Cost + Performance (Read-Heavy API)
Answer: Enable Amazon API Gateway Caching.
Why: When read traffic is high and data can be stale (up to 24 hours), API Gateway cache + TTL reduces Lambda/Aurora calls, improving latency and lowering database cost.
Keywords: API Gateway Caching, TTL, Read-heavy, Cost Optimization, Performance
Hybrid Multi-Region Connectivity
Answer: Connect both Direct Connect links to a shared Direct Connect Gateway and attach each region's VGW.
Why: Direct Connect Gateway supports transitive routing across regions and on-prem locations with lower operational overhead than managing complex peering/VPN combinations.
Keywords: Direct Connect Gateway, VGW, Transitive Routing, Hybrid Cloud, Multi-Region, Direct Connect
Geographic Traffic Steering
Answer: Use Route 53 Geoproximity routing.
Why: Geoproximity routing can dynamically shift which geographic area routes to a resource by applying a bias value.
Keywords: Geoproximity Routing, Route 53, Bias, Geographic Routing, Dynamic Traffic Routing
Reusable Best-Practice Infrastructure
Answer: Use AWS CloudFormation to manage RDS databases via reusable templates.
Why: CloudFormation is Infrastructure as Code: encode best practices once into a template and every user/team reuses it. Trusted Advisor only recommends; Lambda alerts are reactive; IAM deny doesn't guide correct config.
Keywords: CloudFormation, Infrastructure as Code, IaC, Reusable Template, Best Practices, JSON/YAML
Message Broker with MQTT Protocol
Answer: Use Amazon MQ for a managed message broker with MQTT support.
Why: Amazon MQ supports industry-standard protocols (JMS, AMQP, STOMP, MQTT, WebSocket), so no code changes are needed. SQS/SNS/Kinesis are AWS-proprietary and do not support MQTT.
Keywords: Amazon MQ, MQTT, AMQP, STOMP, ActiveMQ, Lift-and-Shift, Message Broker, Protocol Support
One-Time 1 PB S3 Cross-Region Copy
Answer: Use the aws s3 sync command OR S3 Batch Replication (then delete the replication config).
Why: s3 sync uses the CopyObject API and is idempotent. Batch Replication handles existing objects cross-region. Snowball is for on-prem→AWS only. The S3 console is not feasible at PB scale. Transfer Acceleration speeds client→S3, not bucket-to-bucket.
Keywords: s3 sync, S3 Batch Replication, CopyObject, Cross-Region, One-Time Copy, CDC, Region-to-Region
Async Image Processing, Cost Minimization
Answer: Amazon SQS + EC2 Spot Instances.
Why: SQS buffers jobs asynchronously with built-in retry. Spot Instances cost up to 90% less than On-Demand. Reserved Instances require a 1-3 year commitment, wrong for variable load. SNS has no retry/queue behavior.
Keywords: SQS, Spot Instances, Async Processing, Retry, Cost Optimization, Decoupling, Queue
Cheapest Multi-VPC Connectivity (Same Account)
Answer: Use VPC Peering.
Why: VPC Peering is the most cost-effective solution for connecting VPCs within the same account. Direct Connect is for on-premises. NAT Gateway is for internet access. Internet Gateway is for the public internet.
Keywords: VPC Peering, Same Account, Cost-Effective, Private Connectivity, Non-Transitive
Proactive + Reactive EC2 Scaling
Answer: Predictive Scaling + Dynamic Scaling with Target Tracking.
Why: Predictive Scaling uses ML on historical data to pre-warm capacity. Target Tracking reacts in real time to maintain a metric (e.g. CPU at 60%). Combined = forecast + react. Step Scaling is reactive only. Scheduled Scaling can't adapt dynamically.
Keywords: Predictive Scaling, Target Tracking, Dynamic Scaling, ML Forecast, Historical Patterns, Auto Scaling Group
ALB Marks All Instances Unhealthy
Answer: (1) Health check route is misconfigured OR (2) EC2 security group blocks ALB traffic.
Why: If the site loads via IP but the ALB marks instances unhealthy, the ALB is hitting the wrong path OR the security group isn't allowing traffic from the ALB's security group on the health check port. EIPs, EBS volumes, and app runtime are not relevant.
