AWS Route 53

July 23, 2022 ~ Last updated on : June 15, 2026 ~ jayendrapatil ~ 21 Comments

AWS Route 53

Route 53 is a highly available and scalable Domain Name System (DNS) web service.

Route 53 provides three main functions:
- Domain registration
  - allows domain names registration
  - supports registration and management of 34+ new top-level domains (TLDs) including .app, .dev, .art, .forum, .health, and .realty
- Domain Name System (DNS) service
  - translates friendly domains names like www.example.com into IP addresses like 192.0.2.1
  - responds to DNS queries using a global network of authoritative DNS servers, which reduces latency
  - can route Internet traffic to CloudFront, Elastic Beanstalk, ELB, or S3. There’s no charge for DNS queries to these resources
- Health Checking
  - can monitor the health of resources such as web and email servers.
  - sends automated requests over the Internet to the application to verify that it’s reachable, available, and functional
  - CloudWatch alarms can be configured for the health checks to send notifications when a resource becomes unavailable.
  - can be configured to route Internet traffic away from resources that are unavailable
- Security
  - supports both DNSSEC for domain registration and DNSSEC signing
  - supports AWS PrivateLink for API requests, allowing workloads to manage DNS infrastructure without using the public internet (announced Nov 2025)

Supported DNS Resource Record Types

A (Address) Format
- is an IPv4 address in dotted decimal notation for e.g. 192.0.2.1
AAAA Format
- is an IPv6 address in colon-separated hexadecimal format

CNAME Format
- is the same format as a domain name
- DNS protocol does not allow creation of a CNAME record for the top node of a DNS namespace, also known as the zone apex for e.g. the DNS name example.com registration, the zone apex is example.com, a CNAME record for example.com cannot be created, but CNAME records can be created for www.example.com, newproduct.example.com etc.
- If a CNAME record is created for a subdomain, any other resource record sets for that subdomain cannot be created for e.g. if a CNAME created for www.example.com, no other resource record sets for which the value of the Name field is www.example.com can be created

MX (Mail Xchange) Format
- contains a decimal number that represents the priority of the MX record, and the domain name of an email server
NS (Name Server) Format
- An NS record identifies the name servers for the hosted zone. The value for an NS record is the domain name of a name server.
PTR Format
- A PTR record Value element is the same format as a domain name.

SOA (Start of Authority) Format
- SOA record provides information about a domain and the corresponding Amazon Route 53 hosted zone
SPF (Sender Policy Framework) Format
- SPF records were formerly used to verify the identity of the sender of email messages, however is not recommended
- Instead of an SPF record, a TXT record that contains the applicable value is recommended
SRV Format
- An SRV record Value element consists of four space-separated values. The first three values are decimal numbers representing priority, weight, and port. The fourth value is a domain name for e.g. 10 5 80 hostname.example.com
TXT (Text) Format
- A TXT record contains a space-separated list of double-quoted strings. A single string include a maximum of 255 characters. In addition to the characters that are permitted unescaped in domain names, space is allowed in TXT strings

HTTPS Format (New – Oct 2024)
- HTTPS records are specific for use with the HTTP protocol and allow application owners to bind endpoint-specific information into the DNS reply.
- Enables clients to discover the optimal HTTP protocol version (HTTP/2, HTTP/3) during the initial DNS resolution phase rather than in a subsequent connection step, reducing latency.
- Supports two modes: AliasMode (aliases a DNS name to another DNS name) and ServiceMode (passes parameters like ALPN, port, ECH, and IP hints).
- Supported for both public and private hosted zones.
SVCB (Service Binding) Format (New – Oct 2024)
- SVCB records allow application owners to bind endpoint-specific information for any service, irrespective of protocol.
- Similar to HTTPS records but the record name includes the port and protocol.
- Supports AliasMode and ServiceMode with parameters like TLS ALPN, port number, ECH configuration, and IP hints.
- Supported for both public and private hosted zones.
TLSA Format (New – Oct 2024)
- TLSA records allow administrators to specify a public key fingerprint of the TLS certificate in DNS (DNS-based Authentication of Named Entities – DANE).
- Enables a TLS client to verify using DNS that the certificate presented by a server is expected.
- Helps prevent man-in-the-middle attacks and downgrade attacks, particularly useful for SMTP over TLS.
- Requires DNSSEC to be enabled on the hosted zone.
- Supported only for public hosted zones.

SSHFP (Secure Shell Fingerprint) Format (New – Oct 2024)
- SSHFP records allow DNS servers to answer SSH client requests for SSH fingerprints with DNSSEC-signed records.
- SSH client validates the fingerprint a server presents with those provided by the DNS server, mitigating man-in-the-middle attacks.
- Requires DNSSEC to be enabled on the hosted zone and DNSSEC validation on the client.
- Supported only for public hosted zones.

Alias Resource Record Sets

Route 53 supports alias resource record sets, which enables routing of queries to a CloudFront distribution, Elastic Beanstalk, ELB, an S3 bucket configured as a static website, or another Route 53 resource record set
Alias records are not standard for DNS RFC and are a Route 53 extension to DNS functionality

Alias record is similar to a CNAME record and is always of type A or AAAA
Alias record can be created both for the root domain or apex zone, such as example.com, and for subdomains, such as www.example.com. CNAME records can be used only for subdomains.
Route 53 automatically recognizes changes in the resource record sets that the alias resource record set refers to for e.g. for a site pointing to a load balancer, if the IP of the load balancer changes, it will reflect those changes automatically in the DNS answers without any changes to the hosted zone that contains resource record sets

Alias resource record set does not support TTL or Time to Live if it points to a CloudFront distribution, an ELB, or an S3 bucket. Underlying CloudFront, load balancer, or S3 TTLs are used.
Alias records are free to query and do not incur any charges.
Alias record supported targets
- Elastic Load Balancers
- CloudFront distributions
- API Gateway
- Elastic Beanstalk
- S3 Website
- Global Accelerator
- VPC Interface Endpoints
- Route 53 record in the same hosted zone

Alias records are not supported for
- EC2 DNS
- RDS endpoints.

Route 53 Alias vs CNAME

Refer to blog post @ Route 53 Alias vs CNAME

Route 53 Hosted Zone

Hosted Zone is a container for records, which include information about how to route traffic for a domain (such as example.com) and all of its subdomains (such as www.example.com, retail.example.com, and seattle.accounting.example.com).

A hosted zone has the same name as the corresponding domain.
Routing Traffic to the Resources
- Create a hosted zone with either a public hosted zone or a private hosted zone:
  - Public Hosted Zone – for routing internet traffic to the resources for a specific domain and its subdomains
  - Private hosted zone – for routing traffic within a VPC
- Create records in the hosted zone
  - Records define where to route traffic for each domain name or subdomain name.
  - Name of each record in a hosted zone must end with the name of the hosted zone.
For public/private and private Hosted Zones that have overlapping namespaces, Route 53 Resolvers routes traffic to the most specific match.

IAM permissions apply only at the Hosted Zone level
Accelerated Recovery (New – Nov 2025)
- Accelerated recovery for public hosted zones targets a 60-minute Recovery Time Objective (RTO) for DNS record changes during service disruptions in the US East (N. Virginia) Region.
- Provides built-in failover of the Route 53 control plane to the Oregon Region (us-west-2).
- When enabled, allows making changes to DNS records in public hosted zones even when the us-east-1 Region is unavailable.
- Enhances business continuity for mission-critical applications that rely on DNS changes for failover.

Route 53 Health Checks

Route 53 health checks monitor the health and performance of the underlying resources.

Health check types
- Health checks that monitor an endpoint, such as a web server.
  - Health checkers are located in locations around the world.
  - The health checker location and interval can be specified.
  - Health checker evaluates the health of the endpoint based
    - Response time
    - Specified failure threshold – Whether the endpoint responds to a number of consecutive health checks
  - The endpoint is considered healthy if more than 18% of health checkers report that an endpoint is healthy.
  - Health check is considered healthy if
    - HTTP and HTTPS health checks
      - TCP connection can be established within four seconds.
      - Returns 2xx or 3xx within two seconds after connecting.
    - TCP health checks
      - TCP connection can be established within ten seconds.
    - HTTP and HTTPS health checks with string matching
      - TCP connection can be established within four seconds.
      - Returns 2xx or 3xx within two seconds after connecting.
      - Route 53 searches the response body for the specified string which must appear entirely in the first 5,120 bytes of the response body or the endpoint fails the health check.
- Calculated health checks – Health checks that monitor the status of other health checks.
  - Health check that does the monitoring is the parent health check, and the health checks that are monitored are child health checks.
  - One parent health check can monitor the health of up to 255 child health checks
- Health checks that monitor the status of a CloudWatch alarm.
  - Route 53 monitors the data stream for the corresponding alarm instead of monitoring the alarm state.

Route 53 checks the health of an endpoint by sending an HTTP, HTTPS, or TCP request to the specified IP address and port.
For a health check to succeed, the router and firewall rules must allow inbound traffic from the IP addresses that the health checkers use.

Route 53 Routing Policies

Refer Blog post @ Route 53 Routing Policies

Route 53 Resolver

Refer Blog post @ Route 53 Resolver

Route 53 Global Resolver (New – GA March 2026)

Route 53 Global Resolver is an internet-reachable anycast DNS resolver that delivers easy, secure, and reliable DNS resolution for authorized clients from anywhere.

Provides DNS resolution for authenticated clients in on-premises data centers, branch offices, and remote locations through globally distributed anycast IP addresses.
Resolves both public internet domains and Route 53 private hosted zones, eliminating the need for separate split-DNS forwarding infrastructure.
Supports multiple DNS protocols including DNS over UDP (Do53), DNS-over-HTTPS (DoH), and DNS-over-TLS (DoT).

Includes built-in security controls:
- DNS traffic filtering to block potentially malicious domains
- Support for encrypted DNS queries
- Centralized logging for auditing and compliance
- Integration with Route 53 Resolver DNS Firewall rules (threat categories, content categories, and advanced DNS threat protection)
Anycast architecture automatically routes each query to the closest healthy AWS Region, providing built-in failover without client-side changes.

