AWS Solutions Architect Associate Study Guide

Cloud Concepts & AWS Fundamentals

Cloud Computing Models

AWS operates across three primary service models that define responsibility boundaries:

  • Infrastructure as a Service (IaaS): You manage applications, data, runtime, middleware, and OS. AWS manages virtualization, servers, storage, and networking. Example: EC2
  • Platform as a Service (PaaS): You manage applications and data. AWS manages everything else. Example: Elastic Beanstalk
  • Software as a Service (SaaS): AWS manages everything. You only use the application. Example: Amazon WorkSpaces

Deployment Models

  • Public Cloud: AWS infrastructure accessible to all customers; multi-tenant environment
  • Private Cloud: Infrastructure dedicated to single organization; can be on-premises or AWS Outposts
  • Hybrid Cloud: Combination of public and private cloud resources; requires AWS Direct Connect or VPN

AWS Global Infrastructure

Understanding geography is critical for exam success. AWS divides the world into:

Component               Definition                                                                            Count
---------               ----------                                                                            -----
Region                  Separate geographic area with multiple Availability Zones                             31+ worldwide
Availability Zone (AZ)  Physical data center with redundant power, networking, and connectivity within a Region  99+ total
Edge Location           Site used by CloudFront (CDN) and Route 53 for reduced latency                        600+ worldwide
Local Zone              Extension of an AWS Region closer to end users for ultra-low latency                  Growing

Key AWS Benefits

  • Scalability: Grow or shrink resources based on demand without capital investment
  • Elasticity: Automatically adjust capacity in real-time
  • Reliability: Multi-AZ deployments provide fault tolerance and high availability
  • Security: Shared responsibility model with AWS handling infrastructure security
  • Cost Efficiency: Pay-as-you-go model eliminates upfront infrastructure costs
  • Performance: Global infrastructure enables low-latency deployment anywhere

Shared Responsibility Model

AWS is responsible for "security OF the cloud" (infrastructure, hardware, software, networking, facilities). Customers are responsible for "security IN the cloud" (data encryption, access control, network configuration, application security, OS patching for EC2). This boundary shifts based on service type—IaaS requires more customer responsibility than SaaS.

Compute Services

Compute services are foundational to AWS solutions and include EC2, Lambda, ECS, EKS, and Elastic Beanstalk. Understanding when to use each service is critical for the Solutions Architect Associate exam.

Amazon EC2 (Elastic Compute Cloud)

EC2 provides resizable virtual servers with full control over operating systems, middleware, and applications. Key concepts include:

  • Instance types: General purpose (t3, m5), compute optimized (c5), memory optimized (r5), storage optimized (i3), and GPU instances (p3)
  • Purchasing options: On-Demand (pay per hour), Reserved Instances (1-3 year commitments, up to 72% discount), Spot Instances (up to 90% discount but can be interrupted), Dedicated Hosts
  • Auto Scaling: Automatically adjusts capacity based on demand using launch templates and scaling policies
  • Placement groups: Cluster (low-latency), Partition (distributed workloads), or Spread (minimize correlated failures)

AWS Lambda

Serverless compute that executes code without managing servers. Lambda is ideal for event-driven workloads with unpredictable traffic patterns.

  • Pricing: Based on invocations and duration (1ms increments)
  • Timeout limit: Maximum 15 minutes execution time
  • Memory allocation: 128 MB to 10,240 MB; CPU scales proportionally with memory
  • Concurrent execution limit: Default 1,000 per account per region (adjustable)
  • Triggers: API Gateway, S3, DynamoDB Streams, SNS, CloudWatch Events, SQS, Kinesis

Container Services

Amazon ECS (Elastic Container Service): Managed container orchestration for Docker containers, using either the EC2 or the Fargate launch type. Simpler than Kubernetes, with native AWS integration.

Amazon EKS (Elastic Kubernetes Service): Managed Kubernetes service for users requiring Kubernetes-specific features or multi-cloud portability.

AWS Elastic Beanstalk

Platform-as-a-Service (PaaS) for deploying web applications and APIs. Automatically handles capacity provisioning, load balancing, and scaling. Ideal for developers who want to avoid infrastructure management.

Service Selection Matrix

Service            Best For                                  Management Level
-------            --------                                  ----------------
EC2                Full control, long-running applications   High
Lambda             Event-driven, variable workloads          Low
ECS                Containerized applications, AWS-native    Medium
EKS                Kubernetes expertise, portability         Medium-High
Elastic Beanstalk  Rapid application deployment              Low

Exam tip: Focus on matching business requirements to the most cost-effective and operationally efficient service. Serverless (Lambda, Fargate) is preferred when traffic is variable; reserved capacity is preferred for predictable, constant workloads.

Storage Services

Overview: AWS provides multiple storage services designed for different use cases, access patterns, and performance requirements. Understanding when to use each service is critical for the Solutions Architect exam.

Core Storage Services

Amazon S3 (Simple Storage Service) is object storage for any amount of data. Key characteristics include:

  • 11 nines of durability (99.999999999%) across multiple AZs
  • Unlimited scalability with no provisioning required
  • Access via HTTP/HTTPS REST API
  • Object size range: 0 bytes to 5 TB per object
  • Versioning, lifecycle policies, and cross-region replication supported
  • Use cases: backups, data lakes, static websites, archives

Amazon EBS (Elastic Block Store) provides block storage for EC2 instances:

  • Persistent storage independent of instance lifecycle
  • Volume types: gp3 (general purpose, recommended), gp2, io1/io2 (high IOPS), st1/sc1 (throughput/cold)
  • Max volume size: 64 TiB
  • Snapshots enable point-in-time backups to S3
  • Can be encrypted at rest and in transit
  • Use cases: databases, applications, OS volumes

Amazon EFS (Elastic File System) is managed NFS for multiple EC2 instances:

  • Shared access across multiple instances simultaneously
  • Automatic scaling with no capacity planning
  • Supports on-premises access via AWS Direct Connect
  • Performance modes: General Purpose (default), Max IO
  • Use cases: shared file systems, content repositories, home directories

AWS Storage Gateway bridges on-premises environments with cloud storage:

  • File Gateway: NFS/SMB interface to S3
  • Volume Gateway: block storage backed by S3 snapshots
  • Tape Gateway: virtual tape library for archival

Storage Service Comparison Table

Service  Type              Access Pattern  Multi-Instance  Best For
-------  ----              --------------  --------------  --------
S3       Object            HTTP/REST       Yes             Data lakes, backups, archives
EBS      Block             Direct attach   No              Databases, single instance
EFS      File              NFS/SMB         Yes             Shared file systems
Glacier  Object (archive)  HTTP/REST       Yes             Long-term archival

Key Exam Facts: EBS is block storage for single instances; EFS is file storage for multiple instances; S3 is object storage for any workload. Remember that EBS snapshots are stored in S3 but managed automatically. Always consider durability requirements, access patterns, and cost when selecting storage services.

Networking & Security

Core Networking Services: AWS networking centers on VPC (Virtual Private Cloud), which provides isolated network environments. Each AWS account gets a default VPC, but custom VPCs allow granular control over IP ranges, subnets, routing, and security.

VPC Architecture Essentials

A VPC spans a region and contains subnets across multiple Availability Zones. Public subnets route traffic to Internet Gateways, while private subnets typically route through NAT Gateways. Each subnet requires a route table defining traffic rules.

Component         Purpose                         Key Detail
---------         -------                         ----------
Internet Gateway  Enable internet access          One per VPC; attached to enable public routing
NAT Gateway       Private subnet internet access  Requires an Elastic IP; placed in a public subnet
Route Table       Define traffic paths            Associated with subnets; controls routing decisions
Network ACL       Subnet-level filtering          Stateless; explicit allow/deny rules

Security Groups vs Network ACLs

Security Groups: Instance-level, stateful firewalls. All inbound traffic is denied by default, and only allow rules are supported, so anything not explicitly allowed is dropped. Applied to ENIs (Elastic Network Interfaces). Changes take effect immediately.

Network ACLs: Subnet-level, stateless firewalls. The default NACL allows all traffic. Support both allow and deny rules. Rules are numbered (100, 110, etc.) and evaluated in ascending order; the first matching rule wins. Because they are stateless, return traffic must also be explicitly allowed (typically the ephemeral port range). Used for broader subnet protections.
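The two evaluation models above, as an added example that is not from the study guide: a small Python simulator with constructed rule sets (the CIDRs, ports and rule numbers are illustrative, not AWS defaults) showing first-match ordering in a NACL, and why a reply that a stateful security group admits automatically still needs an explicit ephemeral-port allow in a stateless NACL.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are numbered and evaluated in ascending order
    action: str      # "allow" or "deny" (security groups support "allow" only)
    cidr: str
    port_from: int
    port_to: int

def matches(rule, addr, port):
    return (ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= port <= rule.port_to)

def nacl_decision(rules, addr, port):
    """Stateless and ordered: the first matching rule wins; the implicit
    final '*' rule denies anything that matched nothing."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, addr, port):
            return rule.action
    return "deny"

def sg_decision(rules, addr, port, tracked):
    """Stateful and allow-only: a reply to a tracked connection passes with
    no rule at all; otherwise any matching allow rule passes, else drop."""
    if (addr, port) in tracked:
        return "allow"
    return "allow" if any(matches(r, addr, port) for r in rules) else "deny"

# Constructed rule sets (not AWS defaults): the NACL denies one CIDR before
# the broad HTTPS allow, then opens the ephemeral range so replies get back.
NACL_IN = [
    Rule(100, "deny",  "203.0.113.0/24", 0, 65535),   # blocked CIDR (constructed)
    Rule(110, "allow", "0.0.0.0/0",      443, 443),
    Rule(120, "allow", "0.0.0.0/0",      1024, 65535),
]
SG_IN = [Rule(0, "allow", "0.0.0.0/0", 443, 443)]

def inbound_allowed(addr, port):
    """A new inbound packet must pass the subnet NACL, then the ENI's SG."""
    return (nacl_decision(NACL_IN, addr, port) == "allow"
            and sg_decision(SG_IN, addr, port, frozenset()) == "allow")

def return_traffic_allowed(addr, client_port, nacl_rules):
    """Reply to a connection the instance opened: the SG passes it statefully,
    but the stateless NACL still needs an allow rule covering client_port."""
    tracked = frozenset({(addr, client_port)})   # the SG's connection state
    return (nacl_decision(nacl_rules, addr, client_port) == "allow"
            and sg_decision(SG_IN, addr, client_port, tracked) == "allow")
```

Dropping rule 120 from NACL_IN is the classic misconfiguration: outbound connections succeed, but every reply is silently denied at the subnet boundary.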

Connectivity Options

  • VPN: Encrypted site-to-site connection; customer gateway on-premises, virtual private gateway in AWS
  • Direct Connect: Dedicated network connection; consistent bandwidth; lower latency; private connectivity
  • VPC Peering: Connect VPCs privately; non-transitive; requires route table updates
  • Transit Gateway: Centralized hub for multi-VPC/on-premises connectivity; simplifies complex networks
  • CloudFront: CDN for content delivery; edge locations globally; DDoS protection included

DNS & Load Balancing

Route 53: Managed DNS service supporting simple, weighted, latency-based, failover, geolocation, and multi-value routing policies. Health checks enable automatic failover.

Load Balancers: ALB (Application Load Balancer, Layer 7), NLB (Network Load Balancer, Layer 4, ultra-high performance), CLB (Classic Load Balancer, legacy). Target groups distribute traffic; health checks determine instance status.

Encryption & Compliance

Use KMS (Key Management Service) for encryption keys. TLS/SSL secures data in transit. Enable VPC Flow Logs to monitor network traffic. AWS CloudTrail audits API calls. Implement least-privilege IAM policies. Enable S3 Block Public Access for data protection.
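What "monitor network traffic" with VPC Flow Logs looks like in practice, as an added example that is not part of the study guide: a parser for the default flow log record layout (version 2, space-separated fields) run over a few constructed records, flagging a source whose rejected connection attempts spread across several destination ports. The account id, ENI id and addresses are placeholders.

```python
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records in the default (version 2) flow log layout.
# The account id, ENI id and addresses are placeholders, not real resources.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.20 51234 22 6 6 360 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.20 51235 3389 6 6 360 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.8 10.0.1.20 44310 443 6 20 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.20 51236 445 6 6 360 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000060 1700000120 - NODATA
"""

def parse_flow_log(text):
    """Split space-separated records into dicts, dropping malformed lines
    and NODATA/SKIPDATA records, whose traffic fields are just '-'."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":
            records.append(rec)
    return records

def rejected_ports_by_source(records, min_ports=2):
    """Sources whose REJECTed attempts (dropped by a security group or NACL)
    hit at least min_ports distinct destination ports: worth an alert."""
    ports = {}
    for r in records:
        if r["action"] == "REJECT":
            ports.setdefault(r["srcaddr"], set()).add(int(r["dstport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def bytes_accepted(records):
    """Total bytes on ACCEPTed flows, a quick sanity check on what got through."""
    return sum(int(r["bytes"]) for r in records if r["action"] == "ACCEPT")
```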

Exam Tip: Understand when to use Security Groups (instance protection) versus NACLs (subnet protection). Remember NAT Gateways are stateful; Network ACLs are not.

Databases & Architecture

Core Database Services Overview

AWS provides managed database services across relational (SQL) and non-relational (NoSQL) categories. Understanding when to use each service is critical for the Solutions Architect exam.

Relational Databases (RDS)

  • RDS manages MySQL, PostgreSQL, MariaDB, Oracle, and SQL Server with automated backups, patching, and multi-AZ failover
  • Multi-AZ deployment provides synchronous replication to a standby instance in a different AZ for high availability
  • Read replicas scale read capacity across regions or within a region; replicas can be promoted to standalone databases
  • Automated backups retained for 1-35 days; manual snapshots persist until deleted
  • RDS Proxy reduces database connection overhead and improves application resilience

Non-Relational Databases

  • DynamoDB is a fully managed NoSQL key-value and document database with single-digit millisecond latency; it scales to virtually unlimited throughput and storage with on-demand or provisioned capacity
  • DynamoDB uses partition keys and optional sort keys; Global Tables enable multi-region active-active replication
  • Amazon DocumentDB (with MongoDB compatibility) provides a MongoDB-compatible API with automatic scaling and point-in-time recovery
  • ElastiCache (Redis/Memcached) caches frequently accessed data in-memory; reduces RDS load and improves application performance

Specialized Databases

  • Redshift is a data warehouse for OLAP (Online Analytical Processing) workloads; clusters scale horizontally
  • Neptune handles graph databases for relationships and connections
  • Elasticsearch Service enables full-text search and log analytics

Key Architecture Decisions

Scenario                                            Recommended Service
--------                                            -------------------
Structured data, ACID compliance, complex queries   RDS (Multi-AZ for HA)
High-velocity reads/writes, flexible schema         DynamoDB
Session storage, cache layer                        ElastiCache
Historical data analysis, large datasets            Redshift
Real-time search capabilities                       Elasticsearch

High Availability & Disaster Recovery

  • Multi-AZ RDS provides automatic failover within 60-120 seconds
  • Read replicas enable manual failover and regional distribution
  • DynamoDB Global Tables support RPO of near-zero and RTO of seconds
  • Database snapshots are region-specific; copy snapshots across regions for disaster recovery

Performance & Scaling

  • Amazon Aurora (part of RDS) supports Auto Scaling of read replicas, with up to 15 read replicas per primary instance
  • DynamoDB auto-scaling adjusts provisioned capacity based on demand metrics
  • Connection pooling via RDS Proxy reduces application overhead and connection limits