Keywords: Health Check Route, Security Group, ALB, Unhealthy Targets, Listener Port, Health Check Port
Real-Time Streaming Analytics to S3
Answer: Kinesis Data Streams → Kinesis Data Analytics → Kinesis Data Firehose → S3.
Why: KDS ingests, KDA runs real-time SQL on the stream, KDF delivers to S3. Athena is batch/interactive, not real-time. QuickSight can't consume KDS directly. SQS+EC2 isn't purpose-built for streaming analytics.
Keywords: Kinesis Data Streams, Kinesis Data Analytics, Kinesis Firehose, Real-Time Analytics, Streaming Pipeline, KDS→KDA→KDF→S3
Hybrid Storage: Cached vs Stored Volumes
Answer: Storage Gateway with Cached Volumes.
Why: Cached Volumes store primary data in S3 and cache frequently accessed data locally, which minimizes local storage. Stored Volumes keep the full dataset on-prem with async snapshots to S3, so they still require large local storage and recovery needs a restore from S3.
Keywords: Storage Gateway, Cached Volumes, Stored Volumes, S3 Primary, Local Cache, Hybrid Cloud, Bandwidth Optimization
ASG Minimum Capacity + Cost for HA
Answer: Minimum capacity = 2 + use Reserved Instances for the minimum baseline.
Why: Min=2 ensures HA across AZs (ASG recovers to 2 after an AZ failure). Min=1 is a single point of failure. Min=3 wastes cost. Reserve only the always-on minimum for maximum savings; use On-Demand/Spot for burst.
Keywords: Auto Scaling Group, Minimum Capacity, Reserved Instances, High Availability, Multi-AZ, Cost Optimization, HA Baseline
Static IP for Firewall Whitelisting
Answer: Use a Network Load Balancer (NLB) with an Auto Scaling Group.
Why: NLB exposes a fixed static IP per AZ (or Elastic IP) that can be whitelisted. ALB and CLB expose a DNS name only, no static IP. There is no "dynamic EIP attachment" feature in ASG.
Keywords: Network Load Balancer, NLB, Static IP, Elastic IP, Firewall Whitelist, Layer 4, Fixed IP
Graph Database for Social Queries
Answer: Use Amazon Neptune.
Why: Neptune is a purpose-built graph database optimized for highly connected datasets and relationship queries. Redshift is a data warehouse. OpenSearch is for log/search. Aurora is relational with poor deep graph traversal.
Keywords: Amazon Neptune, Graph Database, Highly Connected, Relationships, Social Network, Gremlin, SPARQL, Recommendation Engine
Identify Idle EC2s + Right-Sizing
Answer: AWS Cost Optimization Hub + AWS Compute Optimizer.
Why: Cost Optimization Hub consolidates recommendations (idle resources, RIs, Savings Plans) across all accounts. Compute Optimizer uses ML for instance type right-sizing. S3 Storage Class Analysis only covers Standard→IA transitions (NOT Glacier). Trusted Advisor does NOT auto-renew RIs.
Keywords: Cost Optimization Hub, Compute Optimizer, Right-Sizing, Idle Resources, Savings Plans, Reserved Instances, Cost Dashboard
Annual Key Rotation for S3 Encryption
Answer: KMS Customer Managed Key (CMK) with automatic rotation enabled + S3 default encryption set to that CMK.
Why: CMK auto-rotation is user-configurable, auditable, and rotates every 12 months automatically. SSE-S3 keys are not user-configurable or auditable. Imported key material disables auto-rotation. CloudHSM requires manual key management, the highest overhead.
Keywords: KMS, Customer Managed Key, CMK, Automatic Key Rotation, Annual Rotation, SSE-KMS, S3 Encryption, Auditable
Stream S3 Files into Kinesis (Fastest, No Code)
Answer: Use AWS DMS (Database Migration Service) as a bridge from S3 to Kinesis Data Streams.
Why: DMS natively supports S3 as source and Kinesis as target, and handles full load AND CDC with no custom code. EventBridge+Lambda requires CloudTrail + custom development. S3 event notifications require significant custom code. S3 cannot directly write to SNS.