Deployed across multiple AWS Regions simultaneously (minimum two).
Supports adding and removing AWS Regions for flexible control over where DNS queries are resolved.
Available across 30+ AWS Regions with support for both IPv4 and IPv6 DNS query traffic.

Route 53 Profiles (New – April 2024)

Route 53 Profiles allows defining a standard DNS configuration and applying it to multiple VPCs in the same AWS Region.

A Profile can include:
- Route 53 private hosted zone (PHZ) associations
- Route 53 Resolver forwarding rules
- Route 53 Resolver DNS Firewall rule groups
- VPC endpoint associations
Profiles can be shared across AWS accounts using AWS Resource Access Manager (RAM).
Eliminates the need for per-VPC PHZ associations by allowing DNS configurations to be managed centrally.

Simplifies DNS management in multi-account environments by reducing operational complexity.
Supports consistent DNS Query Logging configuration at the Profile level with automatic propagation to all associated VPCs.
Supports granular IAM permissions for resource and VPC associations.
Supports AWS PrivateLink for private access to manage Profiles without going through the public internet.

Route 53 Split-view (Split-horizon) DNS

Route 53 Split-view (Split-horizon) DNS helps access an internal version of the website using the same domain name that is used publicly.
Both a private and public hosted zone can be maintained with the same domain name for split-view DNS.
Ensure that DNS resolution and DNS hostnames are enabled on the source VPC.

DNS queries will respond with answers based on the source of the request.
From within the VPC, answers will come from the private hosted zone, while public queries will return answers from the public hosted zone.

Route 53 DNSSEC

DNSSEC – Domain Name System Security Extensions, a protocol for securing DNS traffic, helps protect a domain from DNS spoofing man-in-the-middle attacks.

DNSSEC works only for public hosted zones.
Route 53 supports DNSSEC signing as well as DNSSEC for domain registration.
With DNSSEC enabled for a domain, the DNS resolver establishes a chain of trust for responses from intermediate resolvers.
The chain of trust begins with the TLD registry for the domain (your domain’s parent zone) and ends with the authoritative name servers at your DNS service provider.

With DNSSEC enabled, Route 53 creates a key-signing key (KSK) using customer managed key in AWS KMS that supports DNSSEC. The customer-managed key must meet the following requirements:
- must be in the US East (N. Virginia) Region
- must be an asymmetric customer managed key with an ECC_NIST_P256 key spec.

Route 53 Resolver DNS Firewall

Route 53 Resolver DNS Firewall provides protection for outbound DNS requests from the VPCs and can monitor and control the domains that the applications can query.

DNS Firewall can filter and regulate outbound DNS traffic for the VPC.
Reusable collections of filtering rules can be created in DNS Firewall rule groups and be associated with the VPC, with the activity monitored in DNS Firewall logs and metrics.
A primary use of DNS Firewall protections is to help prevent DNS exfiltration of the data. DNS exfiltration can happen when a bad actor compromises an application instance in the VPC and then uses DNS lookup to send data out of the VPC to a domain that they control.

DNS Firewall can be configured to
- deny access to the domains that you know to be bad and allow all other queries to pass through OR
- deny access to all domains except for the ones that you explicitly trust.

DNS Firewall is a feature of Route 53 Resolver and doesn’t require any additional Resolver setup to use.
Firewall Manager can be used to centrally configure and manage the DNS Firewall rule group associations for the VPCs across the accounts in an Organization. Firewall Manager automatically adds associations for VPCs that come into the scope of the Firewall Manager DNS Firewall policy.
DNS Firewall Advanced (New – Nov 2024)
- DNS Firewall Advanced provides intelligent, real-time protection against advanced DNS threats.
- Detects DNS tunneling attacks by inspecting DNS payload characteristics including request timestamps, frequency, query string length, and response sizes.
- Identifies Domain Generation Algorithm (DGA) based threats, including dictionary-based DGAs used by attackers to evade detection in malware command-and-control communications.
- Supports threat domain categories (e.g., Malware, Spam, Phishing) for DNS query blocking based on DNS threat types.
- Supports content domain categories (e.g., Adult Content, Gambling, Not-safe-for-work domains) for granular content filtering.
- Works alongside existing DNS Firewall domain list rules for comprehensive defense-in-depth.

Route 53 Application Recovery Controller (ARC)

Route 53 Application Recovery Controller helps manage and coordinate recovery for applications across AWS Regions and Availability Zones.
Zonal Shift
- Zonal shift allows shifting traffic for a supported resource away from an impaired Availability Zone to healthy AZs in the same Region.
- All zonal shifts are temporary and must be set initially to expire within three days (72 hours), but can be updated to set a new expiration.
Zonal Autoshift
- Zonal autoshift allows AWS to automatically shift traffic away from an AZ when AWS detects a potential failure there.
- Operates on the principle of static stability, where the application is pre-scaled across multiple AZs to handle the complete loss of capacity in any single zone.
- Practice runs are initiated to ensure that shifting traffic during an autoshift is safe for the application.
Routing Control
- Routing controls are simple on/off switches that allow failover of traffic from one replica to another.
- Enables highly available data plane operations for multi-Region failover.

Route 53 Logging

DNS Query Logging
- DNS Query logs contain information like
  - Domain or subdomain that was requested
  - Date and time of the request
  - DNS record type (such as A or AAAA)
  - Route 53 edge location that responded to the DNS query
  - DNS response code, such as NoError or ServFail
- Route 53 will send DNS Query logs to CloudWatch Logs.
- DNS Query Logging is only available for public hosted zones. Use Resolver Query logging for private hosted zones.
- Query logs contain only the queries that DNS resolvers forward to Route 53 and do not include the entries cached by DNS resolvers.
Resolver Query Logging
- Resolver Query logging logs the following queries
  - Queries that originate in specified VPCs, as well as the responses to those DNS queries.
  - Queries from on-premises resources that use an inbound Resolver endpoint.
  - Queries that use an outbound Resolver endpoint for recursive DNS resolution.
  - Queries that use Route 53 Resolver DNS Firewall rules to block, allow, or monitor domain lists.
- Resolver query logging logs only unique queries, not queries that Resolver is able to respond to from the cache.
- Resolver query logs include values such as the following:
  - AWS Region where the VPC was created
  - The ID of the VPC that the query originated from
  - The IP address of the instance that the query originated from
  - The instance ID of the resource that the query originated from
  - The date and time that the query was first made
  - The DNS name requested (such as prod.example.com)
  - The DNS record type (such as A or AAAA)
  - The DNS response code, such as NoError or ServFail
  - The DNS response data, such as the IP address that is returned in response to the DNS query
  - A response to a DNS Firewall rule action
- Route 53 will send Resolver Query logs to
  - CloudWatch Logs log group
  - S3
  - Kinesis Data Firehose delivery stream

Route 53 Resolver Endpoints – DNS Delegation (New – June 2025)

Route 53 Resolver endpoints now support DNS delegation for private hosted zones.
Allows delegating the authority for a subdomain from on-premises infrastructure to the Route 53 Resolver cloud service and vice versa.
Uses standard name server (NS) records for delegation, eliminating the need for conditional forwarding rules across the organization.
Simplifies hybrid DNS management by providing a cloud-native experience across namespaces in AWS and on-premises infrastructure.
Supports Resolver endpoints with DNS64 on inbound endpoints and IPv6 forwarding through IGW on outbound endpoints for IPv4/IPv6 hybrid network management.

AWS Certification Exam Practice Questions

What does Amazon Route53 provide?
1. A global Content Delivery Network.
2. None of these.
3. A scalable Domain Name System
4. An SSH endpoint for Amazon EC2.
Does Amazon Route 53 support NS Records?
1. Yes, it supports Name Service records.
2. No
3. It supports only MX records.
4. Yes, it supports Name Server records.
Does Route 53 support MX Records?
1. Yes
2. It supports CNAME records, but not MX records.
3. No
4. Only Primary MX records. Secondary MX records are not supported.
Which of the following statements are true about Amazon Route 53 resource records? Choose 2 answers
1. An Alias record can map one DNS name to another Amazon Route 53 DNS name.
2. A CNAME record can be created for your zone apex.
3. An Amazon Route 53 CNAME record can point to any DNS record hosted anywhere.
4. TTL can be set for an Alias record in Amazon Route 53.
5. An Amazon Route 53 Alias record can point to any DNS record hosted anywhere.
Which statements are true about Amazon Route 53? (Choose 2 answers)
1. Amazon Route 53 is a region-level service
2. You can register your domain name
3. Amazon Route 53 can perform health checks and failovers to a backup site in the event of the primary site failure
4. Amazon Route 53 only supports Latency-based routing
A customer is hosting their company website on a cluster of web servers that are behind a public-facing load balancer. The customer also uses Amazon Route 53 to manage their public DNS. How should the customer configure the DNS zone apex record to point to the load balancer?
1. Create an A record pointing to the IP address of the load balancer
2. Create a CNAME record pointing to the load balancer DNS name.
3. Create a CNAME record aliased to the load balancer DNS name.
4. Create an A record aliased to the load balancer DNS name
A user has configured ELB with three instances. The user wants to achieve High Availability as well as redundancy with ELB. Which of the below mentioned AWS services helps the user achieve this for ELB?
1. Route 53
2. AWS Mechanical Turk
3. Auto Scaling
4. AWS EMR
How can the domain’s zone apex for example “myzoneapexdomain.com” be pointed towards an Elastic Load Balancer?
1. By using an AAAA record
2. By using an A record
3. By using an Amazon Route 53 CNAME record
4. By using an Amazon Route 53 Alias record
You need to create a simple, holistic check for your system’s general availability and uptime. Your system presents itself as an HTTP-speaking API. What is the simplest tool on AWS to achieve this with?
1. Route53 Health Checks (Refer link)
2. CloudWatch Health Checks
3. AWS ELB Health Checks
4. EC2 Health Checks
Your organization’s corporate website must be available on www.acme.com and acme.com. How should you configure Amazon Route 53 to meet this requirement?
1. Configure acme.com with an ALIAS record targeting the ELB. www.acme.com with an ALIAS record targeting the ELB.
2. Configure acme.com with an A record targeting the ELB. www.acme.com with a CNAME record targeting the acme.com record.
3. Configure acme.com with a CNAME record targeting the ELB. www.acme.com with a CNAME record targeting the acme.com record.
4. Configure acme.com using a second ALIAS record with the ELB target. www.acme.com using a PTR record with the acme.com record target.
A company wants to prevent DNS exfiltration from their VPCs. They need to block DNS queries to known malicious domains and detect DNS tunneling attempts. Which Route 53 feature should they use? (New)
1. Route 53 Health Checks with CloudWatch Alarms
2. Route 53 Resolver DNS Firewall with DNS Firewall Advanced
3. Route 53 DNSSEC Signing
4. Route 53 Traffic Flow policies
An organization manages DNS configurations across 200+ VPCs in multiple AWS accounts. They need to standardize private hosted zone associations, Resolver forwarding rules, and DNS Firewall rule groups across all VPCs. Which feature simplifies this? (New)
1. Route 53 Traffic Flow
2. AWS Organizations Service Control Policies
3. Route 53 Profiles
4. Route 53 Resolver Rules shared via RAM individually
A company wants to improve the security of SMTP email between their mail servers. They need DNS to provide TLS certificate fingerprints so sending servers can verify the receiving server’s identity. Which DNS record type should they use? (New)
1. SSHFP record
2. HTTPS record
3. SVCB record
4. TLSA record
A company has remote offices and on-premises data centers that need secure DNS resolution for both public internet domains and Route 53 private hosted zones without deploying Route 53 Resolver endpoints in each location. Which service should they use? (New)
1. Route 53 Resolver with outbound endpoints in every Region
2. A self-managed recursive DNS resolver
3. Route 53 Global Resolver
4. Route 53 Profiles with AWS PrivateLink
A company wants to ensure they can continue making DNS record changes during a regional outage in us-east-1. Which Route 53 feature should they enable? (New)
1. Route 53 Multi-Value Answer routing
2. Route 53 Application Recovery Controller
3. Route 53 Accelerated Recovery for public hosted zones
4. Route 53 Health Checks with Failover routing

