AWS Security Services Architecture – GuardDuty, Security Hub, Inspector & Detective

AWS Security Services Architecture — Overview

AWS provides a layered security services ecosystem for threat detection, vulnerability management, investigation, and centralized security posture management. Understanding how GuardDuty, Security Hub, Inspector, Detective, and Macie work together is essential for SCS-C03 and frequently tested on SAP-C02.

AWS Security Services — Detection, Investigation & Response
── Detection Layer ──
GuardDuty
Threat detection
VPC Flow Logs
DNS Logs | CloudTrail
EKS/S3/Lambda/RDS
Runtime monitoring
Inspector
Vulnerability scanning
EC2 (CVEs, patches)
ECR images
Lambda functions
Software Bill of Materials
Macie
Data classification
PII/PHI discovery
S3 bucket scanning
Sensitive data alerts
Automated discovery
IAM Access Analyzer
External access detection
Policy validation
Unused access findings
Custom policy checks
Cross-account sharing
↓ Findings flow to ↓
── Aggregation & Posture ──
AWS Security Hub
Central dashboard | Aggregates all findings | Compliance checks (CIS, PCI-DSS, NIST)
Automated actions via EventBridge | Cross-account/cross-region aggregation
Detective
Investigation
Graph analysis
Visualize entity behavior
Root cause analysis
12-month history
EventBridge
Automated response
Finding → Lambda
Isolate instance
Revoke credentials
Create ticket
AWS Config
Compliance monitoring
Resource configuration
Rules + Remediation
Config history
Conformance packs

Service Comparison

Service What It Does Data Sources Output
GuardDuty Detects active threats and malicious behavior VPC Flow Logs, DNS, CloudTrail, S3, EKS, RDS, Lambda, Runtime Findings (cryptocurrency mining, port scanning, compromised creds, malware)
Inspector Finds software vulnerabilities (CVEs) EC2 instances (SSM Agent), ECR images, Lambda code Findings with CVE ID, severity, remediation (patch/update)
Macie Discovers sensitive data in S3 S3 bucket objects (scans content) Findings (PII, PHI, credentials, financial data locations)
IAM Access Analyzer Identifies overly permissive access IAM policies, resource policies, KMS grants, S3 buckets Findings (external/public access, unused permissions)
Security Hub Aggregates + prioritizes all security findings GuardDuty, Inspector, Macie, Config, Firewall Manager, 3rd party Unified dashboard, compliance scores, automated actions
Detective Investigates and visualizes security incidents GuardDuty findings, CloudTrail, VPC Flow Logs (12-month graph) Entity relationship graphs, behavior timelines, root cause
Config Monitors resource configuration compliance All AWS resource configurations (records changes) Compliance status, non-compliant resources, remediation actions

How They Work Together

  1. GuardDuty detects a compromised EC2 instance (cryptocurrency mining activity)
  2. Security Hub receives the finding, correlates with Inspector findings (unpatched CVE on same instance)
  3. EventBridge triggers automated response Lambda (isolates instance via Security Group change)
  4. Detective investigates — shows what the compromised instance communicated with, what IAM calls it made, timeline of suspicious behavior
  5. Config records the Security Group change for audit trail

Multi-Account Security Architecture

  • Delegated Administrator: Designate a Security Tooling account as delegated admin for GuardDuty, Security Hub, Inspector, Macie (not the management account)
  • Auto-enable: New member accounts automatically enrolled in all security services
  • Cross-region aggregation: Security Hub can aggregate findings from all regions into a single region
  • Centralized logging: All findings → Security Hub → EventBridge → S3 (Log Archive account) for SIEM integration

Automated Response Patterns

Finding Automated Response Services Used
Compromised EC2 instance Isolate via Security Group (deny all inbound/outbound) GuardDuty → EventBridge → Lambda → EC2 API
Compromised IAM credentials Disable access key + attach deny-all policy GuardDuty → EventBridge → Lambda → IAM API
Public S3 bucket detected Block public access (put bucket policy) Config Rule → SSM Automation → S3 API
Critical CVE found on EC2 Patch via SSM Patch Manager Inspector → EventBridge → SSM Run Command
PII found in S3 bucket Quarantine bucket + notify compliance team Macie → EventBridge → Lambda → S3/SNS

Exam Tips

Exam Key Points
SCS-C03 GuardDuty data sources (know all 8), Security Hub compliance standards (CIS, PCI, NIST), Detective for investigation, automated remediation with EventBridge+Lambda, delegated admin pattern, Macie for S3 PII, Config rules vs conformance packs
SAP-C02 Which service for which detection type, multi-account security architecture, centralized logging to Log Archive, automated response patterns, service selection based on requirements

AWS Certification Exam Practice Questions

Question 1:

A security team receives a GuardDuty finding that an EC2 instance is communicating with a known command-and-control (C2) server. They need to immediately contain the threat AND preserve forensic evidence. What should the automated response do?

  1. Terminate the instance immediately
  2. Change the Security Group to deny all traffic (isolate) but keep the instance running
  3. Take an AMI snapshot and then terminate the instance
  4. Remove the instance from its Auto Scaling Group
Show Answer

Answer: B — Isolating the instance by changing its Security Group to deny all inbound and outbound traffic immediately stops the C2 communication while preserving the instance for forensic investigation (memory dumps, disk analysis, process listing). Terminating would destroy evidence. The forensics team can later snapshot and investigate the isolated instance.

Question 2:

A company needs to ensure all EC2 instances across 50 accounts are scanned for software vulnerabilities (CVEs) automatically, with findings centralized in one place. Which architecture achieves this with LEAST operational overhead?

  1. Install vulnerability scanning agents on all EC2 instances manually
  2. Amazon Inspector with delegated admin in Security Tooling account, auto-enable for all org accounts, findings to Security Hub
  3. AWS Config rules checking for unpatched software
  4. GuardDuty Malware Protection scanning all instances
Show Answer

Answer: B — Inspector automatically discovers and scans EC2 instances (via SSM Agent, already installed on most AMIs), ECR images, and Lambda functions for CVEs. Delegated admin in the Security Tooling account auto-enables for all member accounts. Findings flow to Security Hub for centralized view. Zero manual agent installation — Inspector uses the existing SSM Agent.

Question 3:

A compliance team needs to verify that no S3 bucket in the organization contains unencrypted PII (Social Security numbers, credit card numbers). They need ongoing monitoring, not just a one-time scan. Which service provides this?

  1. AWS Config rule checking S3 encryption settings
  2. Amazon Macie with automated sensitive data discovery
  3. S3 access logging analysis with Athena
  4. GuardDuty S3 protection
Show Answer

Answer: B — Macie uses ML and pattern matching to scan S3 object CONTENTS for sensitive data (SSNs, credit cards, passwords, etc.). Automated discovery mode continuously scans new/modified objects. It reports exactly which objects contain PII and where. Config only checks bucket-level settings (encryption enabled), not content. GuardDuty detects threats, not data classification.

Question 4:

After GuardDuty detects suspicious API calls from an IAM user’s access keys, a security analyst needs to understand: what other resources did this user access in the last 30 days? What was their normal behavior pattern vs current anomaly? Which service provides this investigation capability?

  1. CloudTrail Lake with SQL queries
  2. Amazon Detective with entity behavior graphs
  3. Security Hub finding details
  4. CloudWatch Logs Insights
Show Answer

Answer: B — Detective builds behavior graphs from 12 months of data (CloudTrail, VPC Flow Logs, GuardDuty findings). It visualizes entity relationships and timelines, shows normal vs anomalous behavior patterns, and identifies what resources an entity accessed. You can pivot directly from a GuardDuty finding to Detective for investigation. CloudTrail Lake provides raw query capability but not behavioral analysis or visualization.

Question 5:

A company uses Security Hub with CIS AWS Foundations Benchmark. They want non-compliant findings to be automatically remediated (e.g., disable unused access keys, enable S3 encryption). What is the recommended automation architecture?