Keywords: AWS DMS, S3 to Kinesis, CDC, Change Data Capture, No Code, Full Load, Streaming, Database Migration Service
EFS for Sporadic Bursts, Low Average Throughput
Answer: EFS Burst Throughput Mode + General Purpose performance mode + EFS Standard storage class.
Why: Burst mode earns credits during idle periods and spends them during bursts; fully automatic, no manual config. Provisioned Throughput costs more for low-average workloads. One Zone doesn't auto-enable burst mode. EFS IA adds retrieval latency during bursts.
Keywords: EFS, Burst Throughput, Burst Credits, General Purpose, Sporadic, Automatic Scaling, No Provisioning
Stable IPs for Multi-Region ALBs
Answer: Use AWS Global Accelerator; register ALBs as endpoints.
Why: Global Accelerator provides 2 static anycast IPs globally, so the firewall is configured once. Lambda IP scripts need ongoing updates as IPs change. A single NLB is region-bound. Migrating all ALBs to NLBs still results in multiple IPs per region.
Keywords: Global Accelerator, Static IP, Anycast, Multi-Region, Firewall Whitelist, One-Time Config, ALB Endpoints
Minimum EFS Latency Across AZs
Answer: Create one EFS mount target per Availability Zone and mount from same-AZ instances.
Why: EC2 connecting to its local AZ mount target keeps traffic within the AZ: lowest latency, no cross-AZ charges. A single mount target forces cross-AZ traffic. Mount targets are VPC-level ENIs managed by EFS, not created on EC2 instances.
Keywords: EFS, Mount Target, Per-AZ, Local Access, Low Latency, ENI, Cross-AZ, VPC, Best Practice
CloudFront Capabilities (Select Three)
Answer: (1) Field-Level Encryption, (2) Route to multiple origins by content type, (3) Origin group for HA/failover.
Why: CloudFront uses field-level encryption (not KMS directly). Geo restriction blocks countries; it's not for HA. Price class groups edge locations by cost and does NOT route to different origins. Origin groups provide primary/secondary failover.
Keywords: CloudFront, Field-Level Encryption, Origin Group, Failover, Multiple Origins, Content Type Routing, Geo Restriction, Price Class
Scale VPN Throughput Beyond 1.25 Gbps
Answer: AWS Transit Gateway with ECMP routing + multiple VPN tunnels.
Why: Each VPN tunnel maxes out at 1.25 Gbps. TGW + ECMP aggregates multiple tunnels to scale beyond that. BGP (dynamic routing) must be enabled on the TGW. Virtual Private Gateway does NOT support ECMP. Global Accelerator optimises the path but doesn't add VPN bandwidth.
Keywords: Transit Gateway, ECMP, Equal Cost Multi-Path, VPN Tunnels, BGP, 1.25 Gbps, VPN Throughput, Scalable VPN
Short-Lived RDS Credentials from Lambda
Answer: IAM DB Authentication + IAM Role attached to Lambda.
Why: The IAM role on Lambda generates a short-lived DB auth token (15 min lifetime) instead of using a static username/password. Traffic is encrypted via SSL. Security group rules control network access, not authentication. VPC placement is network config, not auth.
Keywords: IAM DB Authentication, IAM Role, Lambda, Short-Lived Token, RDS, PostgreSQL, 15 Minutes, No Password
Cross-Account S3 Access
Answer: Use a Bucket Policy (resource-based policy).
Why: Bucket policies support cross-account principals. User/identity-based policies only apply to principals in YOUR account. A permissions boundary limits max permissions but does not grant access. Both bucket + user policy: the user policy alone still can't cross accounts.
Keywords: Bucket Policy, Resource-Based Policy, Cross-Account, S3, Principal, Identity Policy vs Resource Policy
Migrate Physical Tapes to AWS
Answer: Use AWS Storage Gateway, Tape Gateway type (Virtual Tape Library).
Why: Tape Gateway replaces physical tapes with virtual tapes in S3, with no backup workflow changes. It archives to Glacier/Deep Archive for ultra-low cost. DataSync supports NFS/SMB only, not tape. Direct Connect is for ongoing hybrid connectivity, not one-time tape migration.
