AWS Certification Exam Cheat Sheet

AWS Certification Exam Cheat Sheet

AWS Certification Exams cover a lot of topics and a wide range of services with minute details for features, patterns, anti patterns and their integration with other services. This blog post is just to have a quick summary of all the services and key points for a quick glance before you appear for the exam.

AWS Global Infrastructure

AWS Region, AZs, Edge locations

• Each region is a separate geographic area, completely independent, isolated from the other regions & helps achieve the greatest possible fault tolerance and stability
• AWS Cloud spans 123 Availability Zones within 39 Geographic Regions (as of 2026), with announced plans for additional Regions in Kingdom of Saudi Arabia and Chile
• Communication between regions is across the AWS global network (private fiber backbone, not public Internet)
• Each region has multiple Availability Zones (minimum 3 AZs for newer regions)
• Each AZ is physically isolated, geographically separated from each other and designed as an independent failure zone
• AZs are connected with low-latency private links (not public internet)
• Edge locations are locations maintained by AWS through a worldwide network of data centers for the distribution of content to reduce latency.
• New Regions launched (2024-2025): Canada West (Calgary), Asia Pacific (Malaysia), Asia Pacific (Thailand), Mexico (Central), Asia Pacific (Taipei), Asia Pacific (New Zealand)

AWS Local Zones

• AWS Local Zones place select AWS services closer to end-users, which allows running highly-demanding applications that require single-digit millisecond latencies to the end-users such as media & entertainment content creation, real-time gaming, machine learning etc.
• AWS Local Zones provide a high-bandwidth, secure connection between local workloads and those running in the AWS Region, allowing you to seamlessly connect to the full range of in-region services through the same APIs and tool sets.
• 30+ Local Zone locations available across six continents (as of 2026)

AWS Dedicated Local Zones

• Dedicated Local Zones are a type of on-premises infrastructure managed and operated exclusively by AWS for a single customer or community
• Designed for customers with stringent digital sovereignty, data residency, and compliance requirements (e.g., government classified workloads)
• Can be operated by local AWS personnel with additional security and governance features
• Provides same benefits as Local Zones: elasticity, scalability, pay-as-you-go pricing

AWS Wavelength

• AWS infrastructure deployments embed AWS compute and storage services within the telecommunications providers’ datacenters and help seamlessly access the breadth of AWS services in the region.
• AWS Wavelength brings services to the edge of the 5G network, without leaving the mobile provider’s network reducing the extra network hops, minimizing the latency to connect to an application from a mobile device.
• Available with multiple carrier partners globally including Verizon, Vodafone, KDDI, SK Telecom, and Bell Canada
• Wavelength Zones available in Africa (Morocco) and Senegal in addition to existing locations in US, Europe, Asia, and Canada
• Built on AWS Nitro System, sovereign-by-design providing verifiable security boundary

AWS Outposts

• AWS Outposts bring native AWS services, infrastructure, and operating models to virtually any data center, co-location space, or on-premises facility.
• AWS Outposts is designed for connected environments and can be used to support workloads that need to remain on-premises due to low latency, compliance or local data processing needs.
• Available in two form factors: Outposts Racks (full 42U rack) and Outposts Servers (1U/2U for space-constrained environments)
• Second-generation Outposts Racks (GA April 2025) provide:
  • Latest x86-powered EC2 instances (C7i, M7i, R7i, and C8i, M8i, R8i)
  • Up to 40% better performance compared to first-generation instances
  • Simplified network scaling and configuration
  • Accelerated networking instances for ultra-low latency workloads
  • Native L2/L3 multicast, Precision Time Protocol (PTP) support
  • Available in 70+ countries

AWS European Sovereign Cloud

• New independent cloud for Europe designed to meet stringent data residency, operational autonomy, and resiliency requirements
• First Region launched in Germany (2025), available to all customers
• Physically and logically separate from existing AWS Regions
• Operated and supported exclusively by EU-resident AWS employees

Refer details @ AWS Global Infrastructure

AWS Services

• AWS Security & Identity Service Cheat Sheet
• AWS Networking Services Cheat Sheet
• AWS Compute Services Cheat Sheet
• AWS Storage & Content Delivery Cheat Sheet
• AWS Database Services Cheat Sheet
• AWS Analytics Services Cheat Sheet
• AWS Application Services Cheat Sheet
• AWS Management Tools Cheat Sheet