  1. Security Hub → SNS → manual review → manual fix
  2. Security Hub → EventBridge rules (filter by finding type) → SSM Automation documents (remediation)
  3. AWS Config auto-remediation rules for each check
  4. Lambda scheduled to scan Security Hub findings hourly and fix them
Show Answer

Answer: B — Security Hub sends findings to EventBridge in real-time. EventBridge rules filter by finding type (e.g., “CIS.1.4 – Access keys rotated”) and trigger SSM Automation documents that perform the remediation. This is event-driven, immediate, and scalable. Config auto-remediation (C) also works for Config-native rules but Security Hub aggregates findings from multiple sources beyond just Config.

Related Architecture Patterns

Related Posts

References

Frequently Asked Questions

What is the difference between GuardDuty and Inspector?

GuardDuty detects active threats and malicious behavior (someone attacking you NOW — C2 communication, brute force, cryptocurrency mining). Inspector finds vulnerabilities that COULD be exploited (unpatched CVEs, misconfigured software). GuardDuty = “you’re being attacked.” Inspector = “you’re vulnerable to attack.”

Do I need both Security Hub and GuardDuty?

Yes — they serve different roles. GuardDuty is a detection engine that generates findings. Security Hub is an aggregation and management platform that collects findings from GuardDuty AND Inspector, Macie, Config, Firewall Manager, and third-party tools. Security Hub provides the unified dashboard, compliance scoring, and automated action triggers.

What is the delegated administrator pattern?

Instead of managing security services from the management account (which should have minimal workloads), you designate a Security Tooling account as delegated admin for GuardDuty, Security Hub, Inspector, and Macie. This account manages security across all org members without needing access to the management account.

Kinesis vs MSK (Managed Kafka) – Streaming Comparison

Kinesis vs MSK (Managed Kafka) — Overview

AWS offers two managed streaming platforms: Amazon Kinesis Data Streams (AWS-native, serverless option) and Amazon MSK (managed Apache Kafka). Both handle real-time data streaming but differ in complexity, ecosystem, pricing, and operational model. This comparison is relevant for SAP-C02 (architecture selection) and MLA-C01 (data ingestion for ML).

Kinesis Data Streams vs Amazon MSK
Amazon Kinesis Data Streams
AWS-Native Streaming
Shard-based (provisioned or on-demand)
AWS SDK producers / KCL consumers
Lambda integration (event source)
Enhanced Fan-Out (dedicated throughput)
Retention: 24h–365d
Serverless option (on-demand mode)
Simpler • AWS-native • Serverless
Amazon MSK (Managed Kafka)
Managed Apache Kafka
Partition-based (broker clusters)
Kafka protocol (any Kafka client)
Kafka Connect (100+ connectors)
Consumer groups (flexible scaling)
Retention: Unlimited (tiered storage)
MSK Serverless option available
Kafka ecosystem • Portable • Flexible

Feature Comparison

Feature Kinesis Data Streams Amazon MSK
Protocol AWS SDK (PutRecord API) Apache Kafka protocol (any Kafka client)
Scaling unit Shards (1MB/s in, 2MB/s out per shard) Partitions + brokers (scale independently)
Scaling mode On-demand (auto) or Provisioned (manual) Add brokers/partitions (MSK Serverless auto-scales)
Retention 24 hours default, up to 365 days Unlimited (tiered storage to S3)
Consumer model KCL, Lambda, Enhanced Fan-Out Consumer groups (unlimited consumers per topic)
Multiple consumers Enhanced Fan-Out (dedicated 2MB/s per consumer) Consumer groups (each reads all partitions independently)
Connectors Limited (Firehose for delivery, Lambda for processing) Kafka Connect (100+ source/sink connectors)
Stream processing Managed Flink, Lambda Kafka Streams, Managed Flink, ksqlDB
Ordering Per shard (partition key based) Per partition (message key based)
Exactly-once At-least-once (dedup at consumer) Exactly-once semantics (EOS) with transactions
Encryption KMS at rest, TLS in transit KMS at rest, TLS in transit, SASL/SCRAM auth
Serverless option On-demand mode (fully serverless) MSK Serverless (auto-scaling, pay per data)
Infrastructure Fully managed (no servers/clusters) Managed brokers (you choose instance types) or Serverless
Portability AWS-only (proprietary API) Kafka-compatible (move to/from any Kafka deployment)

Decision Guide

Choose Kinesis When Choose MSK When
You want serverless, fully managed with zero ops You already have Kafka expertise and existing Kafka consumers/producers
Lambda is your primary consumer You need 100+ connectors via Kafka Connect ecosystem
AWS-native integration is priority (Firehose, Analytics) You need exactly-once semantics (transactions)
Low-moderate throughput (<10 MB/s) High throughput (100+ MB/s, many partitions)
Quick setup, no Kafka knowledge on team Multi-cloud/hybrid portability (same Kafka code runs anywhere)
Short retention sufficient (≤365 days) Unlimited retention needed (tiered storage to S3)

Architecture Patterns

Pattern 1: Kinesis — Real-time Analytics Pipeline

  • Flow: IoT devices → Kinesis Data Streams → Managed Flink (windowed aggregation) → DynamoDB/Redshift
  • Why Kinesis: Serverless (on-demand mode), Lambda integration for lightweight processing, Firehose for direct S3/Redshift delivery

Pattern 2: MSK — Event Backbone for Microservices

  • Flow: 20 microservices produce → MSK topics → Consumer groups per team → Each team processes independently
  • Why MSK: Kafka Connect pulls from databases (CDC), consumer groups allow unlimited independent readers, Kafka Streams for stateful processing

Pattern 3: MSK → Kinesis Firehose (Best of Both)

  • Flow: MSK (high-throughput streaming backbone) → Firehose (managed delivery to S3/Redshift/OpenSearch)
  • Why: Kafka ecosystem for producers/consumers + Firehose’s auto-batching, compression, and format conversion for lake/warehouse delivery

Pricing Comparison

Model Kinesis MSK
Provisioned $0.015/shard-hour + $0.014/million PUT Broker instance-hour ($0.21-$2.16/hr depending on type) + storage
Serverless $0.04/GB ingested + $0.04/GB retrieved $0.10/hr per partition + $0.10/GB data in/out
Cheapest at low volume ✅ (on-demand scales to zero cost) More expensive at low throughput (minimum broker cost)

Rule of thumb: Kinesis is cheaper below ~5 MB/s. MSK becomes more cost-effective above ~50 MB/s with provisioned brokers + Graviton instances.

Exam Tips

Exam Key Points
SAP-C02 “Existing Kafka workload” or “Kafka expertise” → MSK. “Serverless streaming” or “Lambda consumer” → Kinesis. “Multiple independent consumers” → MSK consumer groups OR Kinesis Enhanced Fan-Out. “Migrate from self-managed Kafka” → MSK (same code).
MLA-C01 Kinesis for ML feature streaming (real-time feature ingestion to Feature Store). MSK for high-volume training data pipelines. Both feed Managed Flink for stream processing before ML.

AWS Certification Exam Practice Questions

Question 1:

A company is migrating from self-managed Apache Kafka on EC2 to a managed service. They have 30+ microservices using Kafka producers/consumers with custom Kafka Connect connectors. They want to minimize code changes. Which service should they use?

  1. Amazon Kinesis Data Streams (rewrite producers to use AWS SDK)
  2. Amazon MSK (drop-in Kafka replacement, same client code)
  3. Amazon SQS FIFO (provides ordering like Kafka)
  4. Amazon EventBridge (replace Kafka topics with event bus rules)
Show Answer

Answer: B — MSK is managed Apache Kafka. Existing Kafka producers, consumers, and Connect connectors work with zero code changes — just point to new MSK bootstrap servers. Kinesis would require rewriting all 30+ services to use the AWS SDK. The “minimize code changes” requirement makes MSK the clear answer.

Question 2:

A startup needs real-time clickstream processing. They want the simplest, most serverless approach: data arrives → process in real-time → deliver to S3 in Parquet format. No Kafka expertise on the team. Which combination is simplest?