Amazon OpenSearch

July 20, 2022 ~ jayendrapatil

Amazon OpenSearch

Amazon OpenSearch Service is a managed service that makes it easy to deploy, operate, and scale OpenSearch clusters in the AWS Cloud.

is the successor to Elasticsearch Service and supports OpenSearch and legacy Elasticsearch OSS.
is a fully open-source search and analytics engine for use cases such as log analytics, real-time application monitoring, and clickstream analysis.

OpenSearch provides
- instance types with numerous configurations of CPU, memory, and storage capacity, including cost-effective Graviton instances
- Up to 3 PB of attached storage
- Cost-effective UltraWarm and cold storage for read-only data
- Integration with AWS IAM, VPC, VPC Security Groups
- Encryption at Rest and in Transit
- Authentication with Cognito, HTTP basic, or SAML authentication for OpenSearch Dashboards
- Index-level, document-level, and field-level security
- Multi-AZ setup with node allocation across two or three AZs in the same AWS Region
- Dedicated master nodes to offload cluster management tasks
- Automated snapshots to back up and restore OpenSearch Service domains
- Integration with CloudWatch for monitoring, CloudTrail for auditing, S3, Kinesis, and DynamoDB for loading streaming data into OpenSearch Service.

OpenSearch Service Domain

An OpenSearch Service domain is synonymous with an OpenSearch cluster.
Domains are clusters with specified settings, instance types, instance counts, and storage resources.
automates common administrative tasks, such as performing backups, monitoring instances and patching software once the domain is running.

uses a blue/green deployment process when updating domains. Blue/green typically refers to the practice of running two production environments, one live and one idle, and switching the two as software changes are made.
All domains configured for multiple AZs have zone awareness enabled to ensure shards are distributed across AZs.

OpenSearch Security

OpenSearch Service domains support encryption at rest through AWS Key Management Service (KMS), node-to-node encryption over TLS, and the ability to require clients to communicate with HTTPS.

supports only symmetric encryption KMS keys, not asymmetric ones.
encrypts all indices, log files, swap files, and automated snapshots.
does not encrypt Manual snapshots and slow & error logs.
can be configured to be accessible with an endpoint within the VPC or a public endpoint accessible to the internet.

Network access for VPC endpoints is controlled by security groups and for public endpoints, access can be granted or restricted by IP address.
supports integration with Cognito, to allow the end-users to log-in to OpenSearch dashboards through enterprise identity providers such as Microsoft Active Directory using SAML 2.0, Cognito User Pools, and more.

OpenSearch Storage Tiers

OpenSearch Service supports three integrated storage tiers, Hot, UltraWarm and Cold.

Hot tier is powered by data nodes which are used for indexing, updating, and providing the fastest access to data.
UltraWarm nodes complement the hot tier by providing a fully managed, low-cost, read-only, warm storage tier for older and less-frequently accessed data.
UltraWarm uses S3 for storage and removes the need to configure a replica for the warm data.

Cold storage is a fully-managed lowest cost storage tier that makes it easy to securely store and analyze the historical logs on-demand.
Cold storage helps fully detach storage from compute when they are not actively performing analysis of their data and keep the data readily available at low cost.

OpenSearch Cross-Cluster Replication

Cross-cluster replication helps automate copying and synchronizing indices from one cluster to another at low latency in the same or different AWS Regions.

Domains participating in cross-cluster replications need to meet the following criteria:
- Participating domains should be on Elasticsearch version 7.10
- Participating domains need to have encryption in transit enabled
- Participating domains need to have Fine-Grained Access Control (FGAC) enabled
- Participating domains versions should adhere to the same rules as rolling version upgrade

Current implementation of cross-cluster replication does not support Ultrawarm or Cold Storage.

AWS Certification Exam Practice Questions

References

Amazon_OpenSearch

AWS ElastiCache Redis vs Memcached

July 15, 2022 ~ Last updated on : June 11, 2026 ~ jayendrapatil

AWS ElastiCache – Valkey vs Redis OSS vs Memcached

🔄 Major Update (2024-2026): Valkey is Now the Recommended Engine

Amazon ElastiCache now supports Valkey as its primary recommended engine alongside Memcached and Redis OSS. Valkey is an open-source fork of Redis OSS 7.2 (BSD licensed), stewarded by the Linux Foundation. AWS recommends Valkey for new workloads due to better performance, lower cost (33% lower Serverless pricing, 20% lower node-based pricing), and active open-source development.

Key changes:

Redis OSS 7.2 is the last fully open-source version of Redis. Redis OSS on ElastiCache is now a maintenance track.
ElastiCache versions 4 and 5 for Redis OSS reached end of standard support on January 31, 2026. Extended Support available through January 31, 2029.

Redis 6 reaches End of Life on January 31, 2027. Migration to Valkey is strongly recommended.
ElastiCache Serverless (GA Nov 2023) provides zero infrastructure management with instant scaling.
Valkey 9.0 (May 2026) introduces full-text search, hybrid search, durability, and aggregation pipelines.

ElastiCache supports the Valkey, Memcached, and Redis OSS cache engines. Each engine provides some advantages.

Memcached

Need the simplest model possible.
Need to run large nodes with multiple cores or threads (multi-threaded architecture).
Need the ability to scale out and in, adding and removing nodes as demand on the system increases and decreases.

Need to cache objects.
Don’t need persistence, replication, or automatic failover.

Valkey (Recommended for New Workloads)

Valkey is a community-driven, open-source (BSD licensed) fork of Redis OSS 7.2, stewarded by the Linux Foundation and backed by AWS, Google, Microsoft, and others. It is a drop-in replacement for Redis OSS with significant performance and cost improvements.

Need complex data types, such as strings, hashes, lists, sets, sorted sets, and bitmaps.
Need to sort or rank in-memory datasets.
Need persistence of the key store.
Need to replicate the data from the primary to one or more read replicas for read-intensive applications.

Need automatic failover if the primary node fails.
Need publish and subscribe (pub/sub) capabilities — to inform clients about events on the server.
Need backup and restore capabilities.
Need to support multiple databases.
Need Encryption at Rest and in Transit.
Need the ability to dynamically add or remove shards from the cluster (cluster mode enabled).
Need to authenticate users with role-based access control (RBAC).
Need geospatial indexing (clustered mode or non-clustered mode).
Need to meet compliance requirements — HIPAA, FedRAMP, PCI-DSS.
Need vector search with microsecond latency and 95%+ recall rate (Valkey 8.2+).

Need built-in full-text search, aggregations, and hybrid search (Valkey 9.0+).
Need hash field expiration for per-field TTLs (Valkey 9.0+).
Need multi-database support in cluster mode (Valkey 9.0+).
Need Bloom filter support (Valkey 8.1+).
Need durability via Multi-AZ transactional log for zero data loss (Valkey 9.0+).
Need up to 20% better memory efficiency through embedded keys (Valkey 8.0+).

Need up to 270% higher throughput and 70% lower latency via I/O multithreading.

Redis OSS (Maintenance Track)

Redis OSS 7.2 is the last fully open-source version. AWS still supports existing Redis OSS workloads but recommends migrating to Valkey for active development and cost benefits. Upgrade from any Redis OSS version to Valkey is supported without downtime.

Need complex data types, such as strings, hashes, lists, sets, sorted sets, and bitmaps.

Need to sort or rank in-memory datasets.
Need persistence of the key store.
Need to replicate the data from the primary to one or more read replicas for read-intensive applications.
Need automatic failover if the primary node fails.
Need publish and subscribe (pub/sub) capabilities — to inform clients about events on the server.
Need backup and restore capabilities.
Need to support multiple databases.
Need Encryption at Rest and in Transit.
Need the ability to dynamically add or remove shards from the Redis (cluster mode enabled) cluster.

Need to authenticate users with role-based access control.
Need geospatial indexing (clustered mode or non-clustered mode).
Need to meet compliance requirements — HIPAA, FedRAMP, PCI-DSS.

ElastiCache Serverless

ElastiCache Serverless (GA November 2023) is a serverless option that eliminates the need for capacity planning and infrastructure management. It is available for Valkey, Memcached, and Redis OSS engines.

Zero infrastructure management — no nodes to provision, patch, or monitor.
Zero downtime maintenance — all updates applied automatically without disruption.

Instant scaling — automatically scales compute, memory, and network to meet demand.
Pay-per-use pricing — pay based on data stored and requests executed.
Create a cache in under a minute by just providing a name.