Keywords: Tape Gateway, VTL, Virtual Tape Library, Physical Tapes, S3 Glacier, No Workflow Change, Storage Gateway
S3 Lifecycle: Images vs Thumbnails
Answer: (1) Transition the /images prefix to Standard-IA after 45 days. (2) Transition ALL objects to Glacier after 180 days (no prefix needed).
Why: Thumbnails are still active at 45d, so only transition images using the prefix. At 180d everything archives, so no prefix is needed. One Zone-IA is not HA (single AZ). Glacier with a prefix at 180d is unnecessary; archive everything.
Keywords: S3 Lifecycle, Prefix, Standard-IA, S3 Glacier, Transition, Selective Transition, Archive All, Lifecycle Policy
Elastic Beanstalk Fast Instance Launch
Answer: Golden AMI (static components) + EC2 User Data (dynamic parts at boot).
Why: The Golden AMI pre-bakes the 45-min static install. User Data runs only the fast dynamic config at boot. Using User Data for the full install still takes 45 min. S3 is storage, not an execution environment. Elastic Beanstalk deployment caching does not exist.
Keywords: Golden AMI, EC2 User Data, Fast Launch, Static Installation, Dynamic Config, Elastic Beanstalk, Pre-baked Image
Prevent Accidental DynamoDB Table Deletion
Answer: Enable DynamoDB Deletion Protection.
Why: Deletion Protection is a simple toggle that prevents any DeleteTable operation with zero ongoing maintenance. PITR restores AFTER deletion (reactive). CloudTrail+EventBridge+Lambda detects it, but the data is already lost. Weekly S3 exports have data-loss gaps and require manual recovery.
Keywords: DynamoDB, Deletion Protection, Prevent Deletion, Zero Overhead, PITR vs Deletion Protection, Proactive vs Reactive
S3 Bucket Policy IpAddress + NotIpAddress
Answer: The policy allows the entire /24 CIDR except one IP (54.240.143.188).
Why: IpAddress condition = source must be within 54.240.143.0/24. NotIpAddress condition = source must NOT be 54.240.143.188/32. Both must be true (AND logic). Result: all 256 IPs in the /24 are allowed except .188.
Keywords: Bucket Policy, IpAddress, NotIpAddress, CIDR, Condition, AND Logic, IP Restriction, Allow Except
Route 53 Record Updated but Users Still Hit Old LB
Answer: The TTL (Time to Live) is still in effect: DNS resolvers are serving cached records.
Why: DNS changes don't propagate instantly; resolvers cache the old record until the TTL expires. Best practice: lower the TTL to 300s before making changes. Simple records have NO health checks. CNAME/Alias misconfiguration would break routing entirely, not just delay it.
Keywords: Route 53, TTL, Time to Live, DNS Propagation, DNS Cache, Simple Record, No Health Checks
DynamoDB: Idle at Night, Instant Spikes During Day
Answer: Use DynamoDB On-Demand Capacity Mode.
Why: On-Demand pays per request, handles instant spikes with no capacity planning, and costs nothing during idle periods. Provisioned + Auto Scaling introduces CloudWatch alarm lag, so it is not instant. Global Tables are for multi-region replication, not variable load.
Keywords: DynamoDB, On-Demand, Pay-Per-Request, Unpredictable Traffic, Instant Scale, No Capacity Planning, Bursty Workload
Lambda Best Practices (Select Three)
Answer: (1) VPC Lambda needs a NAT Gateway for internet access. (2) CloudWatch Alarms on ConcurrentExecutions/Invocations. (3) Lambda Layers for reusable shared code.
Why: Default Lambda runs in an AWS-owned VPC with internet access. VPC-enabled Lambda loses that and needs NAT for public access. Lambda CAN be deployed as container images (supported since 2020). Do NOT over-provision the timeout; match it to the actual runtime.
Keywords: Lambda, VPC, NAT Gateway, Lambda Layers, ConcurrentExecutions, CloudWatch Alarm, Container Image, Timeout, Best Practices
IAM's Only Resource-Based Policy
Answer: The Trust Policy (Role Trust Policy) is the only resource-based policy IAM supports.