  1. MSK Serverless → Kafka Streams → S3 sink connector
  2. Kinesis Data Streams (on-demand) → Lambda → S3
  3. Kinesis Data Streams → Kinesis Data Firehose → S3 (Parquet conversion built-in)
  4. MSK → Managed Flink → S3
Show Answer

Answer: C — Kinesis Data Streams (on-demand = serverless, no shard management) → Firehose (auto-batches, converts to Parquet, delivers to S3). Zero servers, zero Kafka knowledge, built-in Parquet conversion. The entire pipeline is fully managed. MSK requires Kafka expertise the team doesn’t have.

Question 3:

A financial platform needs exactly-once processing guarantees for payment events. Events must be processed exactly one time, even if producers retry. Which streaming option provides this natively?

  1. Kinesis Data Streams with deduplication in Lambda consumer
  2. Amazon MSK with Kafka transactions (exactly-once semantics)
  3. SQS FIFO queue with deduplication ID
  4. EventBridge with archive ensuring no duplicates
Show Answer

Answer: B — Apache Kafka (MSK) provides native exactly-once semantics (EOS) through idempotent producers + transactional consumers. The Kafka protocol guarantees each record is written and consumed exactly once without application-level deduplication. Kinesis is at-least-once (consumer must handle deduplication). SQS FIFO has 5-minute dedup but isn’t a streaming platform.

Question 4:

A company streams 500 MB/s of log data from 1000 servers. They need 30 days retention and 5 independent consumer applications reading the same data. Which is MOST cost-effective?

  1. Kinesis with 500 shards + Enhanced Fan-Out for 5 consumers
  2. MSK Provisioned with Graviton brokers + tiered storage + 5 consumer groups
  3. Kinesis on-demand mode with 5 Lambda consumers
  4. 5 separate Kinesis streams (one per consumer)
Show Answer

Answer: B — At 500 MB/s, MSK with provisioned Graviton brokers is significantly more cost-effective than Kinesis (which would need 500+ shards at $0.015/hr each = $2,700/month just for shards). MSK consumer groups allow unlimited independent consumers at no additional per-consumer cost. Tiered storage provides 30-day retention cheaply by moving older data to S3-backed storage.

Question 5:

A team uses Kinesis Data Streams but finds that one consumer (analytics) is falling behind because the shared shard read limit (2MB/s) is consumed by another faster consumer (alerting). How should they fix this without increasing shards?

  1. Increase the consumer’s batch size
  2. Register the analytics consumer as an Enhanced Fan-Out (EFO) consumer
  3. Move the analytics consumer to a separate Kinesis stream
  4. Switch to MSK for consumer group isolation
Show Answer

Answer: B — Enhanced Fan-Out (EFO) provides each registered consumer a dedicated 2MB/s throughput per shard, independent of other consumers. The alerting consumer and analytics consumer no longer share read bandwidth. EFO uses push delivery (SubscribeToShard) instead of polling, also reducing latency to ~70ms.

Related Architecture Patterns

Related Posts

References

Frequently Asked Questions

Can I use Kinesis with existing Kafka consumers?

Not directly — Kinesis uses a proprietary API (AWS SDK / KCL), not the Kafka protocol. If you have existing Kafka consumers, MSK allows them to work with zero changes. To use Kinesis, you’d need to rewrite consumers using the KCL or Lambda event source mapping.

What is MSK Serverless vs MSK Provisioned?

MSK Serverless auto-scales partitions and throughput — no broker management, pay per data. MSK Provisioned gives you dedicated broker instances (you choose types, scaling is manual). Serverless is simpler; Provisioned is cheaper at high sustained throughput and gives more configuration control.

When should I use Managed Flink instead of Lambda for stream processing?

Use Lambda for simple, stateless per-record transformations (filter, enrich, route). Use Managed Flink for complex stateful processing: windowed aggregations, joins across streams, pattern detection, CEP (Complex Event Processing). Flink maintains state across records; Lambda processes each batch independently.

AWS SNS vs SQS vs EventBridge – When to Use Each (Comparison Guide)

SNS vs SQS vs EventBridge — Overview

AWS offers three core messaging/eventing services that are often confused. Each serves a distinct purpose: SQS for queuing (point-to-point buffering), SNS for pub/sub (fan-out notifications), and EventBridge for event routing (content-based filtering from many sources). Choosing the right one — or combining them — is a frequent SAP-C02 and DOP-C02 exam question.

SNS vs SQS vs EventBridge — When to Use Each
Amazon SQS
Queue (Point-to-Point)
Producer → Queue → 1 Consumer
Buffering & decoupling
Consumer pulls at own pace
Retry with visibility timeout
DLQ for failed messages
Use: Decouple, buffer, load level
Amazon SNS
Pub/Sub (Fan-out)
Publisher → Topic → N Subscribers
Push-based delivery
Multiple protocols (SQS, Lambda, HTTP, Email, SMS)
Message filtering (attribute-based)
FIFO topics (ordering)
Use: Fan-out, notify many
Amazon EventBridge
Event Bus (Content Router)
Many Sources → Bus → Rules → Targets
Content-based filtering (any field)
Schema registry & discovery
Archive & replay events
35+ AWS sources + SaaS
Use: Route, filter, integrate
Common combo: EventBridge (route by content) → SNS (fan-out) → SQS (buffer per consumer) → Lambda (process)

Feature Comparison

Feature SQS SNS EventBridge
Model Queue (pull) Pub/Sub (push) Event bus (push)
Consumers 1 consumer per message Multiple subscribers Multiple targets per rule
Filtering None (consumer gets all) Message attributes only Any field in event body (content-based)
Ordering FIFO queues (per message group) FIFO topics Not guaranteed
Deduplication FIFO (5-min window) FIFO topics Not built-in
Retry/DLQ Built-in (visibility timeout + DLQ) DLQ per subscription DLQ + retry policy per target
Persistence Up to 14 days No persistence (deliver or lose) Archive (indefinite) + replay
Max message size 256 KB (extended: 2 GB via S3) 256 KB 256 KB
Throughput Unlimited (Standard) / 3K-70K msg/s (FIFO) Virtually unlimited 2,400 PutEvents/s (soft limit)
AWS sources Limited (must send explicitly) Some (S3, CloudWatch) 35+ native sources + SaaS partners
Cross-account Queue policy Topic policy Cross-account event bus + rules

Decision Guide — When to Use Which

Requirement Choose Why
Buffer messages between producer and consumer SQS Queue absorbs spikes, consumer processes at own pace
One event must trigger multiple independent consumers SNS (or SNS+SQS) Fan-out to many subscribers simultaneously
Route different events to different targets by content EventBridge Content-based rules filter on any field
React to AWS service events (EC2 state change, S3 upload) EventBridge Native integration with 35+ AWS services
Exactly-once processing with strict ordering SQS FIFO Message groups + deduplication IDs
Send notifications (email, SMS, HTTP) SNS Multi-protocol delivery (email, SMS, HTTP, mobile push)
Replay past events after fixing a bug EventBridge Archive + replay feature (SNS/SQS don’t have this)
Integrate with SaaS (Shopify, Zendesk, Stripe) EventBridge Partner event sources built-in
Fan-out + buffering per consumer (reliable) SNS + SQS SNS fans out, each SQS queue gives independent retry/DLQ

Common Architecture Patterns

Pattern 1: SNS + SQS Fan-out (Most Common)

One event → multiple independent processors, each with their own retry and failure handling.

  • Flow: Order Service → SNS Topic → SQS-Inventory + SQS-Email + SQS-Analytics (each with Lambda consumer)
  • Why not just SNS → Lambda directly? SQS adds buffering, retry with backoff, DLQ, and prevents Lambda throttling from affecting other consumers.

Pattern 2: EventBridge + SNS + SQS (Full Decoupling)

Many producers → EventBridge routes by type → SNS fans out → SQS buffers each consumer.