AWS Organizations

• AWS Organizations offers policy-based management for multiple AWS accounts
• Organizations allows creation of groups of accounts and then apply policies to those groups
• Organizations enables you to centrally manage policies across multiple accounts, without requiring custom scripts and manual processes.
• Organizations helps simplify the billing for multiple accounts by enabling the setup of a single payment method for all the accounts in the organization through consolidated billing
• Policy Types available:
  • Service Control Policies (SCPs) – set maximum permissions for IAM users and roles in member accounts
  • Resource Control Policies (RCPs) – (launched Nov 2024) centrally restrict external access to AWS resources (S3, STS, KMS, SQS, Secrets Manager, and more)
  • Declarative Policies – (launched Dec 2024) define and enforce desired service configuration at scale (e.g., block public access for VPCs/EBS snapshots) with custom error messages
  • Tag Policies – enforce standardized tags across organization resources
  • Backup Policies – centrally manage backup plans
  • AI Services Opt-out Policies – control whether AWS AI services can store/use content
• RCPs complement SCPs: SCPs control who can access, RCPs control what can be accessed
• Declarative policies maintain enforcement even as new features or APIs are added

Consolidated Billing

• Management account (formerly Paying/Payer account) with multiple linked member accounts
• Management account is independent and should be only used for billing purpose
• Management account cannot access resources of other accounts unless given exclusively access through Cross Account roles
• All linked accounts are independent and soft limit of 20
• One bill per AWS account
• Provides Volume pricing discount for usage across the accounts
• Allows unused Reserved Instances and Savings Plans to be applied across the group
• Free tier is not applicable across the accounts
• AWS Billing Conductor allows customizing billing rates, distributing credits/fees, and shared overhead costs for showback/chargeback use cases

Tags & Resource Groups

• Are metadata, specified as key/value pairs with the AWS resources
• Are for labelling purposes and helps managing, organizing resources
• Can be inherited when created by Auto Scaling, CloudFormation, Elastic Beanstalk etc
• Can be used for
  • Cost allocation to categorize and track the AWS costs
  • Conditional Access Control policy to define permission to allow or deny access on resources based on tags (ABAC – Attribute-Based Access Control)
  • Automation – target resources for Systems Manager operations
  • Operations – filter resources in CloudWatch, Config, and Systems Manager
• Resource Group is a collection of resources that share one or more tags
• Tag Policies (via AWS Organizations) enforce standardized tagging across accounts
• Tag Editor allows bulk managing tags across multiple resources and regions

IDS/IPS

• Promiscuous mode is not allowed, as AWS and Hypervisor will not deliver any traffic to instances this is not specifically addressed to the instance
• IDS/IPS strategies
  • Host Based Firewall – Forward Deployed IDS where the IDS itself is installed on the instances
  • Host Based Firewall – Traffic Replication where IDS agents installed on instances which send/duplicate the data to a centralized IDS system
  • In-Line Firewall – Inbound IDS/IPS Tier (like a WAF configuration) which identifies and drops suspect packets
• AWS Network Firewall (recommended managed service for IDS/IPS):
  • Stateful, managed network firewall and IDS/IPS for VPC
  • Supports Suricata-compatible IDS/IPS rules
  • AWS Managed Rule Groups provide threat intelligence-based blocking
  • Marketplace partner managed rules with up to 10M domain indicators and 1M IP addresses
  • Supports domain filtering, IP filtering, protocol inspection, and pattern matching
  • Integrates with AWS Firewall Manager for centralized policy management across accounts
  • Supports VPC Traffic Mirroring for passive IDS analysis
• Amazon GuardDuty provides intelligent threat detection (IDS) analyzing VPC Flow Logs, DNS logs, CloudTrail events, EKS audit logs, and more

DDoS Mitigation

• Minimize the Attack surface
  • use ELB/CloudFront/Route 53 to distribute load
  • maintain resources in private subnets and use Bastion servers or Systems Manager Session Manager
• Scale to absorb the attack
  • scaling helps buy time to analyze and respond to an attack
  • auto scaling with ELB to handle increase in load to help absorb attacks
  • CloudFront, Route 53 inherently scales as per the demand
• Safeguard exposed resources
  • use Route 53 for aliases to hide source IPs and Private DNS
  • use CloudFront geo restriction and Origin Access Control (OAC, replaces OAI)
  • use WAF as part of the infrastructure
• Learn normal behavior (IDS/WAF)
  • analyze and benchmark to define rules on normal behavior
  • use CloudWatch
• Create a plan for attacks
• AWS Shield Standard
  • Automatically included for all AWS customers at no additional cost
  • Protects against most common Layer 3/4 DDoS attacks
  • Always-on network flow monitoring with traffic signatures and anomaly detection
• AWS Shield Advanced
  • Managed DDoS protection with 24/7 Shield Response Team (SRT) access
  • Protects EC2, ELB, CloudFront, Global Accelerator, and Route 53 resources
  • DDoS cost protection (credits for scaling charges during attacks)
  • Automatic application layer (L7) DDoS mitigation with WAF integration
  • DDoS attack flow logs (launched May 2026) for detailed attack analysis
  • Health-based detection using Route 53 health checks for faster, more accurate response
• AWS WAF Application Layer DDoS Protection (launched June 2025) – automatic L7 DDoS detection and mitigation as an AWS Managed Rule group for CloudFront and ALB