Why: An IAM role is both an identity and a resource, so it needs a trust policy defining who can assume it. ACLs are used by S3/VPC, not IAM. A Permissions Boundary limits max permissions but doesn't grant access. SCPs are at the AWS Organizations level.
Keywords: Trust Policy, IAM Role, Resource-Based Policy, Assume Role, Principal, STS, Permissions Boundary vs Trust Policy
Async Decoupling with SaaS + Third-Party Apps
Answer: Use Amazon EventBridge.
Why: EventBridge is the ONLY AWS event service with native third-party SaaS integration. It ingests events from 90+ AWS services and supports 15+ targets. SNS/SQS have no SaaS integration. ELB is synchronous load balancing, not event-driven.
Keywords: EventBridge, SaaS Integration, Async Decoupling, Third-Party, Event Bus, Event-Driven, Schema Registry
10x Traffic Spike on Dynamic Website
Answer: Use an Auto Scaling Group (ASG).
Why: An ASG automatically adds/removes EC2 instances to handle any traffic level. CloudFront caches STATIC content, so it is useless for highly dynamic content. S3 hosts static sites only. Route 53 Multi-Value is DNS distribution, not compute scaling.
Keywords: Auto Scaling Group, ASG, Dynamic Content, Traffic Spike, Horizontal Scaling, EC2, CloudFront Static Only
Encrypt RDS Data In-Transit
Answer: Configure Amazon RDS to use SSL/TLS.
Why: SSL/TLS encrypts data moving between the application and RDS. KMS encrypts data AT REST, not in transit. IAM DB auth authenticates users but does not encrypt the channel. Security group changes control network access, not encryption.
Keywords: RDS, SSL, TLS, Data-in-Transit, Encryption, In-Transit vs At-Rest, PostgreSQL, ssl_ca, Force SSL
SAA-C03 Complete Coverage: Gap Topics
Critical topics not fully covered by the practice tests. Master these for a high score.
Disaster Recovery β 4 Strategies (RPO / RTO)
Answer: Backup & Restore → Pilot Light → Warm Standby → Active-Active (cheapest/slowest to costliest/fastest).
Why: RPO = how much data you can lose. RTO = how fast you recover. Backup & Restore: hours. Pilot Light: core DB replicating, apps off, RTO minutes. Warm Standby: scaled-down live clone, RTO seconds. Active-Active: full production in 2+ regions, RTO ~zero.
Keywords: RPO, RTO, Backup & Restore, Pilot Light, Warm Standby, Active-Active, Multi-Site, Disaster Recovery, Cross-Region
Secrets Manager vs SSM Parameter Store
Answer: Secrets Manager for automatic credential rotation. Parameter Store for config values and low-cost secret storage.
Why: Secrets Manager has built-in rotation for RDS/Redshift/DocumentDB and charges ~$0.40/secret/month. Parameter Store is free for standard parameters and supports hierarchy (/app/prod/db), but has no built-in rotation. The keyword 'rotate automatically' always points to Secrets Manager.
Keywords: Secrets Manager, Parameter Store, Automatic Rotation, Credentials, API Keys, RDS Password Rotation, SecureString, SSM
AWS Organizations & Service Control Policies (SCPs)
Answer: SCPs set the MAXIMUM permissions ceiling for entire accounts: they do NOT grant permissions, and they restrict even the root user.
Why: Even if an IAM policy allows an action, an SCP deny overrides it. Common exam scenario: 'prevent any account from disabling CloudTrail' or 'restrict regions to us-east-1 only'; attach the SCP to the root OU. IAM policies work within what SCPs permit.
Keywords: SCPs, Organizations, OU, Organizational Unit, Permission Ceiling, Root User Restriction, Deny All Regions, Consolidated Billing
Elastic Beanstalk Deployment Strategies
Answer: All-at-once (fastest, downtime) → Rolling → Rolling+batch → Immutable (safest rollback) → Blue/Green (zero downtime).