  • Flow: 10 microservices emit events → EventBridge (rules filter by event type) → SNS per domain → SQS per consumer
  • Why: Producers don’t know about consumers. New consumers subscribe without changing producers.

Pattern 3: SQS as Lambda Buffer (Load Leveling)

Protect downstream from traffic spikes.

  • Flow: API Gateway → SQS → Lambda (controlled concurrency)
  • Why: API Gateway has unlimited throughput but Lambda has concurrency limits. SQS absorbs spikes and Lambda processes at a controlled rate.

Pattern 4: EventBridge for AWS Service Events

React to infrastructure changes automatically.

  • Flow: EC2 instance terminates → EventBridge rule → Lambda (cleanup DNS/LB) + SNS (alert ops team)
  • Why: EventBridge receives AWS service events natively without any configuration on the source side.

Pricing Comparison

Service Pricing Model Approximate Cost
SQS Standard Per request (send/receive/delete) $0.40 per million requests (first 1M free)
SQS FIFO Per request $0.50 per million requests
SNS Per publish + per delivery $0.50 per million publishes + delivery cost varies by protocol
EventBridge Per event published $1.00 per million events (custom). AWS service events are free.

Cost tip: AWS service events on EventBridge (EC2 state changes, S3 events via EventBridge, etc.) are FREE. Only custom/partner events incur the $1/M charge.

Exam Tips

Exam Key Points
SAP-C02 “Decouple” → SQS. “Fan-out” → SNS. “Route by content” → EventBridge. “React to AWS events” → EventBridge. SNS+SQS for reliable fan-out with independent retry per consumer.
DOP-C02 DLQ configuration (SQS maxReceiveCount), EventBridge archive for recovery, Lambda event source mappings (SQS batch size, concurrency), monitoring failed deliveries.

AWS Certification Exam Practice Questions

Question 1:

An order processing system needs to trigger three downstream services (inventory, billing, shipping) independently. If billing fails, inventory and shipping should still succeed. Each service needs its own retry logic. Which architecture is BEST?

  1. SNS topic → 3 Lambda subscribers directly
  2. SNS topic → 3 SQS queues (each with own Lambda consumer and DLQ)
  3. EventBridge → 3 Lambda targets on one rule
  4. SQS queue → Lambda → calls 3 services sequentially
Show Answer

Answer: B — SNS+SQS fan-out provides complete independence. Each SQS queue has its own visibility timeout, retry policy, and DLQ. If billing Lambda fails 3 times, that message goes to billing’s DLQ while inventory and shipping process normally. Direct SNS→Lambda risks throttling affecting all subscribers, and has no persistent retry mechanism.

Question 2:

A company receives events from 15 microservices. They need to route “payment” events to the payment processor, “inventory” events to the warehouse system, and “audit” events to the compliance system — based on an “event_type” field in the JSON body. Which service provides this content-based routing?

  1. SNS with message attribute filter policies
  2. SQS with multiple queues and client-side routing
  3. EventBridge with rules filtering on event body content
  4. Kinesis with partition key-based routing
Show Answer

Answer: C — EventBridge rules can filter on any field within the event JSON body (content-based routing). A rule can match {“detail”: {“event_type”: [“payment”]}} and route only payment events to the payment processor target. SNS filter policies only work on message attributes (metadata), not the message body content.

Question 3:

A bug in a consumer caused it to silently discard events for 6 hours before being discovered. The events were published to SNS. Can they be recovered?

  1. Yes — replay from SNS message retention
  2. Yes — if the SQS subscriber had a DLQ configured
  3. No — SNS does not persist messages; once delivered they are gone
  4. Yes — retrieve from CloudWatch Logs
Show Answer

Answer: C — SNS is fire-and-forget; it doesn’t retain messages after delivery attempts. If the consumer discarded them (successfully received but didn’t process), they’re lost. This is why EventBridge Archive is valuable — it stores events for replay. For SNS-based systems, use SNS→SQS (messages persist up to 14 days in the queue) rather than SNS→Lambda directly.

Question 4:

A company wants to trigger a Lambda function when ANY EC2 instance in their account changes state (running, stopped, terminated). They want this with zero custom code on the producer side. Which approach works?

  1. CloudWatch Events (same as EventBridge) rule for EC2 state change → Lambda target
  2. SNS topic that EC2 publishes to on state change → Lambda subscription
  3. SQS queue polled by Lambda checking EC2 DescribeInstances
  4. CloudTrail log with S3 event notification triggering Lambda
Show Answer

Answer: A — EventBridge (successor to CloudWatch Events) natively receives EC2 state change events without any configuration on the EC2 side. You simply create a rule matching {“source”: [“aws.ec2”], “detail-type”: [“EC2 Instance State-change Notification”]} → Lambda target. Zero custom code, no producer changes needed. This is EventBridge’s core advantage — native AWS service integration.

Question 5:

A team uses SNS to fan out order events to 5 subscribers. One subscriber (analytics) only needs “premium” orders (order_value > $100). Currently it receives ALL orders and filters client-side, wasting Lambda invocations. How should they reduce unnecessary invocations?

  1. Create a separate SNS topic for premium orders
  2. Add an SNS subscription filter policy matching the “order_tier” message attribute = “premium”
  3. Replace SNS with EventBridge and use content-based filtering on order_value
  4. Add a Lambda@Edge function to filter before delivery
Show Answer

Answer: B — SNS subscription filter policies allow each subscriber to receive only messages matching specific message attributes. Set the “order_tier” attribute when publishing, and the analytics subscription filter policy matches only “premium”. Non-matching messages are not delivered to that subscriber. This is the simplest solution with no architecture change. EventBridge would also work but is a larger change for a single filter need.

Related Architecture Patterns

Related Posts

References

Frequently Asked Questions

When should I use EventBridge vs SNS?

Use EventBridge when you need content-based filtering on the event body, integration with AWS service events or SaaS partners, schema discovery, or event replay. Use SNS for simple fan-out where attribute-based filtering is sufficient, multi-protocol delivery (email, SMS), or when you need FIFO ordering with topics.

Can I use SQS without SNS?

Yes. Use SQS alone when you have a single producer and single consumer (point-to-point). The producer sends directly to the queue, and one consumer processes messages. Add SNS in front only when you need the same message delivered to multiple independent consumers (fan-out).

What happens if an SNS subscriber is down?

For Lambda/HTTP subscribers: SNS retries with backoff (up to 23 days for HTTP). For SQS subscribers: messages are delivered to the SQS queue immediately (SQS is always “up”) and wait until the consumer processes them. This is why SNS→SQS is more reliable than SNS→Lambda directly — SQS persists messages even if the consumer is temporarily unavailable.

AWS Database Migration Architecture – DMS, SCT & Strategies

AWS Database Migration Architecture — Overview

Database migration is one of the most common workload migration patterns on AWS. The architecture combines AWS Database Migration Service (DMS) for data replication, AWS Schema Conversion Tool (SCT) for schema transformation, and various strategies depending on source/target compatibility and downtime tolerance. This is a core topic for SAP-C02 (migration scenarios) and DOP-C02 (automation).

AWS Database Migration Architecture
SOURCE
Oracle / SQL Server
MySQL / PostgreSQL
MongoDB / SAP
On-prem or other cloud
SCT
Schema Conversion
Assessment Report
Code Migration
(heterogeneous only)
DMS
Replication Instance
Full Load (initial)
+ CDC (ongoing changes)
Validation & Monitoring
TARGET
Aurora / RDS
DynamoDB / Redshift
S3 (Data Lake)
OpenSearch / Neptune
Homogeneous
Same engine (MySQL→Aurora MySQL)
No SCT needed, DMS only
Heterogeneous
Different engine (Oracle→Aurora PostgreSQL)
SCT + DMS required
Large Scale (TB+)
Snowball Edge + DMS CDC
or Direct Connect bulk transfer

AWS Database Migration Service (DMS)

DMS replicates data from source to target with minimal downtime. It runs on a managed replication instance in your VPC.