Scales to 5 million requests per second (RPS) per cache (Valkey 8.0+).
Supports IPv6 and dual-stack connectivity.
Multi-AZ by default with up to 99.99% availability SLA.
Supports backup and restore for Memcached serverless caches.

Valkey Version Highlights

Version	Key Features
Valkey 9.0 (May 2026)	Full-text search, hybrid search (text + vector), aggregation pipelines, hash field expiration, multi-database in cluster mode, polygon-based geospatial queries, 40% higher throughput with pipelining, durability via Multi-AZ transactional log
Valkey 8.2	Native vector search with microsecond latency and 95%+ recall rate
Valkey 8.1 (March 2025)	Memory-efficient hash table (20% memory reduction), Bloom filters, COMMANDLOG, 514% higher BITCOUNT throughput
Valkey 8.0 (Nov 2024)	20% better memory efficiency, per-slot metrics, dual-channel replication, async I/O threading, Serverless scales to 5M RPS
Valkey 7.2 (Oct 2024)	Initial Valkey release, drop-in replacement for Redis OSS 7.2, Functions, Sharded Pub/Sub, ACL improvements

Comparison Table: Valkey/Redis OSS vs Memcached

Feature	Memcached	Valkey / Redis OSS
Data types	Simple (strings, objects)	Complex (strings, hashes, lists, sets, sorted sets, bitmaps, HyperLogLog, geospatial, streams)
Multi-threaded	Yes	No (but I/O multithreading in Valkey)
Data partitioning	Yes	Yes (cluster mode)
Replication	No	Yes
Automatic failover	No	Yes
Pub/Sub	No	Yes
Backup & Restore	Serverless only	Yes
Encryption	In-transit (1.6.12+)	At-rest and in-transit
Geospatial indexing	No	Yes
Vector search	No	Yes (Valkey 8.2+)
Full-text search	No	Yes (Valkey 9.0+)
Durability	No	Yes (Valkey 9.0+ cluster mode)
Bloom filters	No	Yes (Valkey 8.1+)
Compliance (HIPAA, FedRAMP, PCI)	Yes (1.6.12+)	Yes

AWS Certification Exam Practice Questions

A company wants to implement best practices on AWS. Which implementation would help eliminate “Single Point of failure”?
1. ElastiCache Memcached deployment
2. RDS Single-AZ deployment
3. EC2 instances on a single AZ
4. ElastiCache Redis/Valkey deployment
You are launching your first ElastiCache cache cluster, and start using Memcached. Which of the following is NOT a key feature of Memcached?
1. You need the ability to scale your Cache horizontally as you grow.
2. You use more advanced data types, such as lists, hashes, and sets.
3. You need a simple caching model as possible.
4. Object caching is your primary goal to offload your database.

A development team is evaluating cache engines for a new application that requires vector similarity search for AI-powered recommendations. Which ElastiCache option would be MOST appropriate?
1. ElastiCache for Memcached
2. ElastiCache for Redis OSS 6.x
3. ElastiCache for Valkey 8.2 or later
4. ElastiCache for Redis OSS 7.0
A company wants to deploy an in-memory cache with zero infrastructure management and automatic scaling. They do not want to provision or manage any nodes. Which ElastiCache deployment option should they choose?
1. ElastiCache node-based cluster with Auto Scaling
2. ElastiCache Serverless
3. ElastiCache with CloudWatch alarms for manual scaling
4. ElastiCache Global Datastore
A company is running ElastiCache for Redis OSS version 5. They received a notification that standard support ends January 31, 2026. What is the recommended migration path?
1. Upgrade to Redis OSS 7.2
2. Migrate to ElastiCache for Valkey
3. Move to Amazon MemoryDB
4. Purchase Extended Support indefinitely

Which of the following features is available ONLY with Valkey and NOT with Redis OSS on ElastiCache? (Select TWO)
1. Pub/Sub messaging
2. Built-in full-text search and hybrid search
3. Geospatial indexing
4. Bloom filter support
5. Sorted sets

References

AWS Transfer Family

July 13, 2022 ~ Last updated on : June 17, 2026 ~ jayendrapatil

AWS Transfer Family

AWS Transfer Family is a fully managed file transfer service that enables secure transfer of files into and out of AWS storage services.

AWS Transfer Family supports transferring data from or to Amazon S3 and Amazon EFS.
AWS Transfer Family supports transferring data over the following protocols:
- Secure File Transfer Protocol (SFTP) – version 3
- File Transfer Protocol Secure (FTPS)
- File Transfer Protocol (FTP)
- Applicability Statement 2 (AS2) – for B2B EDI document exchange
- Browser-based transfers – via Transfer Family web apps
Transfer Family provides the following benefits:
- A fully managed service that scales in real-time with elastic compute infrastructure and built-in autoscaling.
- Compatible with existing applications with no need to modify them or run any file transfer protocol infrastructure.
- A fully managed, serverless File Transfer Workflow service that makes it easy to set up, run, automate, and monitor the processing of files.
- Supports connectors for outbound file transfers to remote SFTP and AS2 servers.

Transfer Family supports up to 3 AZs and is backed by an auto-scaling, redundant fleet for connection and transfer requests.
Transfer Family supports multiple identity provider options:
- Service Managed – user identities stored within the service (supported for SFTP-only server endpoints).
- Microsoft Active Directory – integration with AWS Directory Service.
- LDAP – Lightweight Directory Access Protocol integration.
- Custom Identity Providers – modular solution to integrate any identity provider with granular per-user controls, separating authentication logic from session configuration.
Transfer Family supports Amazon S3 Access Points for granular access to shared datasets.
For FTP and FTPS data connections, the port range used for the data channel is 8192–8200.

Endpoint Types

Transfer Family supports the following endpoint types:
- Public – publicly accessible endpoint that listens for traffic over port 22 (SFTP only).
- VPC – endpoint hosted within a VPC for greater control over access.
  - Can be configured as Internet Facing with Elastic IP addresses attached.
  - Can be configured as Internal for private access only within the VPC.
  - Supports Security Groups for source IP filtering.
  - Supports shared VPC environments.
  - Required for FTPS and FTP protocols.
FIPS-enabled endpoints are available for compliance requirements.

AS2 Protocol Support

Applicability Statement 2 (AS2) is a business-to-business (B2B) messaging protocol used to exchange Electronic Data Interchange (EDI) documents.

Transfer Family AS2 capabilities enable secure exchange of AS2 messages at scale while maintaining compliance and interoperability with trading partners.
AS2 provides data protection through encryption and peer authentication via digital certificates.
Key AS2 components:
- Agreements – Bilateral trading partner agreements that define the relationship between two parties exchanging messages. Combines server, local profile, partner profile, and certificate information.
- Profiles – Local and partner profiles that identify the sender and receiver.
- Certificates – Used for encryption and signing of AS2 messages.
- Connectors – Required for sending files to an externally hosted AS2 server.
AS2 messages are sent and received over HTTPS.
Integrates with AWS B2B Data Interchange for EDI document transformation and generation.

SFTP Connectors

SFTP connectors provide fully managed functionality to transfer files between remote SFTP servers and Amazon S3.

SFTP connectors can send files from Amazon S3 to an external partner-owned SFTP server and retrieve files from a partner’s SFTP server.
SFTP connectors authenticate to remote servers using credentials stored in AWS Secrets Manager.
SFTP connectors support two egress types:
- Service Managed – uses AWS managed infrastructure for routing.
- VPC (VPC_LATTICE) – routes traffic through your VPC using Amazon VPC Lattice, enabling connections to:
  - Private SFTP servers accessible only within a VPC.
  - Servers in shared VPCs.
  - On-premises systems connected over AWS Direct Connect.
  - Partner-hosted servers connected through VPN tunnels.
SFTP connectors support PGP encryption for encrypting/decrypting files before sending to remote partners.
SFTP connectors can list files stored on remote SFTP servers, enabling file retrieval workflows when file names are not known in advance.

Transfer Family Web Apps

Transfer Family web apps provide a no-code, fully managed browser-based experience for secure file transfers to and from Amazon S3.
Web apps enable authenticated users to perform file operations including listing, uploading, downloading, and deleting files through a web browser.
Web apps are integrated with AWS IAM Identity Center and Amazon S3 Access Grants, enabling fine-grained access controls that map corporate identities directly to S3 datasets.

Web apps are customizable to reflect company branding.
Supports HIPAA eligibility, PCI, and other compliance certifications.
One web app unit can provide up to 250 unique sessions per 5-minute period. Multiple units can be provisioned based on peak workload volumes.
Deployable with a few clicks in the Transfer Family console, generating a shareable URL.

Managed Workflows (MFTW)

Managed File Transfer Workflows (MFTW) is a fully managed, serverless workflow service that automates processing of uploaded files.

MFTW can automate processing steps such as:
- Copying and tagging
- Scanning and filtering
- Compressing/decompressing
- Encrypting/decrypting
- Custom processing via Lambda functions
MFTW provides end-to-end visibility for tracking and auditability.
Workflows are triggered automatically in response to file uploads.
Supports both nominal (success) and exception handling steps.

Security and Encryption

Transfer Family supports encryption at rest using:
- AWS KMS (Key Management Service) managed keys
- Amazon S3 server-side encryption (SSE-S3)
- Customer Managed Keys with Amazon EFS
Encryption in transit via SSH (SFTP), TLS (FTPS, AS2), and HTTPS (web apps).

Supports TLS 1.2 for secure communication.
IAM policies control access to S3 buckets and EFS file systems.
CloudTrail provides granular auditing of user and API activity.
Security Groups and Network ACLs control network-level access for VPC endpoints.

Monitoring and Logging

Transfer Family supports two logging mechanisms for CloudWatch:
- JSON Structured Logging (Recommended) – provides comprehensive, queryable log format with detailed activity types (AUTH_FAILURE, CONNECTED, DISCONNECTED, ERROR, OPEN, CLOSE, DELETE, MKDIR, RENAME, etc.).
- Logging via a Logging Role – legacy logging mechanism.
CloudWatch metrics track server performance and transfer activity.
CloudWatch alarms can trigger notifications or automated actions based on thresholds.
CloudTrail logging is available for Transfer Family web apps.