Why: Blue/Green swaps the Route 53 CNAME between two environments: zero downtime, easy rollback. Immutable creates a fresh ASG then swaps; safest, but doubles capacity briefly. Traffic Splitting (Canary) sends a % of traffic to the new version. All-at-once is fastest but causes downtime in production.
Keywords: Elastic Beanstalk, Blue/Green, Immutable, Rolling, All-at-once, Traffic Splitting, Canary, Zero Downtime, Deployment Policy
ECS vs EKS vs Fargate
Answer: ECS = AWS-native containers. EKS = managed Kubernetes. Fargate = serverless compute for either (no EC2 to manage).
Why: ECS is simpler with tight AWS integration. EKS is for teams already using Kubernetes or needing multi-cloud portability. Fargate removes server management for both. Keyword 'serverless containers' = Fargate. Keyword 'Kubernetes' = EKS. Keyword 'no server management, AWS-native' = ECS + Fargate.
Keywords: ECS, EKS, Fargate, Kubernetes, Serverless Containers, Task Definition, Service Auto Scaling, Container Orchestration
AWS Step Functions
Answer: Use Step Functions to orchestrate multi-step workflows with retry, error handling, and parallel execution, especially when Lambda chaining gets complex.
Why: Lambda max runtime is 15 min. Step Functions Standard Workflows can run for up to 1 year. Express Workflows handle high-volume, short-duration tasks. Built-in retry logic, error catching, and human approval states. Keywords 'long-running workflow', 'orchestrate multiple services', 'human approval' → Step Functions.
Keywords: Step Functions, State Machine, Workflow Orchestration, Standard Workflow, Express Workflow, Retry, Error Handling, Human Approval
AWS Backup
Answer: AWS Backup centralizes backup management across EC2, EBS, RDS, DynamoDB, EFS, FSx, and Storage Gateway from one console.
Why: Before AWS Backup, you had to configure backup policies service by service. AWS Backup creates backup plans with schedules and retention. Backup Vault Lock enables WORM (Write Once Read Many) for immutable backups that cannot be deleted even by an admin. Keyword 'centralized backup compliance' or 'cross-account backup' → AWS Backup.
Keywords: AWS Backup, Backup Plan, Backup Vault, Vault Lock, WORM, Cross-Region Backup, Cross-Account Backup, Centralized Backup
FSx for Windows vs FSx for Lustre
Answer: FSx for Windows = SMB + Active Directory for Windows workloads. FSx for Lustre = sub-millisecond HPC/ML file system.
Why: FSx for Windows supports DFS namespaces, AD integration, and the SMB protocol, ideal for migrating Windows file servers. FSx for Lustre delivers hundreds of GB/s throughput, integrates with S3 for data lake pipelines, and is used for ML training, genomics, and financial simulations. Keyword 'Windows file server on AWS' → FSx Windows. Keyword 'HPC, ML training, sub-ms latency' → FSx Lustre.
Keywords: FSx for Windows, FSx for Lustre, SMB, Active Directory, HPC, ML Training, Sub-millisecond, S3 Integration, Parallel File System
Amazon RDS Proxy
Answer: Use RDS Proxy between Lambda and RDS to pool connections and prevent connection exhaustion.
Why: Lambda can scale to thousands of concurrent executions, each opening a new DB connection, which exhausts RDS max connections. RDS Proxy pools connections, reuses them, and reduces failover time by up to 66%. It supports IAM authentication. If the exam says 'Lambda + RDS + connection limit' → the answer is RDS Proxy.
Keywords: RDS Proxy, Connection Pooling, Lambda RDS, Connection Exhaustion, Faster Failover, IAM Auth, Managed Proxy
AWS Config vs CloudTrail
Answer: CloudTrail = WHO made the API call. Config = WHAT the resource configuration is and how it changed.
Why: CloudTrail logs every API call (who, when, from where). Config continuously records resource state and evaluates compliance rules, e.g. 'is this security group open to 0.0.0.0/0?'. Config can auto-remediate via SSM Automation. Use both together: Config detects the misconfiguration, CloudTrail shows who caused it.