How DMS Works

  1. Full Load: Migrates all existing data from source tables to target tables
  2. Change Data Capture (CDC): Continuously replicates ongoing changes (inserts, updates, deletes) after full load completes
  3. Full Load + CDC: Combines both — migrates existing data, then keeps target in sync until cutover

DMS Components

Component Role Key Decisions
Replication Instance Managed EC2 that runs migration tasks Size based on data volume + number of tables. Multi-AZ for HA.
Source Endpoint Connection to source database Requires read access + CDC permissions (binary log for MySQL, LogMiner for Oracle)
Target Endpoint Connection to target database/service Requires write access. Target can be RDS, Aurora, DynamoDB, S3, Redshift, etc.
Migration Task Defines what to migrate and how Table mappings, transformation rules, LOB settings, validation
Table Mappings Select/filter/transform tables and columns Include/exclude rules, column renaming, schema renaming

Supported Sources and Targets

Sources Targets
Oracle, SQL Server, MySQL, MariaDB, PostgreSQL, MongoDB, SAP ASE, IBM Db2, Azure SQL, Amazon RDS (all engines), Amazon Aurora, Amazon S3 Amazon RDS (all engines), Amazon Aurora, Amazon Redshift, Amazon DynamoDB, Amazon S3, Amazon OpenSearch, Amazon Neptune, Amazon Kinesis, Apache Kafka, Amazon DocumentDB

AWS Schema Conversion Tool (SCT)

SCT converts database schemas and code from one engine to another (heterogeneous migrations only):

  • Schema conversion: Tables, indexes, views, constraints → target engine syntax
  • Code conversion: Stored procedures, functions, triggers → target equivalent
  • Assessment Report: Identifies what can be auto-converted vs what needs manual effort (red/yellow/green)
  • Data Extraction Agents: For large-scale migrations, SCT agents extract data in parallel to S3, then load into target

Not needed for homogeneous migrations (e.g., MySQL → Aurora MySQL) since the schema is compatible.

Migration Strategies (The 7 Rs)

Strategy What It Means Database Example
Rehost (Lift & Shift) Move as-is to AWS with no changes Oracle on-prem → Oracle on EC2
Replatform Move with minor optimizations MySQL on-prem → RDS MySQL (managed, same engine)
Refactor Change engine/architecture for cloud-native benefits Oracle → Aurora PostgreSQL (heterogeneous, use SCT+DMS)
Repurchase Move to a different product entirely On-prem CRM database → Salesforce (SaaS)
Retire Decommission — no longer needed Legacy reporting DB replaced by Athena on S3
Retain Keep on-premises (not ready/suitable for cloud) Mainframe DB with too many dependencies
Relocate Move infrastructure (VMware) without changes VMware VMs → VMware Cloud on AWS

Zero-Downtime Migration Pattern

  1. Provision target — Create Aurora/RDS in target region/account
  2. SCT (if heterogeneous) — Convert and apply schema to target
  3. DMS Full Load + CDC — Start migration task: initial load + ongoing replication
  4. Validation — Enable DMS data validation to compare source vs target row counts and checksums
  5. Application testing — Point test/staging app at target DB, validate functionality
  6. Cutover — Stop writes to source → Wait for CDC to catch up (seconds) → Redirect application to target
  7. Decommission — Monitor target, then retire source after confidence period

Downtime: Only during step 6 (seconds to minutes — time for last CDC events to apply + DNS/connection string update).

Large-Scale Migration (TB to PB)

  • Problem: Migrating 50TB+ over network takes weeks even on Direct Connect
  • Solution: AWS Snowball Edge for initial bulk transfer + DMS CDC for changes during transit
  • Pattern: Start CDC from Day 1 → Ship Snowball (days) → Load Snowball data to target → Apply accumulated CDC → Cutover
  • Alternative: SCT Data Extraction Agents — parallel extraction to S3 via Direct Connect, then load to target

Target Database Selection

Workload Target Why
OLTP (same engine, managed) Amazon RDS Same engine, minimal changes, managed infrastructure
OLTP (high performance, scaling) Amazon Aurora 5x MySQL / 3x PostgreSQL perf, auto-scaling storage, Global Database
Key-value / high scale NoSQL DynamoDB Single-digit ms latency, unlimited scale, serverless
Analytics / Data Warehouse Amazon Redshift Columnar, MPP, petabyte-scale analytical queries
Data Lake / Archive Amazon S3 Cheapest storage, query with Athena, feed ML pipelines
Search / Log Analytics OpenSearch Full-text search, log analytics, dashboards

Exam Tips by Certification

Exam Focus Areas
SAP-C02 7Rs strategy selection, DMS+CDC for zero-downtime, SCT for heterogeneous, Snowball+DMS for large scale, target DB selection based on workload, multi-account migration patterns
DOP-C02 Automating migration with DMS tasks, CDC monitoring, validation configuration, migration testing in CI/CD, rollback planning

AWS Certification Exam Practice Questions

Question 1:

A company needs to migrate a 10TB Oracle database to Aurora PostgreSQL with less than 1 hour of downtime. The application must continue running during migration. Which approach achieves this?

  1. Use AWS SCT to convert schema, then pg_dump/pg_restore for data
  2. Use AWS SCT for schema + DMS with Full Load and CDC, then cutover after CDC catches up
  3. Create an Oracle RDS instance first, then use Aurora read replica promotion
  4. Use AWS Snowball Edge to transfer the data, then apply schema with SCT
Show Answer

Answer: B — For heterogeneous migration (Oracle → Aurora PostgreSQL) with minimal downtime: SCT converts the schema, DMS performs Full Load of existing data while application continues running, then CDC captures all changes made during migration. At cutover, stop application writes, wait for CDC to apply final changes (seconds), redirect to Aurora. Downtime is only the cutover window (minutes).

Question 2:

A company has a 50TB data warehouse they want to migrate to AWS. Network bandwidth to AWS is 1 Gbps (would take ~5 days for full transfer). They need the target ready within 2 weeks and cannot tolerate data loss. What is the MOST efficient approach?

  1. DMS Full Load over Direct Connect for 5 days, then CDC
  2. AWS Snowball Edge for bulk data + DMS CDC running in parallel from Day 1
  3. S3 Transfer Acceleration for faster upload
  4. Multiple DMS replication instances in parallel
Show Answer

Answer: B — Start DMS CDC immediately to capture all ongoing changes. Simultaneously, load the bulk 50TB onto Snowball Edge (1-2 days to load). Ship Snowball to AWS (~5 days transit). Import Snowball data to S3/target. Apply accumulated CDC changes from the past week. This approach handles both the bandwidth constraint and zero data loss requirement. DMS alone over 1 Gbps would work but Snowball is more efficient for 50TB.

Question 3:

A company is migrating from Oracle to Aurora PostgreSQL. The SCT assessment report shows 60% of stored procedures can be auto-converted, but 40% require manual intervention. The migration has a 3-month deadline. What should they prioritize?

  1. Rewrite all stored procedures in the application layer and remove database logic
  2. Convert the 60% automatically with SCT, manually convert the critical 40%, begin DMS replication in parallel
  3. Stay on Oracle and rehost to Oracle on EC2 instead
  4. Use AWS Lambda to emulate Oracle stored procedures
Show Answer

Answer: B — The practical approach: auto-convert what SCT can handle (60%), then dedicate developer effort to the remaining 40% (prioritize by business criticality). Start DMS replication in parallel so data is ready when code conversion completes. This maximizes the 3-month timeline by parallelizing schema/code work with data replication.

Question 4:

After starting a DMS migration task, a company notices some tables have row count mismatches between source and target. What DMS feature helps identify and resolve this?

  1. CloudWatch metrics for table statistics
  2. DMS data validation (automatic source-target comparison)
  3. DMS premigration assessment
  4. AWS Config compliance rules
Show Answer

Answer: B — DMS data validation compares row counts, data content, and checksums between source and target during and after migration. It identifies mismatched records and reports them in a validation table. You can then investigate and remediate specific rows. Pre-migration assessment checks connectivity and permissions before starting, not data accuracy.