AWS Certification Exam Practice Questions

A solutions architect must provide a fully managed replacement for an on-premises solution that allows employees and partners to exchange files. The solution must be easily accessible to employees connecting from on-premises systems, remote employees, and external partners. Which solution meets these requirements?
1. Use AWS Transfer Family for SFTP to transfer files into and out of Amazon S3.
2. Use AWS Snowball Edge for local storage and large-scale data transfers.
3. Use Amazon FSx to store and transfer files to make them available remotely.
4. Use AWS Storage Gateway to create a volume gateway to store and transfer files to Amazon S3.
A company exchanges EDI documents with multiple trading partners. The company needs a fully managed B2B file transfer solution that supports AS2 protocol, provides non-repudiation through message disposition notifications (MDNs), and stores transferred files in Amazon S3. Which AWS service meets these requirements?
1. AWS DataSync with S3 as the destination
2. AWS Transfer Family with AS2 protocol configured
3. Amazon MQ with file transfer broker
4. AWS Storage Gateway File Gateway
A company needs to provide non-technical business users with a simple web interface to upload and download files from Amazon S3 without requiring SFTP clients or AWS Console access. The solution must integrate with the company’s existing corporate directory for authentication. Which approach should a solutions architect recommend?
1. Create a custom web application using S3 pre-signed URLs
2. Use Amazon WorkDocs for file sharing
3. Deploy AWS Transfer Family web apps integrated with AWS IAM Identity Center and S3 Access Grants
4. Use Amazon AppStream 2.0 to stream an S3 browser application
A company needs to automate file transfers between a partner’s SFTP server (accessible only via VPN) and Amazon S3. The partner’s server is not accessible from the public internet. Which solution meets these requirements with the LEAST operational overhead?
1. Deploy an EC2 instance with an SFTP client in the VPC and schedule cron jobs
2. Use AWS DataSync with a private VIF over Direct Connect
3. Use AWS Transfer Family SFTP connectors with VPC-based (VPC_LATTICE) egress type
4. Set up an AWS Lambda function with VPC access to connect to the SFTP server
A company uses AWS Transfer Family for SFTP file transfers. The security team requires detailed, queryable audit logs of all file operations including authentication failures, file opens, deletes, and disconnections. Which logging approach should be configured?
1. Enable CloudTrail data events for the Transfer Family server
2. Configure S3 server access logging on the destination bucket
3. Enable JSON structured logging for the Transfer Family server in CloudWatch
4. Set up VPC Flow Logs on the server endpoint’s network interface

References

AWS DataSync

July 13, 2022 ~ Last updated on : June 17, 2026 ~ jayendrapatil

AWS DataSync

AWS DataSync is an online data movement service that simplifies, automates, and accelerates moving data between on-premises storage, other cloud providers, and AWS Storage services.

DataSync provides end-to-end security, including encryption and integrity validation.
DataSync automates both the management of data-transfer processes and the infrastructure required for high-performance and secure data transfer.
DataSync uses a purpose-built network protocol and a parallel, multi-threaded architecture to accelerate the transfers.

A DataSync agent is a VM or EC2 instance that AWS DataSync uses to read from or write to a storage system. Agents are commonly used when copying data from on-premises storage to AWS.
For transfers between AWS storage services (same or cross-region), no agent is required — data remains within the AWS network.
DataSync transfer is described by a Task and a Task Execution is an individual run of a DataSync task.

A task can be configured for locations (source and destination), schedule and how it treats metadata, deleted files, and permissions.
Task scheduling automatically runs tasks on the configured schedule with hourly, daily, or weekly options.
Each time a task is started it performs an incremental copy, transferring only the changes from the source to the destination.

If a task is interrupted, for instance, if the network connection goes down or the agent is restarted, the next run of the task will transfer missing files, and the data will be complete and consistent at the end of this run.
AWS DataSync can be used with the Direct Connect link to access public service endpoints or private VPC endpoints.
The amount of network bandwidth that AWS DataSync will use can be controlled by configuring the built-in bandwidth throttle.

DataSync supports both IPv4 and IPv6 addresses for connecting with the service and for data transfers with supported data sources.

DataSync Task Modes

DataSync tasks run in one of two modes: Enhanced mode or Basic mode.
Enhanced mode
- Transfers virtually unlimited numbers of files or objects with higher performance than Basic mode.
- Optimizes the data transfer process by listing, preparing, transferring, and verifying data in parallel.
- Supports transfers between Amazon S3 locations, cross-cloud transfers (Azure Blob, Google Cloud Storage, Oracle Cloud Object Storage) without an agent, and transfers between NFS/SMB file servers and Amazon S3 using an Enhanced mode agent.
- Not subject to the same file/object count quotas as Basic mode.
Basic mode
- Transfers files or objects between AWS storage and all other supported DataSync locations.
- Subject to quotas on the number of files, objects, and directories in a dataset.
- Sequentially prepares, transfers, and verifies data, making it slower than Enhanced mode for most workloads.

DataSync Supported Locations

Network File System (NFS) file servers
Server Message Block (SMB) file servers
Hadoop Distributed File System (HDFS)
Object storage systems
Amazon S3 (including S3 on Outposts)
Amazon EFS file systems
Amazon FSx for Windows File Server file systems
Amazon FSx for Lustre file systems
Amazon FSx for OpenZFS file systems
Amazon FSx for NetApp ONTAP file systems
Microsoft Azure Blob Storage
Google Cloud Storage
Oracle Cloud Object Storage
Other S3-compatible cloud storage (Wasabi, DigitalOcean Spaces, etc.)

⚠️ Note: AWS Snowcone devices were discontinued effective November 12, 2024. DataSync on Snowcone is no longer available for new orders. Existing customers had support until November 12, 2025. Use DataSync online transfers or AWS Data Transfer Terminal as alternatives.

Cross-Cloud Transfers

DataSync Enhanced mode supports agentless cross-cloud transfers, enabling direct data movement between other cloud providers and Amazon S3 without deploying a DataSync agent.
Supported cross-cloud sources include Microsoft Azure Blob Storage, Google Cloud Storage, Oracle Cloud Object Storage, and other S3-compatible storage services.
Cross-cloud transfers provide higher performance and scalability compared to agent-based Basic mode transfers.

Simplifies multi-cloud data migration and data pipeline workflows.

DataSync Manifests

DataSync supports manifests, enabling users to provide a definitive list of source files or objects to be transferred by a task.
Using manifests, task execution times can be decreased by specifying only the files or objects that need to be processed.
The maximum allowable size for a manifest file with Enhanced mode tasks is 20 GB.

Useful for scenarios with hundreds of millions of objects where only a specific subset needs to be transferred.

DataSync Task Reports

Task reports provide detailed JSON-formatted output files about what DataSync attempts to transfer, skip, verify, and delete during a task execution.
Reports include a summary and detailed reports for files transferred, skipped, verified, and deleted.

Task reports are generated after the completion of transfer tasks and stored in an Amazon S3 bucket.
Useful for tracking and auditing data transfers, monitoring chain of custody, and troubleshooting transfer errors.

DataSync Security Features

DataSync integrates with AWS Secrets Manager for credential management across all location types, including HDFS, Amazon FSx for Windows File Server, and Amazon FSx for NetApp ONTAP.

Supports VPC endpoint policies for fine-grained access control and FIPS-enabled VPC endpoints in FIPS-enabled AWS Regions.
Data is encrypted in transit using TLS.
Supports Kerberos authentication for enhanced SMB file transfer security.
Location configurations can be updated without recreating locations, simplifying credential rotation and maintenance.

DataSync Agents

An agent is required for transfers between on-premises storage and AWS.

No agent is needed for transfers between AWS storage services (same or cross-region) — data remains in the AWS network.
Enhanced mode supports agentless cross-cloud transfers (Azure Blob, Google Cloud Storage, Oracle Cloud Object Storage to Amazon S3).
Enhanced mode agents are available for on-premises NFS/SMB to Amazon S3 transfers with improved performance.

Version 1 DataSync agents were discontinued on December 7, 2023 — affected agents must be replaced.

ℹ️ Note: DataSync Discovery was discontinued on May 20, 2025 and is no longer available as a DataSync feature.

AWS Certification Exam Practice Questions

A company is migrating its applications to AWS. Currently, applications that run on-premises generate hundreds of terabytes of data that is stored on a shared file system. The company is running an analytics application in the cloud that runs hourly to generate insights from this data. The company needs a solution to handle the ongoing data transfer between the on-premises shared file system and Amazon S3. The solution also must be able to handle occasional interruptions in internet connectivity. Which solutions should the company use for the data transfer to meet these requirements?
1. AWS DataSync
2. AWS Migration Hub
3. AWS Snowball Edge Storage Optimized
4. AWS Transfer for SFTP

A company needs to transfer 500 million objects from Google Cloud Storage to Amazon S3 with minimal operational overhead. The transfer should be completed as fast as possible without deploying any infrastructure. Which approach best meets these requirements?
1. Deploy a DataSync agent on a Google Cloud VM and use Basic mode tasks
2. Use DataSync Enhanced mode with agentless cross-cloud transfer directly from Google Cloud Storage to Amazon S3
3. Use AWS Transfer Family with SFTP to pull data from Google Cloud Storage
4. Use S3 Batch Operations to copy from Google Cloud Storage
A company uses AWS DataSync to replicate data between Amazon S3 buckets in different AWS Regions. The dataset contains over 100 million objects and the company needs improved transfer performance and scalability. Which DataSync configuration should be used?
1. Use Basic mode with multiple parallel tasks
2. Deploy a DataSync agent in each Region
3. Use Enhanced mode for the S3-to-S3 transfer task
4. Enable S3 Transfer Acceleration on both buckets

An organization needs to transfer only a specific set of 10,000 files from an on-premises NFS server containing millions of files to Amazon S3. They want to minimize the time spent scanning the source. Which DataSync feature should they use?
1. Task filtering with include patterns
2. DataSync manifests to specify the exact list of files to transfer
3. Schedule the task during off-peak hours
4. Use Enhanced mode with no manifest
A security team requires detailed audit reports of all files transferred, skipped, and deleted during a DataSync task execution for compliance purposes. Which DataSync feature provides this capability?
1. CloudWatch Logs integration
2. AWS CloudTrail data events
3. DataSync task reports
4. Amazon S3 server access logs

References

AWS CloudFront vs Global Accelerator

July 12, 2022 ~ Last updated on : June 17, 2026 ~ jayendrapatil

AWS CloudFront vs Global Accelerator

Global Accelerator and CloudFront both use the AWS global network and its edge locations around the world.