AWS Services Region, AZ, Subnet VPC limitations

• Services like IAM (user, role, group, SSL certificate), Route 53, STS, CloudFront, WAF (Global), and Organizations are Global and available across regions
• All other AWS services are limited to Region or within Region and do not exclusively copy data across regions unless configured
• AMI are limited to region and need to be copied over to other region
• EBS volumes are limited to the Availability Zone, and can be migrated by creating snapshots and copying them to another region
• Reserved Instances are limited to the Region (can be modified across AZs within same region) and cannot be migrated to another region
• Savings Plans apply automatically across regions regardless of instance type (Compute Savings Plans)
• RDS instances are limited to the region and can be recreated in a different region by either using snapshots or promoting a Read Replica
• Placement groups:
  • Cluster Placement groups are limited to single Availability Zone
  • Spread Placement groups can span across multiple Availability Zones
  • Partition Placement groups can span across multiple Availability Zones
• S3 data is replicated within the region and can be moved to another region using Cross-Region Replication (CRR). S3 Multi-Region Access Points accelerate multi-region access via AWS Global Accelerator
• DynamoDB maintains data within the region and can be replicated to another region using DynamoDB Global Tables (multi-active, multi-region). Supports Multi-Region Strong Consistency (MRSC) for zero RPO (GA 2025)
• Redshift Cluster span within an Availability Zone only, and can be created in other AZ using snapshots

Disaster Recovery Whitepaper

• RTO is the time it takes after a disruption to restore a business process to its service level and RPO acceptable amount of data loss measured in time before the disaster occurs
• Techniques (RTO & RPO reduces and the Cost goes up as we go down)
  • Backup & Restore – Data is backed up and restored, with nothing running
  • Pilot light – Only minimal critical service like RDS is running and rest of the services can be recreated and scaled during recovery
  • Warm Standby – Fully functional site with minimal configuration is available and can be scaled during recovery
  • Multi-Site / Active-Active – Fully functional site with identical configuration is available and processes the load
• Services
  • Region and AZ to launch services across multiple facilities
  • EC2 instances with the ability to scale and launch across AZs
  • EBS with Snapshot to recreate volumes in different AZ or region
  • AMI to quickly launch preconfigured EC2 instances
  • ELB and Auto Scaling to scale and launch instances across AZs
  • VPC to create private, isolated section
  • Elastic IP address as static IP address
  • ENI with pre allocated Mac Address
  • Route 53 is highly available and scalable DNS service to distribute traffic across EC2 instances and ELB in different AZs and regions
  • AWS Global Accelerator for automatic failover across regions
  • Direct Connect for speed data transfer (takes time to setup and expensive then VPN)
  • S3 and Glacier (with RTO of 3-5 hours) provides durable storage
  • RDS snapshots and Multi AZ support and Read Replicas across regions
  • Aurora Global Database for cross-region replication with <1 second lag
  • DynamoDB Global Tables for multi-region, multi-active replication
  • Redshift snapshots to recreate the cluster
  • Storage Gateway to backup the data in AWS
  • AWS Snow Family (Snowball Edge) for large data transfers – note: no longer available to new customers as of Nov 2025; use AWS DataSync or AWS Data Transfer Terminal instead
  • CloudFormation, Elastic Beanstalk and OpsWorks as orchestration tools for automation and recreate the infrastructure
• AWS Elastic Disaster Recovery (AWS DRS)
  • Replaces CloudEndure Disaster Recovery
  • Minimizes downtime and data loss with continuous block-level replication
  • Supports on-premises to AWS, cloud to AWS, and cross-region/cross-AZ DR
  • Uses cost-effective staging area (minimal compute + EBS) until failover
  • Point-in-time recovery for RPO in seconds
  • Non-disruptive DR drills without impacting source
• AWS Resilience Hub
  • Central service to define RTO/RPO targets for applications
  • Assesses resilience posture against defined goals
  • Next-gen (GA May 2026) includes generative AI-powered failure mode analysis, dependency discovery, and organization-wide reporting
  • Provides recommendations based on AWS Well-Architected Framework