Question 5:

A company wants to migrate their on-premises MySQL database to RDS MySQL. The source and target use the same engine version. What is the SIMPLEST migration approach?

  1. SCT for schema conversion + DMS for data migration
  2. DMS only (Full Load + CDC) — no SCT needed for homogeneous migration
  3. mysqldump export → S3 → RDS import
  4. Create RDS read replica from on-premises using binary log replication
Show Answer

Answer: B — Homogeneous migrations (same engine) don’t require SCT because the schema is already compatible. DMS handles both schema creation on target and data replication. Full Load + CDC provides minimal-downtime migration. mysqldump works but requires downtime during export/import. RDS external replication also works but DMS is the managed, recommended approach.

Related Architecture Patterns

Related Posts

References

Frequently Asked Questions

What is the difference between DMS and SCT?

DMS migrates the data (rows) from source to target with optional ongoing replication (CDC). SCT converts the schema and code (stored procedures, functions, triggers) from one database engine to another. For homogeneous migrations (same engine), only DMS is needed. For heterogeneous migrations (different engines), both SCT and DMS are required.

Can DMS migrate to a different AWS region?

Yes. DMS supports cross-region migration. The replication instance can be in either the source or target region. For on-premises to AWS, place the replication instance in the target region. For cross-region AWS migrations, place it in the target region for better performance (closer to where data is written).

How do I achieve zero-downtime migration?

Use DMS Full Load + CDC: the full load migrates existing data while the application continues running. CDC captures all changes made during migration. At cutover, briefly stop application writes (seconds), wait for CDC to apply final changes, then redirect the application to the new target. Total downtime: seconds to minutes.

AWS Architecture Patterns – Reference Diagrams for Certification Exams

AWS Architecture Patterns — Reference Diagrams for Certification

58 architecture pattern posts covering all 12 AWS certification exams. Each post includes HTML/CSS diagrams, comparison tables, design decisions, exam tips, and 5 practice questions with expandable answers.

🏗️ Core Architecture Patterns (SAP-C02 / SAA-C03)

Architecture Key Services
Three-Tier Web & Caching ALB, ASG, ElastiCache, DAX, RDS Proxy
Serverless API Architecture API Gateway, Lambda, DynamoDB, Cognito
Event-Driven Serverless EventBridge, SQS, SNS, Step Functions, Lambda
Container Platform (ECS/EKS/Fargate) ECS, EKS, Fargate, ECR, App Mesh
Multi-Region Active-Active Route 53, DynamoDB Global, Aurora Global
Disaster Recovery Backup, Pilot Light, Warm Standby, Multi-Site
Auto Scaling & Performance Target Tracking, Predictive, Warm Pools
Cost Optimization Savings Plans, Spot, Right-Sizing, Tiering

🌐 Networking (ANS-C01 / SAP-C02)

Architecture Key Services
VPC Connectivity Decision Guide Peering, TGW, PrivateLink, VPC Sharing
Hybrid Cloud Networking Direct Connect, VPN, Transit Gateway
Direct Connect Deep Dive DX Gateway, LAG, Resiliency Patterns
Global Traffic Management Route 53, Global Accelerator, CloudFront
Route 53 Resolver & Hybrid DNS Resolver Endpoints, DNSSEC, Split-Horizon
ALB vs NLB vs GWLB Load Balancer Decision Guide
VPC Advanced (CIDR, ENI, IPv6) Secondary CIDRs, Prefix Lists, IPv6
Network Performance ENA, EFA, Jumbo Frames, Placement Groups

🔒 Security (SCS-C03 / SAP-C02)

Architecture Key Services
IAM Security (SCPs, Boundaries, ABAC) IAM, Organizations, Verified Permissions
Data Encryption (KMS vs CloudHSM) KMS, CloudHSM, Key Policies, Rotation
Centralized Logging CloudTrail, Security Lake, SIEM
DDoS & Edge Protection WAF, Shield, CloudFront, Firewall Manager
Incident Response Forensics, Containment, Detective
Secrets & Certificate Management Secrets Manager, ACM, mTLS
Zero Trust Architecture Verified Access, VPC Lattice
Network Firewall & Inspection Network Firewall, GWLB, Traffic Mirroring
Federation & SSO Identity Center, Cognito, SAML/OIDC
Security Services GuardDuty, Security Hub, Inspector
Config vs CloudTrail vs CloudWatch Detection & Monitoring Compared
Multi-Account Governance Organizations, Control Tower, SCPs

🤖 AI/ML & GenAI (AIP-C01 / AIF-C01 / MLA-C01)

Architecture Key Services
GenAI Architecture (Bedrock Overview) Bedrock, RAG, Agents, Guardrails
Agentic AI (Agents, MCP, Multi-Agent) Bedrock Agents, Strands SDK, MCP
RAG Architecture (Basics) Bedrock Knowledge Bases
RAG Advanced (Vector DB, Hybrid Search) OpenSearch, pgvector, Reranking
GenAI Cost & Performance Tokens, Caching, Model Routing
GenAI Observability & Evaluation LLM-as-Judge, CloudWatch, X-Ray
GenAI Security & Guardrails PII, Prompt Injection, VPC Isolation
Bedrock vs SageMaker Decision Guide
MLOps Pipeline SageMaker, Model Registry, Endpoints
Prompt Engineering Techniques & Best Practices
Responsible AI Guardrails, Governance, Bias
AI Services Decision Guide Rekognition, Comprehend, Transcribe, etc.

📊 Data & Analytics (DAS-C01 / DEA-C01 / DBS-C01)

Architecture Key Services
Data Lake & Analytics S3, Glue, Athena, Lake Formation
Glue ETL & Data Pipeline Glue Jobs, Catalog, Crawlers, DQ
EMR & Spark Architecture EMR, Spark, EMRFS, EMR Serverless
Kinesis vs MSK Streaming Kinesis, MSK, Firehose, Flink
RDS & Aurora Performance Read Replicas, Proxy, Global, Insights
DynamoDB Advanced Streams, Global Tables, TTL, Capacity
Database Migration (DMS/SCT) DMS, SCT, Migration Patterns
SNS vs SQS vs EventBridge Messaging Comparison

⚙️ DevOps & Operations (DOP-C02 / SOA-C03)

Architecture Key Services
CI/CD Pipeline CodePipeline, CodeBuild, CodeDeploy
CloudFormation Advanced StackSets, Drift, Custom Resources, Guard
Systems Manager Operations Patch Manager, Session Manager, Automation

🚀 Migration & Storage (SAP-C02 / SAA-C03)

Architecture Key Services
Migration Architecture (7Rs) Migration Hub, MGN, DMS, Snow
Storage Gateway vs DataSync vs Snow Hybrid Data Transfer Decision
EFS vs FSx Decision Guide Shared File Storage Comparison

AWS Container Platform Architecture – ECS, EKS, Fargate & Production Patterns

AWS Container Platform Architecture — Overview

Containers are the standard deployment unit for microservices on AWS. The platform spans image management (ECR), orchestration (ECS/EKS), compute (Fargate/EC2), networking (ALB/NLB/Service Connect), and observability (Container Insights/X-Ray). This architecture is heavily tested on DOP-C02 (deployment and operations) and SAP-C02 (architectural decisions).

