inspector
Key Concepts
Continuously scans for CVEs in OS packages and application libraries
Covers EC2 instances, ECR container images, and Lambda functions
Severity scores + remediation guidance in findings
💡 Exam Tips
"Scan workloads for known vulnerabilities (CVEs)" = Inspector. "Detect suspicious behaviour at runtime" = GuardDuty. "Find sensitive data in S3" = Macie. All three are detection/scanning tools but serve distinct purposes.
Amazon Macie
Key Concepts
Detects PII, financial data, credentials, API keys in S3 objects
Alerts on: public buckets, unencrypted data, unusual access patterns
💡 Exam Tips
"Find PII or sensitive data in S3" = Macie. S3 is the only storage service Macie scans. It uses ML — you don't write any rules.
AWS Secrets Manager
Key Concepts
Automatic rotation — Rotates RDS passwords and API keys on a schedule without code changes
vs SSM Parameter Store — Parameter Store: simpler, cheaper, good for config. Secrets Manager: rotation built in, designed for secrets lifecycle.
💡 Exam Tips
"Automatically rotate database credentials" = Secrets Manager. "Store config values and simple secrets cheaply" = SSM Parameter Store. The rotation capability is the key differentiator.
AWS Config
Key Concepts
Records full configuration history of every AWS resource
Config Rules — Define the desired state; alerts when resources drift (e.g. "S3 must not be public")
CloudTrail = who did it; Config = what changed on the resource
💡 Exam Tips
"Detect when a resource is non-compliant" or "track resource configuration changes over time" = AWS Config. Not CloudTrail (which tracks API calls/user actions).
AWS Security Hub
Key Concepts
Aggregates findings from GuardDuty, Inspector, Macie, Config, and third-party tools
Runs automated CIS, PCI-DSS, AWS best practice compliance checks
Single pane of glass — does not detect threats itself; aggregates from others
💡 Exam Tips
Security Hub = centralise + prioritise findings from multiple security services. If the question says "single view of all security findings" — Security Hub.
AWS Artifact
What It Does
A no-cost, self-service portal that gives you on-demand access to AWS security and compliance reports plus select agreements. It is not a service you build on — it is a documentation portal for compliance evidence.
Reports Available
SOC 1, 2, 3 — System and Organisation Controls reports (188 services as of Spring 2026). SOC 1 issued quarterly; SOC 2/3 twice per year.
PCI DSS — Payment Card Industry reports
ISO certifications — ISO 27001, 27017, 27018, 9001
FedRAMP, HIPAA, GDPR — Compliance programme documentation
OSCAL format (new 2026) — SOC 1 & 2 reports now available in machine-readable JSON (NIST OSCAL) for compliance automation pipelines.
Agreements Available
BAA (Business Associate Addendum) — Required for HIPAA-compliant workloads handling PHI
NDA (Non-Disclosure Agreement)
🆕 New Feature: Historical Report Versions (Dec 2025)
AWS Artifact now lets you access previous versions of compliance reports (SOC, ISO, C5) directly — no longer requires contacting AWS Support. Requires the artifact:ListReportVersions IAM permission. Useful for audits that require multi-year historical evidence.
💡 Exam Tips
AWS Artifact = compliance report downloads + agreements (BAA/NDA). It is free and self-service. "Where do you get AWS SOC or PCI compliance reports?" = AWS Artifact. "HIPAA compliance BAA" = also found in AWS Artifact. Commonly confused with Trusted Advisor (best practice recommendations) and AWS Config (resource compliance) — those are different services.
Domain 3 — Cloud Technology & Services
Compute, storage, databases, networking, AI/ML, migration, integration
34% of Exam
Amazon EC2
Pricing Models (must memorise)
On-Demand — Pay by second/hour. No commitment. Best for unpredictable workloads.
Reserved — 1 or 3-year commitment. Up to 72% savings. Best for steady, predictable workloads.
Spot — Up to 90% discount. AWS can reclaim with 2-min warning. Best for fault-tolerant, stateless jobs.
Dedicated Host — Physical server for you alone. For licensing compliance (Oracle, SQL Server).
Savings Plans — Commit to $/hr spend for 1-3 years. Applies to EC2 + Lambda + Fargate. More flexible than RIs.
Key Concepts
AMI — Amazon Machine Image. The template/OS used to launch an instance.
Security Groups — Stateful firewall. Allow rules only. Instance-level.
Instance types — t3/m5 (General), c5 (Compute), r5 (Memory), i3 (Storage), p3 (GPU)
💡 Exam Tips
Know all 5 pricing options cold. Spot = cheapest + interruptible. Reserved = best long-term discount. Dedicated Host = compliance/licensing. Savings Plans = most flexible commitment-based pricing.
AWS Lambda
Key Concepts
No servers to provision. AWS manages all infrastructure.
Triggers — API Gateway, S3, DynamoDB, SNS, SQS, EventBridge, CloudWatch
Pricing — Per request + per GB-second of execution. 1M free requests/month always-free tier.
Max timeout — 15 minutes per execution
Runtimes: Python, Node.js, Java, Go, .NET, Ruby, custom (container image)
💡 Exam Tips
Lambda = serverless + event-driven + pay-per-use. "No servers to manage" + "runs when triggered" = Lambda. Ideal for APIs, file processing, scheduled tasks, event-driven pipelines.
Auto Scaling
Key Concepts
Horizontal scaling — Add/remove instances (scale OUT/IN). Different from vertical (bigger instance).
Min / Desired / Max — Defines the bounds and target size of the group
Pairs with ELB to distribute traffic across healthy instances
Elasticity = the cloud advantage. Scale UP and DOWN automatically.
💡 Exam Tips
Auto Scaling + ELB = the classic HA/elasticity pair. Auto Scaling ensures right-sized capacity; ELB distributes traffic. Together they handle both performance and fault tolerance.
Containers — ECS, EKS, Fargate
Service Comparison
ECS — AWS-native container orchestration. Run with EC2 (you manage servers) or Fargate (serverless).
EKS — Managed Kubernetes. Bring your own K8s workloads. More complex, industry-standard.
Fargate — Serverless compute engine for containers. No EC2 to provision. Works with both ECS and EKS.
💡 Exam Tips
Fargate = serverless containers (no EC2 management). ECS = AWS-native container service. EKS = Kubernetes. "No EC2 + containers" = Fargate. "Kubernetes on AWS" = EKS.
Amazon S3
Storage Classes (cost: high → low)
S3 Standard — Frequent access. Low latency.
S3 Standard-IA — Infrequent access. Lower storage cost + retrieval fee.
S3 One Zone-IA — Single AZ. Cheapest IA. For non-critical, re-creatable data.
Intelligent-Tiering — Auto-moves data between tiers based on access patterns.
Glacier Instant — Archive with millisecond retrieval.
Glacier Flexible — Archive. Retrieval in minutes to hours.
Glacier Deep Archive — Cheapest. Retrieval 12+ hours. Long-term compliance archives.
💡 Exam Tips
S3 is OBJECT storage (not block/file). Buckets are region-specific; service is global. Glacier = long-term archive/compliance. Object size: up to 5TB. "Static website hosting" = S3. Know all 7 storage classes and when to use each.
Amazon EBS
Key Concepts
Like a hard drive — attached to ONE EC2 instance in ONE AZ
Data persists when instance is stopped (unlike Instance Store)
Snapshots — Point-in-time backups stored in S3. Can copy across regions.
Types — gp3 (general SSD), io2 (high IOPS), st1 (throughput HDD), sc1 (cold HDD)
💡 Exam Tips
EBS = ONE EC2 + ONE AZ. EFS = MULTIPLE EC2s across MULTIPLE AZs. S3 = any client anywhere. Instance Store = fast but ephemeral (data lost on stop/terminate).
Amazon EFS
Key Concepts
NFS-based. Multiple EC2 instances mount the same filesystem simultaneously.
Multi-AZ access. Auto-scales as files are added/removed.
Linux only (POSIX). ~3× more expensive than EBS per GB.
💡 Exam Tips
"Multiple EC2 instances share the same filesystem" = EFS. Windows file shares use FSx for Windows File Server instead.
AWS Snow Family
Devices
Snowcone — Smallest (8–14TB). Portable, rugged. Edge computing + data collection.
Snowball Edge — 80–210TB. Most common. Storage or Compute optimised.
Snowmobile — Exabyte scale (100PB per truck). Literal shipping container on a semi-truck.
💡 Exam Tips
Rule: if migration over internet would take more than ~1 week → use Snowball. Snowmobile = moving an entire datacenter worth of data. All devices are encrypted end-to-end.
Amazon RDS
Key Concepts
Multi-AZ — Standby in another AZ. Automatic failover. → HIGH AVAILABILITY
Read Replicas — Read-only copies to scale reads. Up to 5. Can promote to standalone. → PERFORMANCE
Automated backups — Point-in-time recovery up to 35 days.
AWS manages: patching, backups, hardware. You manage: schema, queries, access.
💡 Exam Tips
Multi-AZ = HA + automatic failover (synchronous replication). Read Replicas = read performance scaling (asynchronous replication). These are NOT the same — it's the most common RDS confusion on the exam.
Amazon Aurora
Key Concepts
MySQL and PostgreSQL compatible. AWS's own cloud-native database engine.
Auto-replicates 6 copies across 3 AZs. Storage scales 10GB → 128TB automatically.
Aurora Serverless — Auto-scales to zero when idle. Pay per second. Great for variable workloads.
Up to 15 read replicas (vs 5 for standard RDS).
💡 Exam Tips
Aurora = the premium, highest-performance RDS option. Aurora Serverless = scales to zero (pay only when active). Best for: unpredictable workloads, dev/test environments, and infrequently used databases.
Amazon DynamoDB
Key Concepts
Fully managed, serverless NoSQL. No schema. Handles millions of req/sec.
DAX (DynamoDB Accelerator) — In-memory cache for DynamoDB. Microsecond latency.
Global Tables — Multi-region, active-active replication for global low-latency access.
Key-value and document data model.
💡 Exam Tips
DynamoDB = NoSQL, serverless, millisecond latency, massive scale. RDS = relational SQL. "Key-value", "no SQL", "serverless database", "millisecond at any scale" → DynamoDB.
Amazon ElastiCache
Redis vs Memcached
Redis — Persistence, pub/sub, sorted sets, multi-AZ, richer data types. Better for complex use cases.
Memcached — Simple, multi-threaded. Pure caching. No persistence.
💡 Exam Tips
"Reduce database read latency" or "cache frequently accessed data" or "session store" = ElastiCache. DynamoDB DAX is ElastiCache specifically for DynamoDB. ElastiCache works with RDS.
Amazon VPC
Key Components
Public Subnet — Has internet access via Internet Gateway (IGW)
Private Subnet — No direct internet. Uses NAT Gateway for outbound-only internet.
Security Groups — Stateful firewall. Instance-level. Allow rules only. Return traffic auto-allowed.
Network ACLs (NACLs) — Stateless firewall. Subnet-level. Allow AND deny rules. Must explicitly allow return traffic.
VPC Peering — Private connection between two VPCs. Same or different accounts/regions.
PrivateLink — Expose services privately without traversing the public internet.
💡 Exam Tips
Security Groups = STATEFUL + instance-level. NACLs = STATELESS + subnet-level. NAT Gateway allows private subnets → internet (not the reverse). Internet Gateway is required for public subnets. These distinctions are heavily tested.
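The stateful/stateless distinction is easiest to see in code. This added example (not from this guide) simulates both: a Security Group that tracks flows, so the HTTPS reply passes with only an inbound allow, and a Network ACL that judges every packet on its own, so the same reply is dropped until an outbound allow on the ephemeral port range is added. Addresses, ports and rules are constructed; a default SG's outbound allow-all rule is deliberately left out so that the stateful tracking is what lets the reply through.

```python
# Added example (not from this guide): a small simulator showing why a
# Security Group needs only an inbound allow for HTTPS, while a Network ACL
# also needs an outbound allow on the ephemeral port range for the reply.
# Addresses, ports and rules are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = towards the instance/subnet, "out" = away from it
    protocol: str    # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self):
        """The response packet of the same flow, travelling the other way."""
        return Packet("out" if self.direction == "in" else "in", self.protocol,
                      self.dst_ip, self.dst_port, self.src_ip, self.src_port)

    def flow_key(self):
        """Direction-independent 5-tuple used for connection tracking."""
        ends = sorted([(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)])
        return (self.protocol, *ends[0], *ends[1])


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str
    port_lo: int
    port_hi: int
    cidr: str            # remote range: source for "in", destination for "out"
    action: str = "allow"
    number: int = 0      # NACL rule number (lowest evaluated first); unused by SGs

    def matches(self, pkt):
        remote = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
        return (self.direction == pkt.direction and self.protocol == pkt.protocol
                and self.port_lo <= pkt.dst_port <= self.port_hi
                and ipaddress.ip_address(remote) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful, allow-only, instance-level: replies to allowed flows pass."""

    def __init__(self, rules):
        self.rules = rules
        self.tracked = set()

    def allows(self, pkt):
        if pkt.flow_key() in self.tracked:
            return True                  # return traffic of a tracked flow
        if any(r.matches(pkt) for r in self.rules):
            self.tracked.add(pkt.flow_key())
            return True
        return False


class NetworkAcl:
    """Stateless, subnet-level: each packet judged alone, rules by number."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "allow"   # first matching rule wins
        return False                             # implicit '*' deny


def demo():
    request = Packet("in", "tcp", "203.0.113.10", 51515, "10.0.1.5", 443)
    reply = request.reply()

    sg = SecurityGroup([Rule("in", "tcp", 443, 443, "0.0.0.0/0")])
    nacl_no_ephemeral = NetworkAcl([
        Rule("in", "tcp", 443, 443, "0.0.0.0/0", number=100)])
    nacl_with_ephemeral = NetworkAcl([
        Rule("in", "tcp", 443, 443, "0.0.0.0/0", number=100),
        Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", number=100)])
    return {
        "sg_request": sg.allows(request),
        "sg_reply": sg.allows(reply),                                   # stateful
        "nacl_request": nacl_no_ephemeral.allows(request),
        "nacl_reply_no_ephemeral": nacl_no_ephemeral.allows(reply),     # dropped
        "nacl_reply_with_ephemeral": nacl_with_ephemeral.allows(reply),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'ALLOW' if allowed else 'DENY'}")
```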
Amazon CloudFront
Key Concepts
Caches content at Edge Locations closest to the user. Reduces origin load + latency.
Origins — S3 buckets, EC2, ALB, custom HTTP servers
Integrates with WAF (security) and Shield Advanced (DDoS)
Signed URLs/Cookies for private content access control
💡 Exam Tips
CloudFront = CDN = cache at edge for fast global delivery. S3 Transfer Acceleration also uses edge locations but for fast UPLOADS to S3 (not caching downloads). Don't confuse them.
Amazon Route 53
Routing Policies
Simple — One resource, no health checks.
Weighted — Split traffic by % (A/B testing, gradual rollout).
Failover — Primary + secondary; automatic failover on health check failure.
Latency — Route to the AWS Region with lowest latency for the user.
Geolocation — Route based on user's country or continent.
💡 Exam Tips
Route 53 = DNS + health checks + global routing. Global service (not regional). Named after port 53 (DNS). Failover routing = disaster recovery DNS. Latency routing = performance optimisation.
Elastic Load Balancing (ELB)
Types
ALB (Application) — Layer 7. Routes on HTTP path, hostname, headers. Best for web apps and microservices.
NLB (Network) — Layer 4. Ultra-low latency. Static IP. Millions of req/sec. TCP/UDP workloads.
GLB (Gateway) — Routes traffic through third-party security appliances (firewalls, IDS).
💡 Exam Tips
ALB = HTTP/HTTPS content-based routing (Layer 7). NLB = TCP/UDP extreme performance (Layer 4). "Route based on URL path" = ALB. "Static IP + extreme throughput" = NLB.
AWS Direct Connect
Key Concepts
Physical dedicated connection. Bypasses public internet. 1 or 10 Gbps.
More consistent than VPN (no internet congestion/latency variation).
Takes weeks to provision (physical hardware installation).
Site-to-Site VPN — Faster to set up, cheaper, but over public internet. Encrypted.
💡 Exam Tips
Direct Connect = private line = consistent bandwidth, low latency, no internet. VPN = internet-based = cheaper, quick, variable. "Consistent bandwidth" or "reduce internet dependency" = Direct Connect.
Amazon SNS
Key Concepts
Publisher sends to a Topic → SNS fans out to all subscribers instantly
Subscribers: Email, SMS, Lambda, SQS, HTTP endpoints, mobile push
Fan-out pattern: one event → many systems notified simultaneously
💡 Exam Tips
SNS = PUSH, pub/sub, fan-out (1 → many). SQS = PULL, queue, buffer (1 → 1). Common pattern: SNS Topic → multiple SQS queues. SNS notifies immediately; SQS stores until polled.
Amazon SQS
Key Concepts
Standard Queue — At-least-once, best-effort ordering. Nearly unlimited throughput.
FIFO Queue — Exactly-once, strict ordering. Up to 3,000 msg/sec.
Visibility Timeout — Hides a message after receipt (prevents double-processing).
Dead Letter Queue — Catches messages that fail after N retries.
Messages retained up to 14 days.
💡 Exam Tips
"Decouple application components" = SQS (classic exam answer). FIFO = order matters + exactly-once. DLQ = debug failed messages. SQS buffers; producers and consumers can scale independently.
Amazon EventBridge
Key Concepts
The modern replacement for CloudWatch Events. Same underlying API. CloudWatch Events is now legacy — no new features being added.
Routes events from AWS services, custom apps, and SaaS partners (Zendesk, Datadog, Stripe)
EventBridge Scheduler — Replaced CloudWatch Events cron rules. Recommended for all scheduled tasks.
Event buses: default (AWS services), custom (your apps), partner (SaaS)
💡 Exam Tips
EventBridge = event routing + scheduling + SaaS integration. "React to changes in AWS resources" = EventBridge. CloudWatch Events is now considered legacy — any new content or questions should reference EventBridge instead.
Amazon Rekognition
Capabilities
Face detection, comparison, and search in photos and video
Object, scene, and activity detection
Text in images (OCR) and content moderation
💡 Exam Tips
Rekognition = image and video AI. No ML expertise needed. "Detect faces in uploaded photos" or "moderate user content" = Rekognition.
AI Services — Transcribe, Polly, Translate, Comprehend, Lex, Textract
Service Quick Map (must memorise)
Transcribe — Speech → Text (audio/video files to text transcripts)
Polly — Text → Speech (converts text into realistic audio)
Translate — Language → Language (machine translation, like Google Translate)
Comprehend — Text → Insights (sentiment, entities, key phrases, language detection)
Lex — Build conversational chatbots (same tech as Alexa — speech + text)
Textract — Extract text, tables, and forms from scanned documents (beyond basic OCR)
💡 Exam Tips
Memorise this mapping. Common exam patterns: "audio file to text" = Transcribe, "text to lifelike speech" = Polly, "analyse sentiment in customer reviews" = Comprehend, "chatbot for customer service" = Lex, "read data from a scanned form" = Textract.
Amazon SageMaker
Key Concepts
Full ML lifecycle: data prep → labelling → training → tuning → deployment → monitoring
You build the model. You need ML expertise.
AI services (Rekognition, Comprehend, etc.) = pre-built, no expertise needed.
💡 Exam Tips
SageMaker = custom ML model development. AI services = call an API, get results, no training needed. "Build and train our own model" = SageMaker. "Use ML without writing any ML code" = AI services.
Amazon Bedrock
Key Concepts
Access to foundation models from Anthropic (Claude), Stability AI, Meta, Mistral, and Amazon Titan via API — no GPU setup needed.
Serverless — pay per token/API call. No model infrastructure to manage.
Knowledge Bases (RAG) — Connect your own data sources to ground LLM responses.
Agents — Build autonomous AI agents that can call APIs and complete multi-step tasks.
💡 Exam Tips
Bedrock = access to large language models (LLMs) without managing infrastructure. "Build a chatbot using a foundation model" = Bedrock. "Train a custom ML model" = SageMaker. Bedrock is increasingly tested on CLF-C02 as of 2025-2026.
Amazon Athena
Key Concepts
Run SQL queries on data stored in S3. No infrastructure to provision.
Pay per query (per TB scanned). Use Parquet/ORC formats to reduce costs.
Works with AWS Glue (data catalog) and QuickSight (visualisation).
💡 Exam Tips
"Query data in S3 using SQL without loading it into a database" = Athena. Serverless + pay-per-query. Ad-hoc analysis on data lake.
Amazon Redshift
Key Concepts
OLAP (analytics) not OLTP (transactions) — different use case from RDS.
Columnar storage + massively parallel processing (MPP). Petabyte scale.
Redshift Spectrum — Query data in S3 directly from Redshift.
💡 Exam Tips
Redshift = data warehouse = complex analytical queries on large historical datasets. RDS = day-to-day operational database. Athena = quick ad-hoc SQL on S3. Redshift = planned, recurring BI reports.
Amazon CloudWatch
Key Features
Metrics — CPU, network, disk, custom app metrics
Alarms — Trigger SNS, Auto Scaling actions, or EC2 actions on metric thresholds
Logs — Centralised log aggregation and search
Dashboards — Visualise metrics across services
💡 Exam Tips
CloudWatch = PERFORMANCE monitoring (metrics, CPU, memory, custom). CloudTrail = AUDIT log (who did what API call). This is the #1 most-confused pair. CloudWatch alarms + Auto Scaling = automatic right-sizing response.
AWS CloudFormation
Key Concepts
Stack — A collection of AWS resources managed as a unit
Template — JSON/YAML file defining the resources and their config
Rollback on failure. Free — pay only for the resources it creates.
CDK — AWS Cloud Development Kit. Write CloudFormation in TypeScript, Python, Java, etc.
💡 Exam Tips
"Automate and repeat infrastructure deployment" = CloudFormation. "IaC in a real programming language" = CDK (which generates CloudFormation). Both make infrastructure reusable and version-controlled.
AWS Systems Manager
Key Features
Session Manager — Browser-based shell access to EC2. No port 22, no SSH keys, no bastion host needed.
Patch Manager — Automate OS patching for EC2 and on-premises servers.
Run Command — Execute scripts on multiple instances simultaneously.
Parameter Store — Store config values and non-rotating secrets. Cheaper than Secrets Manager.
💡 Exam Tips
Session Manager = secure access to EC2 without SSH or opening port 22. This is the modern, recommended way to connect. Works on-premises too (hybrid). Parameter Store vs Secrets Manager: rotation → Secrets Manager; simple config → Parameter Store.
AWS Database Migration Service (DMS)
Migration Types
Homogeneous — Same engine (MySQL → RDS MySQL). Simple, direct.
Heterogeneous — Different engines (Oracle → Aurora). Needs Schema Conversion Tool (SCT) first to convert schema.
Source database stays online during migration (minimal downtime).
💡 Exam Tips
"Migrate database to AWS" = DMS. "Convert schema from Oracle to PostgreSQL" = Schema Conversion Tool (SCT) + DMS. DMS = continuous replication until cutover.
DynamoDB Global Tables
What It Does
Replicates your DynamoDB table across multiple AWS Regions automatically. Applications in each Region can read and write to their local replica — all changes propagate globally. This is active-active (not active-passive).
Key Concepts
Active-active: Every Region can accept both reads AND writes. Changes replicate to all other Regions automatically; concurrent writes to the same item are resolved as last writer wins, so the application must tolerate that.
Single-digit millisecond: Users worldwide read and write to their nearest Region, achieving low local latency.
Auto-scales capacity: Each Region's capacity scales independently to accommodate the workload.
Data residency: every replica holds a full copy of the table, so only add Regions where the data is allowed to live.
vs DAX (DynamoDB Accelerator): DAX = in-memory cache for microsecond reads within ONE region. Global Tables = cross-region data replication. These solve different problems.
vs Aurora: Aurora multi-master (relational, SQL, now discontinued) is not interchangeable with DynamoDB global tables (NoSQL). The relational cross-Region option is Aurora Global Database, which has a single writer Region (active-passive) with read-only secondaries.
💡 Exam Tips
"NoSQL database with active-active cross-region replication for global low latency" = DynamoDB Global Tables. If the question says "users in multiple regions need low-latency reads AND writes" — Global Tables. DAX ≠ Global Tables: DAX speeds up reads in one region; Global Tables replicates across regions.
▼
What It Does
SDKs provide language-specific libraries and APIs that simplify calling AWS services from within your application. They handle authentication, retries, error handling, serialisation, and request signing automatically.
Supported Languages
Python (boto3), JavaScript/Node.js (v3), Java, Go, .NET/C#, Ruby, PHP, C++, Rust, Kotlin, Swift
Each SDK is maintained independently and follows its own lifecycle schedule.
SDK vs Other Access Methods
SDK: Use from within application code. Language-specific APIs. Best for embedding AWS calls in your app.
AWS CLI: Command-line tool. Scripting and automation. One unified tool for all services.
AWS Console: Web browser GUI. Manual, visual operations. No scripting.
AWS APIs (REST): Direct HTTP calls. SDK wraps these; use the SDK instead of raw API calls.
💡 Exam Tips
"Use AWS services from within an application using language-specific APIs" = AWS SDK. CLI = command-line scripting. Console = browser GUI. SDK = embedded in application code. IDE (Cloud9) = development environment, not an access method itself; note that Cloud9 has not been offered to new customers since July 2024.
▼
What It Does
Lets you pause an EC2 instance in a "wait" state during a scale-out (launch) or scale-in (terminate) event so you can run custom actions before the instance becomes live or is destroyed.
Instance State Flow
Scale-out: Pending → Pending:Wait (hook fires) → Pending:Proceed → InService
Scale-in: InService → Terminating → Terminating:Wait (hook fires) → Terminating:Proceed → Terminated
Notification Targets (Updated 2025)
Amazon EventBridge (recommended) — Default when creating hooks via Console. Route to Lambda, Step Functions, or any EventBridge target.
AWS Lambda (direct — new July 2025) — Lambda can now be set directly as the notification target on the lifecycle hook, simplifying the workflow without needing an EventBridge rule.
Amazon SNS / SQS — Available via AWS CLI only (not Console). SNS can email the team; SQS queues the event for a consumer.
Key Config Settings
Heartbeat timeout — 30 to 7200 seconds. Instance stays in wait state for this duration.
Default Result: CONTINUE — On a launch hook the instance goes InService; on a terminate hook termination proceeds and any remaining hooks still run.
Default Result: ABANDON — On a launch hook the instance is terminated instead of entering service; on a terminate hook the instance still terminates, but remaining hooks are skipped. ABANDON is the default if you do not set one.
CompleteLifecycleAction — API call your script makes to signal completion early, before timeout.
Instance Lifecycle Policy (new Nov 2025) — Retain instances when termination hooks fail or time out, giving confidence in graceful shutdown handling.
Common Use Cases
Launch hook: Download app code, install packages, warm up cache before accepting traffic
Terminate hook: Flush logs to S3, drain connections, deregister from service discovery
💡 Exam Tips
Lifecycle Hooks = pause + custom action during scale-out or scale-in. EventBridge → Lambda is the recommended modern pattern (replacing old CloudWatch Events → Lambda). Lambda can also be set directly on the hook since July 2025. The hook keeps the instance in a "wait" state — it does NOT affect traffic until CompleteLifecycleAction or timeout.
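The handler below is an added example, not code from the guide: it processes the EventBridge event a terminate hook emits, sends a heartbeat so long work does not silently hit the default result, runs the custom action, and completes the hook with CONTINUE or ABANDON. The hook name, group name, instance ID and token are constructed, the Auto Scaling client is injected so the logic runs offline, and boto3 is only imported in the real entry point.

```python
"""Handle an EC2 Auto Scaling lifecycle hook event delivered via EventBridge.
Added example, not from the guide. Identifiers are constructed; the AutoScaling
client is injected so the logic runs offline."""
from typing import Callable


def drain_instance(instance_id: str) -> bool:
    """Custom work for the wait state (hypothetical): flush logs, deregister from
    service discovery, drain connections. Return True when it completed."""
    return True


def handle_lifecycle_event(event: dict, asg, work: Callable[[str], bool]) -> str:
    d = event["detail"]
    ident = {"LifecycleHookName": d["LifecycleHookName"],
             "AutoScalingGroupName": d["AutoScalingGroupName"],
             "LifecycleActionToken": d["LifecycleActionToken"],
             "InstanceId": d["EC2InstanceId"]}
    try:
        # A heartbeat resets the heartbeat timeout, so long-running work does not
        # silently fall through to the default result when the timer expires.
        asg.record_lifecycle_action_heartbeat(**ident)
        ok = work(d["EC2InstanceId"])
    except Exception:           # never leave the instance parked until timeout
        ok = False
    # Launch hook: CONTINUE puts the instance InService, ABANDON terminates it.
    # Terminate hook: both results terminate; ABANDON also skips remaining hooks.
    result = "CONTINUE" if ok else "ABANDON"
    asg.complete_lifecycle_action(LifecycleActionResult=result, **ident)
    return result


def lambda_handler(event, context=None):
    import boto3   # imported lazily so the module loads without boto3 offline
    return handle_lifecycle_event(event, boto3.client("autoscaling"), drain_instance)


class FakeAutoScaling:
    """Offline stand-in for boto3.client('autoscaling'); records the API calls."""
    def __init__(self):
        self.calls = []

    def record_lifecycle_action_heartbeat(self, **kw):
        self.calls.append(("heartbeat", kw))

    def complete_lifecycle_action(self, **kw):
        self.calls.append(("complete", kw))


SAMPLE_EVENT = {   # constructed EventBridge event for a scale-in
    "source": "aws.autoscaling",
    "detail-type": "EC2 Instance-terminate Lifecycle Action",
    "detail": {"LifecycleActionToken": "87654321-4321-4321-4321-210987654321",
               "AutoScalingGroupName": "web-asg",
               "LifecycleHookName": "graceful-shutdown",
               "EC2InstanceId": "i-0abcdef1234567890",
               "LifecycleTransition": "autoscaling:EC2_INSTANCE_TERMINATING"}}
```

The same function serves a launch hook unchanged; only the meaning of ABANDON differs, which is why the comment spells both cases out.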
▼
Four Modes
Bridge (default Linux) — Uses Docker's built-in virtual network. Containers share the host but are isolated via port mapping. Supports dynamic host port mapping. Lower performance due to virtualisation overhead. Cannot apply security groups per-task.
Host — Bypasses Docker virtual network. Containers share the EC2 host's IP and network namespace directly. Highest performance (no NAT). No port isolation — two containers cannot use the same port on the same host.
awsvpc (recommended) — Each task gets its own Elastic Network Interface (ENI) and private IP from your VPC subnet. Task-level security groups. Uses EC2 network stack for performance. Required for Fargate. Supports IPv6. Best for production.
None — No external networking. Only loopback interface. For isolated batch jobs or custom network drivers.
awsvpc — Key Details
Only mode supported by Fargate. If using Fargate, awsvpc is your only choice.
Each task gets a dedicated ENI → its own IP. Acts like a mini EC2 instance in the VPC.
EC2 launch type with awsvpc: instance has an ENI limit. Enable ENI Trunking to increase task density.
Fargate ephemeral storage now supports up to 200 GB per task (2026).
💡 Exam Tips
awsvpc = VPC-native, task-level security groups, Fargate-required. Bridge = default Linux, dynamic ports, shared host. "Fargate networking mode" = always awsvpc. "Security group per container task" = awsvpc. ENI Trunking solves task density limits with awsvpc on EC2 instances.
▼
Strategy Types
Binpack — Place tasks on instances with the least available CPU or memory. Packs tasks densely → fewer instances → lower cost.
Spread — Place tasks evenly across instances or AZs. Default for ECS services. Best for high availability.
Random — Place tasks randomly. For workloads where placement doesn't matter.
Defaults
RunTask API: tasks placed randomly in a cluster.
CreateService API (services): tasks spread across AZs by default.
Fargate tasks: always spread across AZs by default.
💡 Exam Tips
Binpack = cost savings (fewer hosts). Spread = high availability (multiple AZs). Fargate defaults to spread across AZs. Strategies are best-effort — ECS will try but doesn't guarantee placement if constraints can't be met.
▼
What It Does
Allows a single Provisioned IOPS EBS volume to be attached to up to 16 Nitro-based EC2 instances in the same Availability Zone simultaneously, each with full read/write access. The volume is raw shared block storage: EBS does no write coordination, so a standard file system such as ext4 or XFS mounted from several instances at once will corrupt. Use a cluster-aware file system or an application (cluster manager, clustered database) that handles its own locking.
Key Requirements & Limits
Volume types: io1 and io2 (Provisioned IOPS SSD) only. Not supported on gp2, gp3, st1, or sc1.
io2 Block Express (updated April 2025): As of April 30, 2025, all new and previously created io2 volumes are io2 Block Express. Supports Multi-Attach with NVMe I/O fencing — enabling safe shared storage for Windows and Linux clustered apps like SQL Server Failover Cluster Instances.
Instance requirement: All instances must be Nitro-based and in the same AZ.
io1 Multi-Attach: Limited to specific regions only. Does NOT support I/O fencing.
io2 Multi-Attach: Available in all regions where io2 is available. Supports NVMe reservations (I/O fencing).
Cannot be used as a boot volume. Cannot change volume type, size, or IOPS once Multi-Attach is enabled.
Delete-on-termination: volume only deleted when the LAST attached instance is terminated.
💡 Exam Tips
Multi-Attach = shared EBS, Nitro-based, same AZ, io1 or io2 only, up to 16 instances. Regular EBS = one instance at a time. EFS = shared file storage for multiple instances (different service). "Share a block volume across multiple EC2 instances" = EBS Multi-Attach. "I/O fencing for cluster safety" = io2 Block Express with NVMe reservations.
▼
What It Does
Instead of one complex bucket policy for all users and applications, each access point has its own named endpoint and its own access policy. Simplifies access management for buckets shared by many teams or apps.
Key Features
Each access point has a unique hostname: name-accountid.s3-accesspoint.region.amazonaws.com (ARN form arn:aws:s3:region:account-id:accesspoint/name).
VPC restriction: an access point's network origin can be set to one specific VPC, so requests must arrive through that VPC and traffic never leaves the Amazon network.
Default quota of 10,000 access points per account per Region (raised from the original 1,000; adjustable via Service Quotas).
Access point policy + bucket policy work together. Bucket must delegate access to the access point.
Free to use — no additional charge.
💡 Exam Tips
"Simplify S3 bucket access for multiple applications or teams" = S3 Access Points. "Restrict S3 access to a specific VPC" = Access Point with VPC origin. Each access point has its own policy → cleaner than one giant bucket policy. Useful for data lake scenarios with many consumers.
▼
What It Does
A VPC endpoint adds a gateway entry in your route table so EC2 instances can reach S3 without going through the public internet, NAT gateways, or internet gateways. S3 traffic stays within the AWS network.
Key Concepts
Regional service — create the endpoint in the same region as your VPC.
Gateway endpoint — S3 and DynamoDB use gateway-type endpoints (free). Adds a route in the route table.
Endpoint policy — Restrict which buckets the endpoint can access. Default: access to all S3.
Bucket policy with aws:sourceVpc — Restrict a bucket to only allow access from your specific VPC.
Bucket policy with aws:sourceVpce — Restrict access to a specific VPC endpoint ID.
Better than a NAT gateway for private S3 access: cheaper (no per-GB NAT processing charge) and more bandwidth.
💡 Exam Tips
"EC2 → S3 without public internet" = VPC endpoint (gateway type). "Restrict S3 access to only your VPC" = bucket policy with aws:sourceVpc (or aws:sourceVpce for one specific endpoint). S3 is NOT inside a VPC by default; it has public endpoints, and VPC endpoints make the path private. No extra cost for S3/DynamoDB gateway endpoints. Caveat: a Deny on aws:sourceVpc/aws:sourceVpce also blocks the console, CI runners and anything else outside the VPC, including the admin who applied it, so carve out a break-glass role in the condition before you deploy such a policy.
▼
Supported Events
Object created (PUT, POST, COPY, multipart upload complete)
Object removed (delete, versioned delete marker)
Object restore (Glacier restore initiated/completed)
Object loss (RRS object lost), replication events
Notification Destinations
Amazon SNS Topic — Fan-out to email, HTTP endpoints, or multiple SQS queues.
Amazon SQS Queue — Buffer events for downstream processing.
AWS Lambda — Invoke a function directly for real-time processing (resize images, validate files, etc.).
SNS topics and SQS queues need a resource policy that lets the S3 service principal (s3.amazonaws.com) publish, scoped with an aws:SourceArn condition on your bucket ARN so that someone else's bucket cannot post into your queue; Lambda needs a resource-based permission (lambda:InvokeFunction for s3.amazonaws.com), which the console adds for you.
💡 Exam Tips
"Trigger a Lambda when a file is uploaded to S3" = S3 Event Notifications → Lambda. "Notify a team by email when an object is deleted" = S3 Event → SNS → email subscription. S3 events carry metadata: event name, time, bucket, object key, user identity (principalId), and source IP, useful for audit/investigation scenarios. The object key in the event is URL-encoded (a space arrives as "+"), so decode it before passing it back to S3.
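A worked handler for the notification shape described above, added here as an example rather than taken from the guide. The event records, the principal IDs and the allowed network range are constructed. It decodes the URL-encoded object key and flags deletes that did not originate from the expected network, the investigation use the tip refers to.

```python
"""Parse S3 event notification records and flag deletes from unexpected networks.
Added example (not from the guide); the event and the allowed range are constructed."""
import ipaddress
from urllib.parse import unquote_plus

ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed: VPC/corporate range

SAMPLE_EVENT = {"Records": [
    {"eventSource": "aws:s3", "eventTime": "2026-06-01T10:15:30.000Z",
     "eventName": "ObjectRemoved:Delete",
     "userIdentity": {"principalId": "AWS:AROAEXAMPLEID:alice"},
     "requestParameters": {"sourceIPAddress": "203.0.113.7"},
     "s3": {"bucket": {"name": "finance-reports"},
            "object": {"key": "q2+2026/report+final.pdf"}}},   # S3 URL-encodes keys: '+' is a space
    {"eventSource": "aws:s3", "eventTime": "2026-06-01T10:16:02.000Z",
     "eventName": "ObjectCreated:Put",
     "userIdentity": {"principalId": "AWS:AROAEXAMPLEID:uploader"},
     "requestParameters": {"sourceIPAddress": "10.1.2.3"},
     "s3": {"bucket": {"name": "finance-reports"},
            "object": {"key": "inbox/scan%2B001.pdf", "size": 2048}}},   # a literal '+' arrives as %2B
]}


def parse_records(event):
    """Flatten the records into the fields an investigator actually needs."""
    out = []
    for r in event.get("Records", []):
        if r.get("eventSource") != "aws:s3":
            continue
        out.append({
            "event": r["eventName"],
            "time": r["eventTime"],
            "bucket": r["s3"]["bucket"]["name"],
            "key": unquote_plus(r["s3"]["object"]["key"]),   # decoded key for any S3 API call
            "actor": r.get("userIdentity", {}).get("principalId"),
            "source_ip": r.get("requestParameters", {}).get("sourceIPAddress"),
        })
    return out


def suspicious_deletes(records, allowed=ALLOWED_NETWORKS):
    """Deletes whose client IP is outside every allowed network."""
    flagged = []
    for rec in records:
        if not rec["event"].startswith("ObjectRemoved:"):
            continue
        try:
            inside = any(ipaddress.ip_address(rec["source_ip"]) in net for net in allowed)
        except ValueError:
            inside = False   # S3-internal events carry a hostname, not a client IP
        if not inside:
            flagged.append(rec)
    return flagged


def lambda_handler(event, context=None):
    """Lambda entry point: log every flagged delete and return how many there were."""
    flagged = suspicious_deletes(parse_records(event))
    for rec in flagged:
        print(f"DELETE from {rec['source_ip']} by {rec['actor']}: s3://{rec['bucket']}/{rec['key']}")
    return {"flagged": len(flagged)}
```

Only the request's source IP and principal are available here; for the full story (the IAM policy that allowed the delete, the session's MFA state) pivot to the matching CloudTrail data event.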
▼
What It Does
When a requester calls GET on an S3 Object Lambda Access Point, your Lambda function intercepts the request, transforms the data (e.g. redact PII, convert format, compress), and returns the modified version. The original object in S3 is never changed.
Key Concepts
Requires: S3 Bucket → S3 Access Point → S3 Object Lambda Access Point → Lambda function.
Lambda receives a pre-signed URL (inputS3Url) to fetch the original object and writes the transformed response via write_get_object_response (WriteGetObjectResponse); the function's execution role needs s3-object-lambda:WriteGetObjectResponse.
Common uses: redact PII (mask SSNs/emails), format conversion (XML→JSON), watermark images, decompress files.
No need to store multiple versions of the same data.
💡 Exam Tips
"Serve different versions of the same S3 data to different users without duplicating storage" = S3 Object Lambda. "Redact sensitive fields from S3 objects before serving" = S3 Object Lambda. Original data is never modified — transformation is live at read time.
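The redaction case as a working GET handler, added as an example and not taken from the guide. The Object Lambda event fields used (getObjectContext.inputS3Url, outputRoute, outputToken) are the real ones; the sample object, the event values and the fake S3 client are constructed, and the fetch step is injected so the transform can be exercised offline. Binary objects are passed through untouched, which is the failure mode a text-only redactor usually gets wrong.

```python
"""S3 Object Lambda GET handler that redacts PII at read time. Added example,
not from the guide. Transport (urllib, boto3) is injected so it runs offline."""
import re
from typing import Callable

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def redact(data: bytes) -> bytes:
    """Mask SSNs and e-mail addresses in UTF-8 text; anything else passes through."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return data                     # image, archive, etc.: do not mangle it
    text = SSN_RE.sub("***-**-****", text)
    return EMAIL_RE.sub("[email redacted]", text).encode("utf-8")


def handle_get_object(event: dict, fetch: Callable[[str], bytes], s3_client) -> dict:
    ctx = event["getObjectContext"]
    original = fetch(ctx["inputS3Url"])          # pre-signed URL: no extra S3 read permission
    s3_client.write_get_object_response(         # role needs s3-object-lambda:WriteGetObjectResponse
        RequestRoute=ctx["outputRoute"],
        RequestToken=ctx["outputToken"],
        Body=redact(original),
    )
    return {"status_code": 200}


def lambda_handler(event, context=None):
    import boto3                                 # lazy so the module imports offline
    from urllib.request import urlopen
    return handle_get_object(event, lambda url: urlopen(url).read(), boto3.client("s3"))


class FakeS3:
    """Offline stand-in for boto3.client('s3'); captures the response write."""
    def __init__(self):
        self.written = None

    def write_get_object_response(self, **kw):
        self.written = kw


SAMPLE_OBJECT = b"name,ssn,email\nAlice,123-45-6789,alice@example.com\n"   # constructed
SAMPLE_EVENT = {                                                             # constructed
    "getObjectContext": {"inputS3Url": "https://presigned.example.invalid/customers.csv",
                         "outputRoute": "io-abc", "outputToken": "tok-123"},
    "userRequest": {"url": "https://olap-alias.s3-object-lambda.example.invalid/customers.csv"},
}
```

Because the transformed bytes are only ever written back through WriteGetObjectResponse, the original object (and its bucket policy, versioning and Object Lock settings) is never touched.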
▼
What It Does
OAC restricts an S3 bucket so objects can only be accessed via a designated CloudFront distribution — not directly via the S3 URL. Uses SigV4 signing for every request.
OAC vs OAI — The Key Differences
OAI (legacy — not recommended): Uses a canonical user ID. Works only in regions that existed before December 2022. No SSE-KMS support. Does not support PUT/DELETE (GET only). AWS has deprecated OAI in favour of OAC.
OAC (current standard): SigV4 signing. Works in ALL AWS regions including new opt-in regions. Supports SSE-KMS encrypted S3 objects. Supports all HTTP methods (GET, PUT, DELETE, POST). Better confused deputy protection via resource-based policies. Recommended for all new distributions.
Setup Pattern
1. Create OAC in CloudFront console (Security → Origin access).
2. Create/update distribution to use OAC for the S3 origin.
3. Update the S3 bucket policy to allow s3:GetObject for the service principal cloudfront.amazonaws.com, with a Condition on AWS:SourceArn equal to your distribution ARN (without that condition any CloudFront distribution in any account could read the bucket).
4. Remove public access from the S3 bucket — objects are now only accessible via CloudFront.
💡 Exam Tips
OAI is deprecated — OAC is the current answer for "restrict S3 to CloudFront only." OAC supports SSE-KMS (OAI does not). OAC works in all regions (OAI stopped supporting new regions after Dec 2022). "Prevent direct S3 URL access, serve only via CloudFront" = OAC.
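The following block is an added example, not code from the guide, and serves two passages: the S3 VPC endpoint bucket policy (aws:sourceVpce) earlier and the OAC bucket policy in this section. It is a deliberately small IAM-style evaluator (not AWS's engine: only Principal, Action, Resource, the String*/Arn* condition operators and deny-wins ordering) that reproduces the two behaviours a practitioner most needs to see: a VPCE-only Deny also catches console users because a missing condition key makes StringNotEquals true, and an OAC policy without the AWS:SourceArn condition lets any other distribution read the bucket (the confused deputy). All role, endpoint and distribution identifiers are constructed.

```python
"""Mini IAM-style evaluator for resource policies. Added example, not AWS's
policy engine; identifiers are constructed."""
import fnmatch


def _list(v):
    return v if isinstance(v, list) else [v]


def _like(pattern, value):
    return fnmatch.fnmatchcase(value, pattern)   # IAM '*' and '?' wildcards


def _principal_ok(principal, req):
    if principal == "*":
        return True
    return any(_like(p, req["principal"].get(kind, ""))
               for kind, ids in principal.items() for p in _list(ids))


def _condition_ok(block, ctx):
    """Every operator/key must hold. A key missing from the request context makes
    negated operators (StringNotEquals, ArnNotLike, ...) true and all others false,
    which is why a VPCE-only Deny also hits console and CLI users outside the VPC."""
    ctx = {k.lower(): v for k, v in ctx.items()}
    for op, keys in block.items():
        negated = "Not" in op
        for key, wanted in keys.items():
            actual = ctx.get(key.lower())
            if actual is None:
                if negated:
                    continue
                return False
            hit = any(_like(w, actual) if op.endswith("Like") else w == actual
                      for w in _list(wanted))
            if hit == negated:
                return False
    return True


def evaluate(policy, req):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for s in policy["Statement"]:
        if not (_principal_ok(s["Principal"], req)
                and any(_like(a, req["action"]) for a in _list(s["Action"]))
                and any(_like(r, req["resource"]) for r in _list(s["Resource"]))
                and _condition_ok(s.get("Condition", {}), req.get("context", {}))):
            continue
        if s["Effect"] == "Deny":
            return "explicit_deny"          # an explicit deny always wins
        decision = "allow"
    return decision


# --- S3 VPC endpoint: deny anything that did not arrive through the endpoint ---
APP_ROLE = "arn:aws:iam::123456789012:role/ReportProcessor"    # constructed
ADMIN_ROLE = "arn:aws:iam::123456789012:role/BreakGlassAdmin"  # constructed
VPCE = "vpce-0123456789abcdef0"                                 # constructed

VPCE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAppAndAdmin", "Effect": "Allow",
     "Principal": {"AWS": [APP_ROLE, ADMIN_ROLE]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
    {"Sid": "DenyUnlessViaEndpoint", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"],
     "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE},
                   "ArnNotLike": {"aws:PrincipalArn": ADMIN_ROLE}}},   # break-glass carve-out
]}


def s3_get(principal_arn, **extra_ctx):
    return {"principal": {"AWS": principal_arn}, "action": "s3:GetObject",
            "resource": "arn:aws:s3:::example-data/report.csv",
            "context": {"aws:PrincipalArn": principal_arn, **extra_ctx}}


# --- CloudFront OAC: service principal scoped to ONE distribution via SourceArn ---
OUR_DIST = "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"    # constructed
OTHER_DIST = "arn:aws:cloudfront::999999999999:distribution/E1OTHERACCOUNT"    # constructed


def oac_bucket_policy(bucket, distribution_arn=None):
    stmt = {"Sid": "AllowCloudFrontServicePrincipalReadOnly", "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}
    if distribution_arn:   # omit this and every distribution in every account can read the bucket
        stmt["Condition"] = {"StringEquals": {"AWS:SourceArn": distribution_arn}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def cloudfront_get(source_arn):
    return {"principal": {"Service": "cloudfront.amazonaws.com"}, "action": "s3:GetObject",
            "resource": "arn:aws:s3:::static-site/index.html",
            "context": {"AWS:SourceArn": source_arn}}


def demo():
    scoped, unscoped = oac_bucket_policy("static-site", OUR_DIST), oac_bucket_policy("static-site")
    return {
        "app_via_endpoint": evaluate(VPCE_ONLY_POLICY, s3_get(APP_ROLE, **{"aws:sourceVpce": VPCE})),
        "app_from_internet": evaluate(VPCE_ONLY_POLICY, s3_get(APP_ROLE)),
        "admin_from_console": evaluate(VPCE_ONLY_POLICY, s3_get(ADMIN_ROLE)),
        "oac_our_distribution": evaluate(scoped, cloudfront_get(OUR_DIST)),
        "oac_other_distribution": evaluate(scoped, cloudfront_get(OTHER_DIST)),
        "oac_missing_condition": evaluate(unscoped, cloudfront_get(OTHER_DIST)),
    }
```

Run demo() and read the six verdicts together: the app role is allowed only through the endpoint, the break-glass admin still gets in from the console because the ArnNotLike carve-out makes the Deny not apply, and the OAC policy only stays safe while the SourceArn condition is present. Real S3 also merges the caller's identity policy and Block Public Access settings into the decision; this evaluator only looks at the bucket policy.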
▼
What It Does
Automates EBS snapshot creation, retention periods, and deletion based on policies you define. Target resources by tag. No manual snapshot management required.
Key Concepts
Define policies: target by resource tag (e.g. Environment=Production), schedule frequency, and retention count.
Helps with compliance (retain 12 months), cost reduction (auto-delete old snapshots), and RPO/RTO requirements.
Alternative: AWS Backup — more comprehensive, covers RDS, EFS, DynamoDB in addition to EBS.
💡 Exam Tips
"Automate EBS snapshot backups and clean up old ones" = Data Lifecycle Manager (DLM). "Centralised backup across EC2, RDS, DynamoDB, EFS" = AWS Backup. DLM is EBS-focused; AWS Backup is multi-service.
▼
Current Supported Runtimes (as of mid-2026)
Node.js 22.x, 24.x — Node.js 24 added November 2025. Latest LTS, supported until ~April 2028.
Python 3.12, 3.13
Java 21, Java 25
.NET 8
Ruby 3.3
All on Amazon Linux 2023 base (AL2023) — recommended for new functions.
End-of-Life / Deprecated Runtimes
Node.js 16.x, 18.x — End of support reached. No new deployments allowed.
Node.js 20.x — EOL April 2026. Deployments will fail after September 2026 if not upgraded.
Python 3.9, 3.10, 3.11 — On Amazon Linux 2 (AL2 scheduled for EOL June 30, 2026). Migrate to AL2023-based runtimes.
Java 8 (AL2), Java 11, Java 17 — AL2-based, migrating to AL2023 versions before end of Q2 2026.
💡 Exam Tips
Lambda runtimes follow the upstream language EOL schedule. The document's sample code used Node.js — note that older Node runtimes (16, 18) are now deprecated. For any new Lambda work, use the latest AL2023-based runtime. Deprecated runtimes: no security patches, no new deployments after the hard-stop date. Always upgrade before EOL.
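An inventory script for exactly this problem, added as an example and not part of the guide. The deprecation table is a constructed sample built from the bullets above (refresh it from the Lambda runtime deprecation page before relying on it), the Lambda client is injected so the audit runs offline against a fake paginated listing, and the classifier also covers the two cases a naive check misses: container-image functions, which have no managed runtime at all, and provided.al2 custom runtimes tied to Amazon Linux 2.

```python
"""Inventory Lambda functions and flag deprecated or soon-deprecated runtimes.
Added example, not from the guide. Dates are a sample to be refreshed from AWS docs."""
from datetime import date, timedelta

RUNTIME_DEPRECATION = {            # runtime id -> deprecation date (sample; verify)
    "nodejs16.x": date(2024, 6, 12),
    "nodejs18.x": date(2025, 9, 1),
    "nodejs20.x": date(2026, 4, 30),
    "python3.9": date(2025, 12, 15),
    "python3.10": date(2026, 6, 30),
    "python3.11": date(2026, 6, 30),
}
TODAY = date(2026, 3, 1)           # pinned so the example is reproducible


def classify(runtime, today=TODAY, horizon_days=90):
    """'deprecated' (no patches; deployments about to be blocked), 'deprecating-soon',
    'container-image' (no managed runtime: OS patching lives in your image),
    'custom-al2' (provided.al2, tied to Amazon Linux 2) or 'ok'."""
    if runtime is None:
        return "container-image"
    if runtime == "provided.al2":
        return "custom-al2"
    when = RUNTIME_DEPRECATION.get(runtime)
    if when is None:
        return "ok"
    if when <= today:
        return "deprecated"
    if when - today <= timedelta(days=horizon_days):
        return "deprecating-soon"
    return "ok"


def audit(lambda_client, today=TODAY):
    """Return (name, runtime, status) for every function that needs attention."""
    findings = []
    for page in lambda_client.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            status = classify(fn.get("Runtime"), today)   # Image packages have no Runtime key
            if status != "ok":
                findings.append((fn["FunctionName"], fn.get("Runtime"), status))
    return findings


def main():
    import boto3   # lazy import: the module loads without boto3 for offline use
    for name, runtime, status in audit(boto3.client("lambda"), date.today()):
        print(f"{status:17} {runtime or '-':14} {name}")


class FakePaginator:
    def __init__(self, pages):
        self.pages = pages

    def paginate(self):
        for p in self.pages:
            yield {"Functions": p}


class FakeLambda:
    """Offline stand-in for boto3.client('lambda') with a list_functions paginator."""
    def __init__(self, functions):
        self.functions = functions

    def get_paginator(self, name):
        assert name == "list_functions"
        return FakePaginator([self.functions[:2], self.functions[2:]])   # two pages, like the API


SAMPLE_FUNCTIONS = [   # constructed inventory
    {"FunctionName": "legacy-api", "Runtime": "nodejs18.x", "PackageType": "Zip"},
    {"FunctionName": "report-batch", "Runtime": "python3.12", "PackageType": "Zip"},
    {"FunctionName": "edge-auth", "Runtime": "nodejs20.x", "PackageType": "Zip"},
    {"FunctionName": "image-resizer", "PackageType": "Image"},
    {"FunctionName": "rust-signer", "Runtime": "provided.al2", "PackageType": "Zip"},
]
```

Run it per Region (Lambda is regional) from a role with lambda:ListFunctions; the list_functions paginator is the real boto3 interface, so only the client construction changes between the fake and a live account.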
▼
What It Does
Apply key-value tags to AWS resources (S3 buckets, EC2, RDS, etc.), activate those tag keys in the Billing console, and then filter Cost Explorer and Cost & Usage Reports by tag to see per-resource, per-team, or per-project costs.
Key Concepts
Tags must be activated as cost allocation tags in the Billing and Cost Management console before they appear in Cost Explorer.
Activation can take up to 24 hours to appear; Cost Explorer data then up to another 24 hours.
Two types: AWS-generated (e.g. createdBy) and user-defined (your own key-value pairs).
Use with Cost & Usage Reports (CUR) for detailed per-bucket/per-resource billing analysis.
💡 Exam Tips
"See which S3 bucket costs the most" = Cost Allocation Tags + Cost Explorer. Tagging strategy is a best practice for cost governance in multi-team organisations. Tags alone don't show in Cost Explorer — they must be activated first. AWS Organisations can enforce mandatory tags via SCPs or Tag Policies.
▼
What It Does
Creates an immutable vault lock policy on S3 Glacier vaults that enforces Write Once Read Many (WORM) compliance. Once locked, the policy cannot be changed or deleted, not even by the account root user.
Two-Step Locking Process
Step 1 — Initiate Lock: POST request attaches the policy and returns a lock ID. Vault enters "in-progress" state. You have 24 hours to validate.
Step 2 — Complete Lock: POST with the lock ID to finalise. Once complete, policy is permanent and immutable.
If not completed within 24 hours, the lock operation is automatically aborted (gives you time to test).
To abort while in-progress: send DELETE request to the lock policy URI.
💡 Exam Tips
Glacier Vault Lock = WORM compliance for archives. "Data that cannot be modified or deleted for X years" = Vault Lock policy. Two-step process gives a 24-hour validation window before the policy becomes irrevocable. Used for regulatory compliance (SEC 17a-4, HIPAA, etc.).
▼
Two Integration Types
AWS_PROXY (Lambda Proxy) — Simplest setup. API Gateway passes the entire HTTP request (headers, path, query params, body) directly to Lambda as-is. Lambda returns the full response object. No mapping templates needed. Recommended for most use cases.
AWS (Lambda Custom) — You define request/response mapping templates. Gives fine-grained control over transformation. More complex; use when you need to reshape the request before Lambda sees it.
Key Concepts
API Gateway handles: TLS termination, authorisation (IAM, Cognito user pools, Lambda authorisers), throttling, caching, and CORS.
Stages — Deployments are versioned into stages (v1, prod, staging). Changes only take effect after redeployment to a stage.
REST API vs HTTP API: HTTP API is cheaper, faster, lower-latency and has built-in JWT authorisers. REST API has more features (AWS WAF integration, API keys and usage plans, response caching, request validation).
💡 Exam Tips
API Gateway + Lambda = the serverless API pattern. AWS_PROXY = pass everything through unchanged (simpler). AWS integration = transform request/response (complex). "Build an API without managing servers" = API Gateway + Lambda. Changes in API Gateway don't go live until you redeploy to a stage.
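The AWS_PROXY contract in code, added as an example rather than taken from the guide: the event shape a REST API proxy integration sends (payload format 1.0, with queryStringParameters arriving as null rather than an empty object when the URL has no query string) and the exact response object API Gateway requires. The handler and sample event are constructed; a body returned as a dict instead of a string is the classic mistake that surfaces as a 502 "Malformed Lambda proxy response", and is_valid_proxy_response catches it before deployment.

```python
"""Lambda proxy (AWS_PROXY) integration: request shape in, required response shape out.
Added example, not from the guide; the sample event is constructed."""
import base64
import json

SECURITY_HEADERS = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
}


def proxy_response(status, body, headers=None, binary=False):
    """Build a valid proxy response. body must end up as a string: a dict or bytes
    returned directly becomes a 502 'Malformed Lambda proxy response' at the client."""
    all_headers = {**SECURITY_HEADERS, **(headers or {})}
    if binary:
        return {"statusCode": status, "headers": all_headers, "isBase64Encoded": True,
                "body": base64.b64encode(body).decode("ascii")}
    text = body if isinstance(body, str) else json.dumps(body)
    return {"statusCode": status, "headers": all_headers, "isBase64Encoded": False, "body": text}


def is_valid_proxy_response(resp):
    """The contract API Gateway enforces before it will relay a response."""
    return (isinstance(resp, dict)
            and isinstance(resp.get("statusCode"), int)
            and isinstance(resp.get("body", ""), str)
            and isinstance(resp.get("headers", {}), dict)
            and all(isinstance(k, str) and isinstance(v, str)
                    for k, v in resp.get("headers", {}).items()))


def parse_json_body(event):
    raw = event.get("body")
    if raw is None:
        return {}
    if event.get("isBase64Encoded"):            # binary media types arrive base64-encoded
        raw = base64.b64decode(raw).decode("utf-8")
    return json.loads(raw)


def body_json(resp):
    return json.loads(resp["body"])


def lambda_handler(event, context=None):
    if event.get("httpMethod") != "POST":
        return proxy_response(405, {"error": "method not allowed"}, {"Allow": "POST"})
    params = event.get("queryStringParameters") or {}   # null, not {}, when absent
    try:
        payload = parse_json_body(event)
    except (ValueError, UnicodeDecodeError):
        return proxy_response(400, {"error": "body must be valid JSON"})
    identity = (event.get("requestContext") or {}).get("identity") or {}
    return proxy_response(200, {"received": payload,
                                "verbose": params.get("verbose") == "1",
                                "caller_ip": identity.get("sourceIp")})


SAMPLE_EVENT = {   # constructed REST API (payload v1.0) proxy event
    "httpMethod": "POST", "path": "/orders",
    "headers": {"Content-Type": "application/json"},
    "queryStringParameters": None, "isBase64Encoded": False,
    "body": json.dumps({"sku": "A-100", "qty": 2}),
    "requestContext": {"identity": {"sourceIp": "198.51.100.23"}},
}
```

With the AWS (custom) integration type none of this shape applies: mapping templates decide what Lambda sees and what the client gets back, which is the flexibility the guide trades off against the extra configuration.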
Domain 4 — Billing, Pricing & Support
Pricing models, cost tools, support plans — fully updated for 2026
12% of Exam
AWS Pricing — Core Principles
Pay-as-you-go
Only pay for what you use. No upfront. No long-term contracts.
Pay less when you reserve
Commit 1–3 years for up to 72% savings vs On-Demand.
Pay less with more use
Volume discounts — the more you store/transfer, the lower the per-unit cost.
Outbound data transfer costs
Data IN to AWS is free. Data OUT to the internet is charged. Inside a Region, transfer within one AZ is generally free, while cross-AZ and cross-Region transfer is charged per GB.
▼
Free web tool. Configure services and see projected monthly cost. Used for budgeting and project proposals.
💡 Exam Tips
"Estimate costs BEFORE deployment" = Pricing Calculator. "View/analyse CURRENT or PAST charges" = Cost Explorer. "Set spending limits and alerts" = Budgets. "Build a business case to migrate from on-prem" = Migration Evaluator (replaced old TCO Calculator).
▼
Key Features
13-month historical view + 12-month cost forecasting
Filter by service, region, tag, account, or linked account
Rightsizing recommendations — Suggests downsizing over-provisioned EC2 instances
Savings Plans and RI coverage reports
💡 Exam Tips
Cost Explorer = analyse past spending + forecast future. Rightsizing = identify and reduce waste. The console is free to use (the Cost Explorer API is charged per request). The go-to tool for "where is my money going?" questions.
▼
Budget Types
Cost budget — Alert when spend exceeds $X
Usage budget — Alert when you exceed X EC2 hours or S3 GB
Savings Plans / RI budget — Track utilisation of commitments
Can trigger automated actions (stop EC2, restrict IAM) when breached
💡 Exam Tips
"Alert when costs exceed a threshold" = AWS Budgets. First 2 budgets are free. Can send via SNS, email, or Slack. Budgets = proactive spending control; Cost Explorer = reactive analysis.
▼
5 Check Categories
Cost Optimization — Idle resources, RI recommendations, underutilised EC2
Performance — High-utilisation instances that need scaling
Security — Open ports, public S3 buckets, MFA on root, IAM issues
Fault Tolerance — Missing backups, single-AZ setups
Service Limits — Usage approaching AWS service quotas
💡 Exam Tips
Basic plan = 7 core security checks only. Business Support+ and above = ALL 500+ checks. Trusted Advisor is your automated account auditor. "Checks your account for best practices" = Trusted Advisor.
▼
Estimates cost savings of migrating from on-premises to AWS. Accounts for hardware, power, cooling, real estate, and IT labour. Replaced the legacy AWS TCO Calculator.
💡 Exam Tips
"Compare on-prem vs AWS costs" or "build a business case for cloud migration" = Migration Evaluator. The old TCO Calculator is deprecated. Some older study materials may still reference TCO Calculator — Migration Evaluator is the current tool.
AWS Support Plans Restructured Dec 2025 · End-of-Life Jan 2027
✅ Currently Active Plans (as of June 2026)
There are 5 plans available today:
Basic (free, always), Developer (transitional), Business Support+ (new), Enterprise (new), Unified Operations (new).
Developer Support, Business Support, and Enterprise On-Ramp still work for existing subscribers — they just cannot be newly purchased and will be shut down January 1, 2027.
⚠️ End-of-Life: January 1, 2027
Developer Support — customers must actively upgrade to Business Support+ or will be downgraded to Basic.
Business Support — customers must actively upgrade to Business Support+.
Enterprise On-Ramp — customers auto-upgraded to Enterprise Support (no action needed).
Exception: all three legacy plans remain in AWS GovCloud (US) indefinitely.
🆕 AWS DevOps Agent — Included in All Paid Plans (GA March 2026)
Included in Business Support+, Enterprise, and Unified Operations. An always-on AI operations assistant that autonomously investigates incidents — correlating metrics, logs, traces, and recent deployments — before you raise a ticket.
Legacy Plans — Still Testable on CLF-C02 Until Retired
| Feature | Basic (always free) | Developer EOL Jan 2027 | Business EOL Jan 2027 |
|---|---|---|---|
| Monthly Min. | Free | $29/month | $100/month |
| Technical Support Access | None — docs, AWS Health, re:Post only | Business hours email only · 1 primary contact · Unlimited cases | 24/7 phone, chat, email · Unlimited contacts |
| Trusted Advisor | 7 core checks only | 7 core checks only | Full 500+ checks |
| General Guidance Response | — | < 24 business hours | < 24 hours |
| System Impaired | — | < 12 business hours | < 12 hours |
| Production Down | — | — | < 1 hour |
| TAM | — | — | — |
| Use Case | Getting started, non-production | Testing / early dev. Business hours support. | Production workloads requiring 24/7 support |
New Plans (from Dec 2025) — The Future Structure
| Feature | Business Support+ | Enterprise | Unified Operations |
|---|---|---|---|
| Monthly Min. | $29/month | $5,000/month | $50,000/month |
| Technical Support | 24/7 phone, chat, email · Unlimited contacts | 24/7 phone, chat, email · Unlimited contacts | 24/7 phone, chat, email · Unlimited contacts |
| AI Assistance | ✓ AI-powered contextual (24/7) | ✓ AI-powered contextual (24/7) | ✓ AI-powered contextual (24/7) |
| AWS DevOps Agent | ✓ Included (usage credit) | ✓ Included (usage credit) | ✓ Included (usage credit) |
| Trusted Advisor | Full 500+ checks | Full + Priority (TAM-curated) | Full + Priority |
| TAM / Specialists | — | ✓ Designated TAM | ✓ TAM + DSE + IME (24/7 monitoring) |
| Security Incident Response | Add-on (extra cost) | ✓ Included free | ✓ Included free |
| Well-Architected Reviews | — | ✓ | ✓ Continuous |
| Critical Response Time | < 30 min | < 15 min | < 5 min (via IME) |
| Production Down | < 1 hour | < 1 hour | < 1 hour |
💡 Exam Tips — Support Plans (one of the most-tested topics)
Developer Support still exists — it's a real plan with business-hours email support, $29/month minimum, 7 Trusted Advisor checks. It ends Jan 1, 2027 but is testable now.
Key Developer Support facts: Business hours email only (NOT 24/7). 1 primary contact. <24h general guidance. <12h system impaired. No phone/chat.
What separates the plans:
• Basic → Developer: adds email support (business hours only)
• Developer → Business/Business Support+: adds 24/7 phone + all Trusted Advisor checks
• Business Support+ → Enterprise: adds TAM + Well-Architected Reviews
• Enterprise → Unified Operations: adds Domain Specialists + 24/7 proactive monitoring
TAM = Enterprise and Unified Operations only. Never in Basic, Developer, or Business plans.
GovCloud exception: Developer, Business, and Enterprise On-Ramp remain available in AWS GovCloud.
AWS Credits — How They Work & Apply
💳 AWS Credits Explained
AWS credits are promotional monetary values automatically applied to your bill to offset costs for eligible services. They auto-apply — you do not manually redeem them each month.
📋 Credit Application Order
When you have multiple credits, AWS applies them in this exact order:
1. Soonest to expire — oldest expiry date applied first
2. Fewest eligible services — most restrictive credit applied first
3. Oldest credit — created earliest applied first
Credits are applied until exhausted or they expire. Expired credits cannot be recovered.
📌 Key Credit Rules
• Credits apply to eligible services only (not all services qualify)
• Credits expire on a fixed date — no rollover, no extension
• Multiple credits: the most restrictive (fewest services) applies first
• Credits do not carry across accounts by default
• Free Tier credits expire 12 months from account creation
• Joining AWS Organizations or Control Tower immediately expires Free Tier credits
💡 Exam Tips — AWS Credits (scenario-style question)
Classic CLF-C02 question pattern: "You have Credit A ($100, expires July, applies to EC2 only) and Credit B ($50, expires December, applies to EC2 and S3). Your bill is $200 EC2 + $100 S3. Which credit applies first?"
Answer: Credit A first (soonest expiry + fewer eligible services). Apply $100 to EC2 → EC2 bill becomes $100. Then Credit B applies to remaining EC2 → EC2 bill becomes $50. You pay $50 EC2 + $100 S3 = $150 total.
The three rules in order: Soonest expiry → Fewest products → Oldest credit. Memorise this order.
AWS Free Tier
Always Free
No expiry. For all accounts. Examples: 1M Lambda requests/mo, 10 CloudWatch custom metrics, DynamoDB 25GB.
12 Months Free
From account creation date. Examples: 750 hrs EC2 t2.micro/mo, 5GB S3 Standard, 750 hrs RDS db.t2.micro.
Short-Term Trials
Time-limited from first use. Examples: 90 days Amazon Inspector, 30 days AWS Security Hub.