Both services integrate with AWS Shield for DDoS protection.
Both services operate from AWS edge locations (Points of Presence), but with different scale:
- CloudFront uses 750+ PoPs in 100+ cities across 50+ countries, plus 1,140+ Embedded PoPs in 300+ cities.
- Global Accelerator uses 130 PoPs in 95 cities across 53 countries.
Performance
- CloudFront improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery).
- Global Accelerator improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions.
Use Cases
- CloudFront is a good fit for HTTP use cases, including web content delivery, API acceleration, video streaming, and serverless edge compute.
- Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or VoIP, as well as for HTTP use cases that require static IP addresses or deterministic, fast regional failover.
Caching
- CloudFront supports Edge caching with Regional Edge Caches (RECs) and Origin Shield for optimized cache-hit ratios.
- Global Accelerator does not support Edge Caching. It routes traffic over the AWS backbone to the optimal regional endpoint.
Static IP Addresses
- CloudFront now supports Anycast Static IPs (launched Nov 2024), providing a dedicated set of static IP addresses for allowlisting, zero-rating, and apex domain support.
- Global Accelerator provides two static anycast IPv4 addresses (and optionally two IPv6 addresses with dual-stack) per accelerator, serviced by independent network zones for fault tolerance.
Protocol Support
- CloudFront supports HTTP and HTTPS (with TLSv1.3), WebSocket, and gRPC.
- Global Accelerator supports TCP and UDP at the transport layer, enabling broader protocol coverage including non-HTTP workloads.
Failover
- CloudFront supports origin failover for GET and HEAD requests using origin groups with primary and secondary origins.
- Global Accelerator provides instant, deterministic failover across AWS Regions based on continuous health monitoring (TCP, HTTP, HTTPS health checks).
Edge Compute
- CloudFront offers edge compute via CloudFront Functions (lightweight, sub-millisecond execution at all edge locations) and Lambda@Edge (general-purpose serverless compute).
- Global Accelerator does not provide edge compute capabilities.

IP Address Management
- CloudFront supports Bring Your Own IP (BYOIP) through VPC IPAM integration for both IPv4 (/24) and IPv6 (/48) address ranges (launched Nov 2025).
- Global Accelerator supports BYOIP allowing up to two /24 IPv4 address ranges per accelerator.

Security
- CloudFront integrates with AWS WAF, AWS Shield (Standard and Advanced), and supports field-level encryption, signed URLs/cookies, and Origin Access Control (OAC).
- Global Accelerator integrates with AWS Shield (Standard and Advanced) for DDoS protection but does not support WAF integration.

Key Feature Differences (Summary Table)

Feature	CloudFront	Global Accelerator
Type	Content Delivery Network (CDN)	Network layer traffic accelerator
Caching	Yes (Edge + Regional Edge Caches + Origin Shield)	No
Protocols	HTTP, HTTPS, WebSocket, gRPC	TCP, UDP
Static IPs	Yes (Anycast Static IPs – Nov 2024)	Yes (2 IPv4 + 2 IPv6 with dual-stack)
Edge Compute	CloudFront Functions + Lambda@Edge	No
WAF Integration	Yes	No
VPC Origins	Yes (private ALB/NLB/EC2)	No
Custom Routing	No	Yes (deterministic EC2 routing)
Health Checks	Origin failover (GET/HEAD only)	TCP, HTTP, HTTPS (instant regional failover)
Dual-Stack (IPv6)	Yes	Yes (dual-stack accelerators with NLB endpoints)
BYOIP	Yes (via VPC IPAM, IPv4 + IPv6)	Yes (up to two /24 IPv4 ranges)
Kubernetes Integration	No native integration	Yes (AWS Load Balancer Controller CRDs)

Recent Feature Updates (2024-2026)

CloudFront Updates

Anycast Static IPs (Nov 2024) – Dedicated static IP addresses for allowlisting, zero-rating traffic with ISPs, and apex domain support. IPv6 support added Nov 2025.
VPC Origins (Nov 2024) – Connect CloudFront directly to private ALBs, NLBs, or EC2 instances in private subnets without public internet exposure. Cross-account support added Nov 2025.
Embedded Points of Presence (Feb 2024) – PoPs deployed directly within ISP networks for large-scale video streaming and game downloads, with 1,140+ Embedded PoPs in 300+ cities.

Flat-Rate Pricing Plans (Nov 2025) – Bundled CDN, WAF, DDoS protection, bot management, Route 53, CloudWatch Logs, edge compute, and S3 storage into predictable monthly pricing with no overage charges.
Tag-Based Cache Invalidation (May 2026) – Native support to tag cached objects and invalidate by tag directly through the CloudFront API.
BYOIP via VPC IPAM (Nov 2025) – Bring your own IPv4 and IPv6 addresses to CloudFront using IPAM’s BYOIP for global services.

CloudFront KeyValueStore (Nov 2023) – Low-latency global data store for CloudFront Functions enabling dynamic edge decisions without code redeployment.
Simplified Console Experience (Jun 2025) – New user-friendly interface with automated certificate provisioning and DNS configuration.

Global Accelerator Updates

Kubernetes Integration (Jan 2026) – AWS Load Balancer Controller now supports Global Accelerator through declarative Kubernetes CRDs for managing accelerators, listeners, and endpoint groups.

Expanded Region Support – Now supports 33 AWS Regions including Mexico (Central), Asia Pacific (Malaysia, Thailand, Taipei) as of Oct 2025.
Dual-Stack NLB Endpoints (Nov 2023) – IPv6 traffic routing directly to dual-stack NLB endpoints for end-to-end IPv6 connectivity.
Client IP Preservation for NLB (Aug 2023) – Maintains source IP address for packets arriving at NLB endpoints configured behind Global Accelerator.

Dual-Stack NLB Support for Standard Accelerators (Mar 2024) – Adding dual-stack NLBs to standard accelerators.

When to Use Which

Choose CloudFront when:
- Delivering cacheable web content (images, videos, static files)
- Accelerating APIs and dynamic HTTP/HTTPS content
- Needing edge compute (CloudFront Functions or Lambda@Edge)
- Requiring WAF integration for application-layer security
- Serving content from private origins via VPC Origins
- Needing bundled security (WAF + Shield + CDN) with flat-rate pricing

Choose Global Accelerator when:
- Running non-HTTP workloads (gaming/UDP, IoT/MQTT, VoIP)
- Needing deterministic, instant multi-region failover
- Requiring static IP addresses as fixed entry points (since its inception)
- Using custom routing to deterministically route users to specific EC2 instances (e.g., multiplayer gaming matchmaking)
- Needing Kubernetes-native management of global traffic acceleration
- Running multi-region S3 workloads via S3 Multi-Region Access Points

Use both together when:
- Needing CDN caching for web content AND fast failover for backend APIs
- Building multi-tier applications with both HTTP and non-HTTP components

AWS Certification Exam Practice Questions

A company wants to improve the availability and performance of its stateless UDP-based workload. The workload is deployed on Amazon EC2 instances in multiple AWS Regions. What should a solutions architect recommend to accomplish this?
1. Place the EC2 instances behind Network Load Balancers (NLBs) in each Region. Create an accelerator using AWS Global Accelerator. Use the NLBs as endpoints for the accelerator.
2. Place the EC2 instances behind Application Load Balancers (ALBs) in each Region. Create an accelerator using AWS Global Accelerator. Use the ALBs as endpoints for the accelerator.
3. Place the EC2 instances behind Network Load Balancers (NLBs) in each Region. Create a CloudFront distribution with an origin that uses Route 53 latency-based routing to route requests to the NLBs.
4. Place the EC2 instances behind Application Load Balancers (ALBs) in each Region. Create a CloudFront distribution with an origin that uses Route 53 latency-based routing to route requests to the ALBs.
A media company delivers live streaming video to millions of global viewers. They need to reduce buffering during peak events while keeping origin infrastructure costs low. Which AWS service is the best fit?
1. AWS Global Accelerator with NLB endpoints in each Region
2. Amazon CloudFront with Origin Shield enabled and Embedded Points of Presence for large-scale delivery
3. Amazon CloudFront with Global Accelerator as the origin
4. AWS Global Accelerator with custom routing to direct viewers to specific EC2 instances
A gaming company wants to route players to specific EC2 game server instances based on matchmaking logic. The application uses UDP and players are distributed globally. Which solution provides the lowest latency and deterministic routing?
1. Amazon CloudFront with Lambda@Edge for routing logic
2. AWS Global Accelerator with standard routing and NLB endpoints
3. AWS Global Accelerator with custom routing accelerator mapping ports to specific EC2 instances
4. Amazon Route 53 latency-based routing with health checks

A company requires its web application origin servers to remain in private subnets with no public internet access, while still serving global users with low latency. Which solution meets these requirements?
1. AWS Global Accelerator with private NLB endpoints
2. Amazon CloudFront with VPC Origins pointing to private ALB/NLB/EC2 instances
3. Amazon CloudFront with an origin in a public subnet protected by Security Groups
4. AWS Global Accelerator with EC2 instances using Elastic IP addresses
A company needs static IP addresses for their content delivery to satisfy partner allowlisting requirements. Previously this was only available with Global Accelerator. Which CloudFront feature now addresses this requirement?
1. CloudFront Origin Access Control (OAC)
2. CloudFront Anycast Static IPs
3. CloudFront Dedicated IP Custom SSL
4. CloudFront BYOIP via VPC IPAM
A company running a multi-region application on Kubernetes (EKS) wants to add global traffic acceleration with automatic failover. They prefer managing infrastructure declaratively through Kubernetes resources. Which approach is most operationally efficient?
1. Create Global Accelerator manually via AWS Console and add EKS NLB endpoints
2. Use the AWS Load Balancer Controller with Global Accelerator CRDs to declaratively manage accelerators through Kubernetes
3. Use Amazon CloudFront with Route 53 failover routing
4. Use Amazon Route 53 with latency-based routing and health checks

References

AWS Gateway Load Balancer – GWLB

July 9, 2022 ~ Last updated on : September 8, 2022 ~ jayendrapatil

AWS Gateway Load Balancer – GWLB

Gateway Load Balancer helps deploy, scale, and manage virtual appliances, such as firewalls, intrusion detection and prevention systems (IDS/IPS), and deep packet inspection systems.