AWS Container Platform — Production Architecture
IMAGE
ECR
Image scanning
Lifecycle policies
Cross-region replication
ORCHESTRATION
ECS
AWS-native
Task Definitions
Services
EKS
Kubernetes
Pods / Deployments
Helm / Operators
COMPUTE
Fargate
Serverless
No nodes
EC2
Full control
GPU/Spot
NETWORKING
ALB / NLB (ingress)
Service Connect / Cloud Map
VPC Lattice (cross-account)
App Mesh (service mesh)
OBSERVABILITY
Container Insights (metrics)
X-Ray (distributed tracing)
FireLens (log routing)
Prometheus + Grafana (EKS)
SECURITY
ECR image scan (Inspector)
Task/Pod IAM roles
Secrets Manager injection
GuardDuty (EKS runtime)
DEPLOYMENT
Blue/Green (CodeDeploy)
Rolling update
Canary (weighted TG)
ArgoCD / Flux (EKS)

ECS vs EKS — Decision Guide

Factor ECS EKS
Complexity Simpler — AWS-native, less operational overhead More complex — full Kubernetes with ecosystem tooling
Portability AWS-only (proprietary API) Portable — run same manifests on any K8s (on-prem, GKE, AKS)
Ecosystem AWS integrations (CodeDeploy, Service Connect) Rich K8s ecosystem (Helm, Istio, ArgoCD, Prometheus, OPA)
Scaling ECS Service Auto Scaling (simple) HPA + Karpenter/Cluster Autoscaler (more flexible)
Networking awsvpc mode (ENI per task), Service Connect VPC-CNI (pod IPs from VPC), Ingress controllers, Service mesh
Cost No control plane fee $0.10/hr per cluster ($73/month) + node costs
Choose when AWS-only shop, want simplicity, small-medium team Multi-cloud/hybrid, K8s expertise, need ecosystem tools, regulatory portability

Compute — Fargate vs EC2

Factor Fargate EC2
Management No nodes — fully serverless, AWS manages infrastructure You manage nodes — patching, AMIs, capacity
Scaling Scales per-task instantly (no node provisioning) Requires node scaling (ASG or Karpenter) — takes 1-2 min
Cost model Pay per vCPU/GB per second (no idle node cost) Pay per instance-hour (can use Spot/RI for 50-70% savings)
GPU support Not supported Full GPU instance support (P4, G5, Inf2)
Storage Ephemeral (20GB default, up to 200GB) + EFS Full EBS, instance store, EFS, FSx
Best for Variable workloads, small-medium tasks, no-ops teams Predictable high-volume, GPU/ML, DaemonSets, privileged containers

Cost Decision Rule of Thumb

  • Fargate cheaper when: Utilization is <50% (bursty workloads, dev/test, batch jobs)
  • EC2 cheaper when: Utilization is >50% consistently (use Reserved Instances or Savings Plans + Spot for non-critical)
  • Mixed strategy: Fargate for baseline + EC2 Spot capacity providers for spikes

Networking Patterns

Ingress (North-South)

  • ALB: Layer 7 — path/host routing, gRPC, WebSocket, authentication integration. Best for HTTP/HTTPS microservices.
  • NLB: Layer 4 — ultra-low latency, static IPs, TCP/UDP. Best for non-HTTP protocols, high throughput.
  • API Gateway: For serverless-first architectures integrating with containers via VPC Link → NLB → ECS/EKS.

Service Discovery (East-West)

Option How Best For
ECS Service Connect Envoy sidecar auto-injected, namespace-based DNS ECS service-to-service with traffic management
Cloud Map DNS-based or API-based service registry Simple DNS discovery without service mesh overhead
VPC Lattice Managed L7 networking with IAM auth, cross-account Cross-VPC/cross-account service communication with Zero Trust
Kubernetes Service/Ingress Native K8s DNS (CoreDNS) + Ingress controllers EKS-native service discovery within cluster

Auto-Scaling

ECS Scaling

  • Service Auto Scaling: Target tracking (CPU/Memory utilization), step scaling, or scheduled scaling on desired task count
  • Capacity Providers: ECS manages EC2 ASG capacity automatically — scales nodes when tasks need capacity
  • Fargate: No node scaling needed — each task gets its own compute instantly

EKS Scaling

  • Horizontal Pod Autoscaler (HPA): Scales pod replicas based on CPU/memory/custom metrics
  • Karpenter: Provisions optimal EC2 nodes in seconds based on pending pod requirements (replaces Cluster Autoscaler)
  • KEDA: Event-driven scaling (scale on SQS queue depth, Kafka lag, custom metrics)
  • Fargate on EKS: Pods run serverless — no node scaling, instant per-pod provisioning

Deployment Strategies

Strategy ECS EKS
Rolling Default — replace tasks gradually (minHealthy/maxPercent) Default K8s Deployment strategy (maxSurge/maxUnavailable)
Blue/Green CodeDeploy — new task set + ALB target group switch ArgoCD Rollouts or Flagger with Ingress/Service mesh
Canary CodeDeploy Canary (% traffic to new for X minutes) Flagger/ArgoCD Rollouts with progressive traffic shifting
GitOps Not native (use CodePipeline) ArgoCD / Flux — Git as source of truth, auto-sync

Security

Layer ECS EKS
Image security ECR image scanning (Inspector), lifecycle policies, immutable tags, signing with Notation
IAM Task Role (per-task IAM credentials via credential provider) IAM Roles for Service Accounts (IRSA) or Pod Identity — per-pod credentials
Secrets Secrets Manager / Parameter Store → injected as env vars or mounted Secrets Store CSI Driver → mounts AWS Secrets as K8s volumes
Network policy Security Groups per task (awsvpc mode) K8s Network Policies (Calico) + Security Groups for Pods
Runtime security GuardDuty ECS Runtime Monitoring GuardDuty EKS Runtime Monitoring + EKS audit log monitoring

Observability Stack

  • Container Insights: CPU, memory, network, disk metrics per task/pod + cluster-level dashboards (CloudWatch)
  • X-Ray: Distributed tracing across services — inject X-Ray daemon as sidecar or use ADOT (OpenTelemetry)
  • FireLens: ECS log router (Fluent Bit sidecar) — route logs to CloudWatch, S3, OpenSearch, Datadog, Splunk
  • Prometheus + Grafana: Native for EKS — Amazon Managed Prometheus (AMP) + Amazon Managed Grafana (AMG)
  • EKS audit logs: Control plane API audit logs → CloudWatch Logs (detect unauthorized access attempts)

Exam Tips by Certification

Exam Focus Areas
DOP-C02 ECS Blue/Green with CodeDeploy, Fargate vs EC2 decision, capacity providers, auto-scaling configuration, FireLens log routing, image scanning in CI/CD pipeline
SAP-C02 ECS vs EKS selection criteria, Fargate cost optimization, multi-account container deployment, Service Connect vs VPC Lattice, migration from on-prem K8s to EKS

AWS Certification Exam Practice Questions

Question 1:

A company runs 50 microservices on EKS. Their cluster nodes are often under-utilized (30% average CPU) because the Cluster Autoscaler provisions nodes too conservatively. They want faster scaling with better bin-packing. What should they use?

  1. Increase HPA target utilization from 50% to 80%
  2. Replace Cluster Autoscaler with Karpenter
  3. Switch all workloads to Fargate
  4. Use larger EC2 instance types for better packing
Show Answer

Answer: B – Karpenter provisions nodes in seconds (vs minutes for Cluster Autoscaler), selects optimal instance types based on pending pod requirements, and consolidates under-utilized nodes automatically. It provides better bin-packing by choosing right-sized instances and removes nodes when pods can be consolidated elsewhere.

Question 2:

An ECS service needs to connect to other ECS services by name (e.g., http://payment-service:8080) with automatic load balancing, health checking, and traffic metrics — without managing an ALB for each internal service. Which feature provides this?

  1. Cloud Map DNS-based discovery
  2. ECS Service Connect
  3. VPC Lattice
  4. Application Load Balancer with multiple target groups
Show Answer

Answer: B – ECS Service Connect provides namespace-based DNS discovery with an auto-injected Envoy sidecar that handles load balancing, health checking, retries, and traffic metrics between ECS services. It’s simpler than managing per-service ALBs and provides built-in observability. Cloud Map is DNS-only without the traffic management features.

Question 3:

An EKS pod needs to access an S3 bucket and DynamoDB table. The security team requires that ONLY this specific pod gets these permissions — not other pods on the same node. What is the recommended approach?