Keywords: AWS Config, CloudTrail, Configuration History, Compliance Rules, Auto-Remediation, Resource State, API Audit Log, WHAT vs WHO
Amazon Macie
Answer: Macie uses ML to discover and classify sensitive data (PII, credentials, financial) in Amazon S3.
Why: Macie scans S3 objects, identifies sensitive content, and alerts on exposed data. GDPR/HIPAA compliance in S3 → Macie. Do NOT confuse: GuardDuty = threat/malicious activity. Inspector = CVE vulnerabilities in EC2/containers. Config = resource compliance. Macie = sensitive DATA in S3.
Keywords: Macie, PII, Sensitive Data, S3 Classification, GDPR, HIPAA, Data Discovery, ML-powered, Personally Identifiable Information
Cost Explorer vs Budgets vs Cost Anomaly Detection
Answer: Cost Explorer = analyze + forecast. AWS Budgets = threshold alerts. Cost Anomaly Detection = ML-powered unexpected spike alerts.
Why: Cost Explorer shows historical spend, trends, and RI/Savings Plans recommendations. Budgets sends alerts when you hit a defined $ threshold and can trigger automated actions. Cost Anomaly Detection requires no manual threshold: it learns your baseline and alerts when spend deviates unexpectedly. Keyword 'unexpected cost spike' → Anomaly Detection.
Keywords: Cost Explorer, AWS Budgets, Cost Anomaly Detection, RI Recommendations, Savings Plans, Budget Actions, Forecast, Cost Allocation Tags
Cost Allocation Tags
Answer: Activate Cost Allocation Tags in the Billing Console to track spend by team, project, or department in Cost Explorer.
Why: Without tags, all costs are mixed together. Tags like Environment=Production, Team=DataEng allow Cost Explorer to break down spend. They must be ACTIVATED in the Billing Console to appear in reports. Use AWS Config rules or SCPs (via Tag Policies) to enforce tagging. Keyword 'showback/chargeback', 'cost by team' → Cost Allocation Tags.
Keywords: Cost Allocation Tags, Tag Policy, Chargeback, Showback, Billing Console Activation, Cost Explorer Tags, AWS Organizations Tag Policies
AWS Graviton (ARM-based Instances)
Answer: Graviton instances (M6g, C7g, R7g, etc.) deliver up to 40% better price-performance than equivalent x86 instances for Linux workloads.
Why: AWS designed Graviton processors in-house using the ARM architecture. They cost less and perform better for most Linux/containerized workloads. NOT for Windows (x86 only) or apps requiring x86 binary compatibility. Keyword 'best price-performance for compute' or 'reduce EC2 cost without Reserved Instances' → Graviton.
Keywords: Graviton, ARM, M6g, C7g, R7g, Price-Performance, 40% cheaper, Linux, Containerized, AWS-designed
DataSync vs Storage Gateway
Answer: DataSync = migrate/transfer data to AWS. Storage Gateway = ongoing hybrid access between on-prem and AWS storage.
Why: DataSync is for moving data: NFS/SMB on-prem to S3/EFS/FSx. It's fast, encrypted, and validates data integrity. Storage Gateway keeps on-prem apps working while storing data in AWS: File Gateway (S3), Volume Gateway (EBS snapshots), Tape Gateway (Glacier). Keyword 'migrate files to AWS' → DataSync. Keyword 'on-prem apps need AWS storage' → Storage Gateway.
Keywords: DataSync, Storage Gateway, Migration, Hybrid Storage, NFS, SMB, File Gateway, Volume Gateway, One-Time Transfer, Ongoing Access
VPN: Customer Gateway vs Virtual Private Gateway
Answer: VGW (Virtual Private Gateway) = AWS side. CGW (Customer Gateway) = your on-premises router/firewall side.
Why: Site-to-Site VPN creates 2 encrypted tunnels between the CGW and VGW for redundancy. For HA: use 2 CGWs. For throughput scale: replace the VGW with a Transit Gateway (supports ECMP across multiple VPN tunnels). VGW does NOT support ECMP; only TGW does.
Keywords: Customer Gateway, Virtual Private Gateway, VGW, CGW, Site-to-Site VPN, IPSec, BGP, Static Routing, Redundancy, Two Tunnels