GWLB and its registered virtual appliance instances exchange application traffic using the GENEVE (Generic Network Virtualization Encapsulation) protocol on port 6081.
operates at Layer 3 of the OSI model, the network layer.

transparently passes all Layer 3 traffic through third-party virtual appliances, and is invisible to the source and destination of the traffic.
combines a transparent network gateway (that is, a single entry and exit point for all traffic) and distributes traffic while scaling the virtual appliances with the demand.
listens for all IP packets across all ports and forwards traffic to the target group that’s specified in the listener rule.

runs within one AZ and is recommended to be deployed in multiple AZs for greater availability. If all appliances fail in one AZ, scripts can be used to either add new appliances or direct traffic to a GWLB in a different AZ.
cannot add or remove availability zones after the GWLB is created.
is architected to handle millions of requests/second, volatile traffic patterns, and introduces extremely low latency.

does not perform TLS termination and does not maintain any application state. These functions are performed by the third-party virtual appliances it directs traffic to and receives traffic from.
maintains stickiness of flows to a specific target appliance using 5-tuple (TCP/UDP flows) or 3-tuple (for non-TCP/UDP flows).
supports a maximum transmission unit (MTU) size of 8500 bytes.

supports cross-zone load balancing, which is disabled by default. You pay charges for inter-AZ data transfer if enabled.

Gateway Load Balancer Endpoint – GWLBE

GWLB uses Gateway Load Balancer endpoints – GWLBE to exchange traffic across VPC boundaries securely.
A Gateway Load Balancer endpoint is a VPC endpoint that provides private connectivity between virtual appliances in the service provider VPC and application servers in the service consumer VPC.

One GWLB can be connected to many GWLBEs.
GWLB is deployed in the same VPC as the virtual appliances.
Virtual appliances are registered with a target group for the GWLB.
Traffic to and from a GWLBE is configured using route tables.

Traffic flows from the service consumer VPC over the GWLBE to the GWLB in the service provider VPC, and then returns to the service consumer VPC
GWLBE and the application servers must be created in different subnets. This enables you to configure the GWLBE as the next hop in the route table for the application subnet.

Gateway Load Balancer Flow

Traffic from the internet to the application (blue arrows)

Traffic enters the service consumer VPC through the internet gateway.

Traffic is sent to the GWLBE, as a result of VPC ingress routing.
Traffic is sent to the GWLB for inspection through the security appliance.
Traffic is sent back to the GWLBE after inspection.
Traffic is sent to the application servers (destination subnet).

Traffic from the application to the internet (orange arrows):

Traffic is sent to the Gateway Load Balancer endpoint due to the default route configured on the application server subnet.

Traffic is sent to the GWLB for inspection through the security appliance.
Traffic is sent back to the GWLBE after inspection.
Traffic is sent to the internet gateway based on the route table configuration.
Traffic is routed back to the internet.

Gateway Load Balancer High Availability

AWS Gateway Load Balancer vs Network Firewall

AWS Certification Exam Practice Questions

References

AWS_Gateway_Load_Balancer

AWS Shield

July 3, 2022 ~ Last updated on : July 4, 2022 ~ jayendrapatil

AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency
AWS Shield detects the following classes of attacks
- Network Volumetric Attacks (Layer 3)
  - This is a sub category of infrastructure layer attack vectors.
  - These vectors attempt to saturate the capacity of the targeted network or resource, to deny service to legitimate users.
- Network Protocol Attacks (Layer 4)
  - This is a sub category of infrastructure layer attack vectors.
  - These vectors abuse a protocol to deny service to the targeted resource.
  - A common example of a network protocol attack is a TCP SYN flood, which can exhaust connection state on resources like servers, load balancers, or firewalls.
  - A network protocol attack can also be volumetric for e.g., a larger TCP SYN flood may intend to saturate the capacity of a network while also exhausting the state of the targeted resource or intermediate resources.
- Application Layer Attacks (Layer 7)
  - This category of attack vector attempts to deny service to legitimate users by flooding an application with queries that are valid for the target, such as web request floods.

AWS Shield Tiers

AWS Shield Standard

provides automatic protections to all customers at no additional charge
defends against the most common, frequently occurring network and transport layer DDoS attacks that target website or applications.

with CloudFront and Route 53 comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks is provided.
uses techniques such as deterministic packet filtering and priority-based traffic shaping to automatically mitigate basic network layer attacks.

AWS Shield Advanced

is a managed service that helps protect the application against external threats, like DDoS attacks, volumetric bots, and vulnerability exploitation attempts.

provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks,
provides integration with AWS WAF, a web application firewall, at no additional charge. It can create WAF rules in the WebACLs to automatically mitigate an attack, or activate them in count-only mode.
also gives 24×7 access to the AWS Shield Response Team (SRT) and protection against DDoS related spikes in the EC2, ELB, CloudFront, AWS Global Accelerator and Route 53 charges.

provides DDoS cost protection to safeguard against scaling charges resulting from DDoS-related usage spikes on protected resources.
in addition to the network and transport layer attacks, it also detects application layer (Layer 7) attacks such as HTTP floods or DNS query floods by baselining traffic on the application and identifying anomalies.
is available globally on all CloudFront, Global Accelerator, and Route 53 edge locations.

includes centralized protection management using Firewall Manager, that can automatically
- configure policies covering multiple accounts and resources
- audits accounts to find new or unprotected resources, and ensures that Shield Advanced and AWS WAF protections are universally applied.
provides complete visibility into DDoS attacks with near real-time notification through CloudWatch and detailed diagnostics on the AWS WAF and AWS Shield console or APIs.

AWS Certification Exam Practice Questions

Which AWS service has inbuilt DDoS protection inbuilt?
1. AWS Shield
2. AWS CloudWatch
3. AWS EC2
4. AWS Inspector
A media company has monetized their APIs to external third parties. During the last month, the platform has come under DDoS attacks multiple times leading to scaling of underlying instances and cost incurred. Which AWS service would help provide cost protection against such spikes, if such situations do occur in the future?
1. AWS Systems Manager
2. AWS WAF
3. AWS Shield Advanced
4. AWS Inspector
A company is hosting an important revenue generating application. On the last few occasions, the application has come under large DDoS attacks. As a result of this, a lot of users were complaining about the slowness of the application. You need to now avoid these situations in the future and now require 24×7 support from AWS if such situations do occur in the future. Which of the following service can help in this regard?
1. AWS Shield Advanced
2. AWS Inspector
3. AWS WAF
4. AWS Systems Manager

References

AWS_Shield

AWS Certificate Manager – ACM

June 30, 2022 ~ Last updated on : August 9, 2022 ~ jayendrapatil

AWS Certificate Manager – ACM

AWS Certificate Manager – ACM helps easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and internal connected resources.

AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.
AWS Certificate Manager can help quickly request a certificate, deploy it on ACM-integrated AWS resources, such as ELB, CloudFront distributions, and APIs on API Gateway, and handle certificate renewals.

ACM supports importing third-party certificates into the ACM management system.
ACM also supports the creation of private certificates for the internal resources and manages the certificate lifecycle centrally.
ACM certificates are regional resources.

ACM Limitations

does not provide certificates for anything other than the SSL/TLS protocols.

cannot use certificates for email encryption.
cannot request certificates for Amazon-owned domain names such as those ending in amazonaws.com, cloudfront.net, or elasticbeanstalk.com.
cannot download the private key for an ACM certificate.
cannot directly install certificates on the EC2 website or application
are regional resources and cannot copy a certificate between regions. To use a certificate with ELB for the same FQDN or set of FQDNs in more than one AWS region, you must request or import a certificate for each region. For certificates provided by AWS Certificate Manager, you must revalidate each domain name in the certificate for each region

with CloudFront, you must request or import the certificate in the US East (N. Virginia) region.

AWS Certification Exam Practice Questions

A company hosts an online shopping portal in the AWS Cloud. The portal provides HTTPS security by using a TLS certificate on an ELB. Recently, the portal suffered an outage because the TLS certificate expired. A SysOps administrator must create a solution to automatically renew certificates to avoid this issue in the future. What is the MOST operationally efficient solution that meets these requirements?
1. Request a public certificate by using AWS Certificate Manager. Associate the certificate from ACM with the ELB. Write a scheduled AWS Lambda function to renew the certificate every 18 months.
2. Request a public certificate by using AWS Certificate Manager. Associate the certificate from ACM with the ELB. ACM will automatically manage the renewal of the certificate.
3. Register a certificate with a third-party certificate authority (CA). Import this certificate into AWS Certificate Manager. Associate the certificate from ACM with the ELB. ACM will automatically manage the renewal of the certificate.
4. Register a certificate with a third-party certificate authority (CA). Configure the ELB to import the certificate directly from the CA. Set the certificate refresh cycle on the ELB to refresh when the certificate is within 3 months of the expiration date.

References

AWS_Certificate_Manager

AWS Secrets Manager

June 29, 2022 ~ Last updated on : June 17, 2026 ~ jayendrapatil

AWS Secrets Manager

AWS Secrets Manager helps protect secrets needed to access applications, services, and IT resources.

enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
secure secrets by encrypting them with encryption keys managed using AWS KMS.

offers native secret rotation with built-in integration for RDS, Redshift, and DocumentDB.
supports Lambda functions to extend secret rotation to other types of secrets, including API keys and OAuth tokens.
supports IAM and resource-based policies for fine-grained access control to secrets and centralized secret rotation audit for resources in the AWS Cloud, third-party services, and on-premises.

enables secret replication in multiple AWS regions to support multi-region applications and disaster recovery scenarios.
supports private access using VPC Interface endpoints
supports dual-stack (IPv4 and IPv6) endpoints for all regions.
supports BatchGetSecretValue API to retrieve up to 20 secrets in a single API call, reducing latency and API call costs.
supports cost allocation tags to categorize and track secret costs by department, team, or application in AWS Cost Explorer.

supports hybrid post-quantum TLS using ML-KEM to protect secrets against future quantum computing threats.

Secrets Manager with KMS

Encryption
- encrypts a new version of the protected secret data by requesting AWS KMS to generate a new data key from the KMS key.
- uses this data key for envelope encryption.
- stores the encrypted data key with the protected secret data.
Decryption
- requests AWS KMS to decrypt the encrypted data key
- uses the plain text data key to decrypt the protected secret data.
- never stores the data key in unencrypted form, and always disposes of the data key immediately after use.

Secrets Manager Rotation

AWS Secrets Manager enables database credential rotation on a schedule.
Supports rotation as frequently as every four hours, with configurable rotation windows using cron or rate expressions.

Rotation can be configured using:
- Managed rotation – the service configures and manages rotation automatically without Lambda functions (supported for RDS, Aurora, Redshift, DocumentDB).
- Lambda function rotation – for custom rotation logic using Lambda functions.
- Managed external secrets rotation – for third-party credentials (e.g., Salesforce, MongoDB Atlas, Confluent Cloud) without Lambda functions.
Credentials rotation does not impact the already open connections as they are not re-authenticated. Authentication happens when a connection is established.
integrates with CloudWatch Events/EventBridge to send a notification when it rotates a secret.

Rotation Strategies

Single user rotation
- Updates credentials for one user in one secret.
- The user’s password is changed in both the secret and the database.
- Recommended when cloned users don’t have the same permissions, or for ad hoc/interactive users.
- Brief period of potential sign-in failure between rotation and propagation.
Alternating users rotation
- Creates a clone user with identical privileges but different password.
- Alternates between two users on each rotation.
- Requires a separate secret with superuser credentials.
- Provides higher availability as the old version remains valid until next rotation.

Managed External Secrets

Introduced in November 2025, managed external secrets extend managed rotation to third-party SaaS credentials.
Enables centralized management and automatic rotation of credentials for third-party software providers directly from Secrets Manager.

No Lambda functions required – rotation is fully managed by Secrets Manager.
Supports standardized formats and multiple rotation strategies per SaaS provider.
Supported providers include Salesforce, MongoDB Atlas, and Confluent Cloud (expanding).

Eliminates the need for provider-specific custom rotation logic.

Secrets Manager Agent & Workload Credentials Provider

Secrets Manager Agent (released July 2024)
- Language-agnostic local HTTP service that pulls and caches secrets in compute environments.
- Exposes a localhost endpoint (port 2773) for applications to retrieve secrets from in-memory cache.
- Reduces API calls and improves application availability.
- Default cache TTL of 300 seconds (configurable).
- Open source and supports pre-fetching secrets at startup and IAM role assumption (May 2026).
- Supports hybrid post-quantum TLS (ML-KEM) by default since version 2.0.
- Works with EC2, ECS, EKS, Lambda, and on-premises/multi-cloud environments.
AWS Workload Credentials Provider (released June 2026)
- Unified lightweight client-side provider that automates deployment of ACM certificates and caching of Secrets Manager secrets.
- Maintains full backwards compatibility with Secrets Manager Agent.
- Works across AWS and non-AWS workloads through a single unified provider.
- Uses post-quantum ML-KEM key exchange by default.

Secrets Manager Security Features

Post-Quantum TLS
- Supports hybrid post-quantum key exchange using ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) for TLS connections.
- Combines traditional cryptography (X25519) with post-quantum algorithms to protect against “harvest now, decrypt later” threats.
- Service-side support launched in 2025; client-side support extended in April 2026.
- Secrets at rest are already quantum-safe (symmetric encryption via KMS).
API Rate Limits (March 2025)
- GetSecretValue: up to 10,000 requests per second
- DescribeSecret: up to 40,000 requests per second
Managed Policies
- SecretsManagerReadWrite – full access including redshift-serverless permission (March 2024).
- AWSSecretsManagerClientReadOnlyAccess – read-only access for client applications, includes BatchGetSecretValue and ListSecrets (November 2025, updated June 2026).

Client-Side Caching

Caching libraries available for Java, Python, .NET, Go, and Rust.
Improves speed, availability, and reduces costs by minimizing API calls.

Default cache refresh interval is one hour (configurable).
Does not include cache invalidation – if a secret rotates before TTL expires, stale values may be returned.
For containerized workloads, client-side caching allows credential rotation without restarting containers.

Secrets Manager vs Systems Manager Parameter Store

Key Differences:
- Secrets Manager is designed specifically for secrets with built-in rotation; Parameter Store is a general-purpose configuration store.
- Secrets Manager supports managed rotation (no Lambda needed for supported databases); Parameter Store requires custom Lambda for rotation.
- Secrets Manager charges per secret ($0.40/month) and per API call ($0.05/10K calls); Parameter Store Standard tier is free.
- Secrets Manager supports cross-region replication natively; Parameter Store does not.
- Secrets Manager supports BatchGetSecretValue; Parameter Store supports GetParameters (up to 10).
AWS Recommendation (2025): Use Secrets Manager for secrets, Parameter Store for simple key-value configuration, and AWS AppConfig for feature flags and advanced dynamic configuration.

AWS Certification Exam Practice Questions

Which AWS service makes it easy for you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle?
1. AWS WAF
2. AWS Secrets Manager
3. AWS Systems Manager
4. AWS Shield
A company uses Amazon RDS for PostgreSQL databases for its data tier. The company must implement password rotation for the databases. Which solution meets this requirement with the LEAST operational overhead?
1. Store the password in AWS Secrets Manager. Enable automatic rotation on the secret.
2. Store the password in AWS Systems Manager Parameter Store. Enable automatic rotation on the parameter.
3. Store the password in AWS Systems Manager Parameter Store. Write an AWS Lambda function that rotates the password.
4. Store the password in AWS Key Management Service (AWS KMS). Enable automatic rotation on the customer master key (CMK).

A company has multiple applications that retrieve database credentials from AWS Secrets Manager at a high rate, causing throttling. Which approach should the company use to address this issue with MINIMAL code changes?
1. Increase the Secrets Manager service quota for API calls.
2. Implement client-side caching using the Secrets Manager caching library or deploy the Secrets Manager Agent for local caching.
3. Store credentials in Systems Manager Parameter Store instead.
4. Replicate the secrets to additional regions and distribute read traffic.

A company needs to manage and rotate credentials for multiple third-party SaaS applications (Salesforce, MongoDB Atlas) with the LEAST operational overhead. Which approach should they use?
1. Write custom Lambda rotation functions for each SaaS provider.
2. Store credentials in Parameter Store and use EventBridge rules for rotation.
3. Use AWS Secrets Manager managed external secrets for automated rotation without Lambda functions.
4. Build a custom rotation service running on ECS.

A company wants to protect its secrets in transit against future quantum computing threats. Which feature of AWS Secrets Manager addresses this requirement?
1. Use customer-managed KMS keys for encryption at rest.
2. Enable secret replication across multiple regions.
3. Use hybrid post-quantum TLS with ML-KEM for Secrets Manager API connections.
4. Enable automatic secret rotation every 4 hours.
A company runs applications on-premises and in AWS. They need a language-agnostic way to retrieve secrets locally without modifying application code to use the AWS SDK. Which solution provides this capability?
1. Use AWS Systems Manager Parameter Store with the SSM agent.
2. Embed secrets in environment variables at deployment time.
3. Deploy the AWS Secrets Manager Agent (or Workload Credentials Provider) for local HTTP-based secret retrieval with in-memory caching.
4. Use AWS Lambda to periodically fetch and write secrets to a local file.

AWS Route 53

Supported DNS Resource Record Types

Alias Resource Record Sets

Route 53 Alias vs CNAME

Route 53 Hosted Zone

Route 53 Health Checks

Route 53 Routing Policies

Route 53 Resolver

Route 53 Global Resolver (New – GA March 2026)

Route 53 Profiles (New – April 2024)

Route 53 Split-view (Split-horizon) DNS

Route 53 DNSSEC

Route 53 Resolver DNS Firewall

Route 53 Application Recovery Controller (ARC)

Route 53 Logging

Route 53 Resolver Endpoints – DNS Delegation (New – June 2025)

AWS Certification Exam Practice Questions

Further Reading

Amazon OpenSearch

OpenSearch Service Domain

OpenSearch Security

OpenSearch Storage Tiers

OpenSearch Cross-Cluster Replication

AWS Certification Exam Practice Questions

References

AWS ElastiCache – Valkey vs Redis OSS vs Memcached

🔄 Major Update (2024-2026): Valkey is Now the Recommended Engine

Memcached

Valkey (Recommended for New Workloads)

Redis OSS (Maintenance Track)

ElastiCache Serverless

Valkey Version Highlights

Comparison Table: Valkey/Redis OSS vs Memcached

AWS Certification Exam Practice Questions

References

AWS Transfer Family

Endpoint Types

AS2 Protocol Support

SFTP Connectors

Transfer Family Web Apps

Managed Workflows (MFTW)

Security and Encryption

Monitoring and Logging

AWS Certification Exam Practice Questions

References

AWS DataSync

DataSync Task Modes

DataSync Supported Locations

Cross-Cloud Transfers

DataSync Manifests

DataSync Task Reports

DataSync Security Features

DataSync Agents

AWS Certification Exam Practice Questions

References

AWS CloudFront vs Global Accelerator

Key Feature Differences (Summary Table)

Recent Feature Updates (2024-2026)

CloudFront Updates

Global Accelerator Updates

When to Use Which

AWS Certification Exam Practice Questions

References

AWS Gateway Load Balancer – GWLB

Gateway Load Balancer Endpoint – GWLBE

Gateway Load Balancer Flow

Traffic from the internet to the application (blue arrows)

Traffic from the application to the internet (orange arrows):

Gateway Load Balancer High Availability

AWS Certification Exam Practice Questions

References

AWS Shield

AWS Shield Tiers

AWS Shield Standard

AWS Shield Advanced

AWS Certification Exam Practice Questions

References

AWS Certificate Manager – ACM

ACM Limitations

AWS Certification Exam Practice Questions