  1. Attach the permissions to the node’s EC2 instance profile
  2. Use IAM Roles for Service Accounts (IRSA) or EKS Pod Identity
  3. Store access keys as K8s secrets and mount in the pod
  4. Use a VPC endpoint policy to restrict access to this pod’s security group
Show Answer

Answer: B – IRSA (or the newer EKS Pod Identity) associates an IAM role with a specific Kubernetes service account. Only pods using that service account get those credentials. Other pods on the same node don’t have access. Instance profiles grant permissions to ALL pods on a node (violates least privilege). Access keys are long-term credentials (anti-pattern).

Question 4:

A company wants zero-downtime deployments for their ECS Fargate service with the ability to instantly roll back if health checks fail. The deployment should create a new task set, validate it, then switch traffic. Which configuration achieves this?

  1. ECS rolling update with minimumHealthyPercent=100, maximumPercent=200
  2. CodeDeploy Blue/Green deployment with ECS, ALB listener rules, and CloudWatch alarm-based rollback
  3. Manual task count adjustment — double tasks, then drain old
  4. ECS service with multiple task definitions running simultaneously
Show Answer

Answer: B – CodeDeploy Blue/Green creates a new task set (green), registers it with a test ALB listener for validation, then switches the production listener from old (blue) to new (green). If CloudWatch alarms fire during the switch window, CodeDeploy instantly reroutes traffic back to blue. The old task set is drained after a configurable wait period.

Question 5:

A startup runs a variable workload on ECS — 2 tasks during business hours and 0 tasks at night. They want minimum cost with no node management overhead. On weekdays, tasks need to scale up to 20 within seconds during marketing campaigns. Which configuration fits?

  1. EC2 launch type with Reserved Instances and an ASG scheduled action
  2. Fargate launch type with ECS Service Auto Scaling (target tracking on CPU)
  3. EC2 Spot instances with capacity provider managed scaling
  4. Fargate Spot for all tasks to minimize cost
Show Answer

Answer: B – Fargate charges per-second with no idle cost (0 tasks at night = $0). It scales to 20 tasks instantly (no node provisioning delay). Target tracking auto-scaling adjusts task count based on CPU. No node management overhead. Fargate Spot could reduce costs further but risks interruptions during campaigns. For variable, scale-to-zero workloads, Fargate on-demand is optimal.

Related Architecture Patterns

Related Posts

References

📖 Related: Launch Template vs Launch Configuration

Frequently Asked Questions

Is Fargate always more expensive than EC2?

No. Fargate is cheaper for variable, bursty workloads with <50% average utilization because you pay nothing when tasks aren’t running. EC2 becomes cheaper at >50% sustained utilization, especially with Reserved Instances or Savings Plans. Most production workloads benefit from a mix: Fargate for base + EC2 Spot for peaks.

ECS vs EKS for a new project — which should I pick?

If your team has no Kubernetes experience and you’re AWS-only, choose ECS — less operational overhead, tighter AWS integration, no control plane cost. If you need Kubernetes portability, have K8s expertise, or want ecosystem tools (Helm, ArgoCD, Istio, OPA), choose EKS. Both support Fargate.

Can I run sidecars on Fargate?

Yes. ECS Fargate supports multiple containers per task definition (native sidecars with lifecycle dependencies since 2023). EKS Fargate also supports sidecar containers in pods. Common sidecars: Envoy (Service Connect), X-Ray daemon, Fluent Bit (logs), ADOT (OpenTelemetry).

AWS Data Lake & Analytics Architecture – Ingestion, Storage, Processing & Visualization

AWS Data Lake & Analytics Architecture — Overview

A data lake centralizes structured, semi-structured, and unstructured data in S3, enabling analytics at scale without upfront schema design. Combined with AWS analytics services, it forms a complete pipeline from ingestion through transformation to visualization. This architecture is critical for SAP-C02 (architectural decisions) and MLA-C01 (data preparation for ML).

AWS Data Lake & Analytics Pipeline
INGEST
Kinesis (streaming)
Glue (batch ETL)
DMS (databases)
AppFlow (SaaS)
Transfer Family
STORE
S3 (Data Lake)
Raw zone
Curated zone
Enriched zone
Parquet / Iceberg
CATALOG & GOVERN
Glue Data Catalog
Lake Formation
Row/Column ACLs
Tag-based access
Macie (PII)
PROCESS
Glue ETL (Spark)
EMR (Hadoop/Spark)
Athena (SQL)
Redshift Spectrum
Lambda (light)
ANALYZE & VISUALIZE
Athena (ad-hoc)
Redshift (warehouse)
QuickSight (BI)
OpenSearch (logs)
SageMaker (ML)
Governance
Lake Formation
Fine-grained permissions
Cross-account sharing
Security
KMS encryption
VPC endpoints
CloudTrail audit
Cost Optimization
S3 Intelligent-Tiering
Parquet/ORC columnar
Partitioning + compaction

Data Lake Zones

A well-designed data lake organizes data into zones (S3 prefixes) representing data maturity:

Zone Content Format Access
Raw (Landing) Exact copy of source data — immutable Original (JSON, CSV, logs, DB exports) Data engineers only
Curated (Cleansed) Validated, deduplicated, schema-conformed Columnar (Parquet/ORC), partitioned Data analysts, ML engineers
Enriched (Business) Aggregated, joined, business-ready datasets Parquet, Iceberg tables Business analysts, BI tools

Key principle: Raw zone is immutable — never modify source data. All transformations produce new objects in curated/enriched zones. This enables reprocessing if transformation logic changes.

Ingestion Layer

Service Type Use Case
Kinesis Data Streams Real-time streaming Clickstreams, IoT telemetry, application logs (sub-second)
Kinesis Data Firehose Near real-time delivery Stream directly to S3/Redshift/OpenSearch with auto-batching (60s-900s buffer)
AWS Glue (Crawlers + Jobs) Batch ETL Scheduled extraction from databases, APIs, file systems
AWS DMS Database migration/replication Ongoing CDC (Change Data Capture) from RDS/on-prem databases → S3
Amazon AppFlow SaaS integration Pull data from Salesforce, SAP, Google Analytics, Slack → S3
Transfer Family SFTP/FTPS/FTP Partner data feeds using legacy file transfer protocols → S3

Catalog & Governance — Lake Formation

AWS Lake Formation is the governance layer that sits on top of the Glue Data Catalog:

  • Glue Data Catalog: Central metadata repository — databases, tables, schemas, partitions (Hive metastore compatible)
  • Lake Formation Permissions: Fine-grained access control (row-level, column-level, cell-level filtering)
  • Tag-Based Access Control (TBAC): Assign tags to tables/columns (e.g., “PII=true”), grant access based on tags — scales across thousands of tables
  • Cross-account sharing: Share databases/tables with other AWS accounts via RAM or direct grant (no data copying)
  • Governed Tables: ACID transactions on S3 data (via Apache Iceberg integration)

Processing & Transformation

Service Best For Scale
Glue ETL Serverless Spark — schema evolution, dedup, format conversion, joins Auto-scaling DPUs, no cluster management
EMR Heavy big data processing — Spark, Hive, Presto, Flink on managed clusters PB-scale, custom libraries, spot instances for cost
Athena Interactive SQL on S3 — no infrastructure, pay per query Ad-hoc analysis, CTAS for transformations
Redshift Spectrum Query S3 data from Redshift (extend warehouse to lake) Join lake data with warehouse data in single query
Lambda Lightweight transformations triggered by S3 events Small files, simple transforms, real-time triggers

Analytics & Visualization

Service Type When to Use
Athena Serverless SQL Ad-hoc queries, exploration, infrequent access (pay per TB scanned)
Redshift Data warehouse Frequent complex queries, dashboards, predictable workloads, sub-second response
QuickSight BI / Dashboards Business dashboards, embedded analytics, ML insights (anomaly/forecasting)
OpenSearch Log analytics / Search Log analysis, full-text search, real-time dashboards (Kibana)
SageMaker Machine Learning Train models on lake data, feature engineering from curated zone

Cost Optimization

  • Columnar formats (Parquet/ORC): 3-5x compression vs CSV/JSON, Athena scans less data = lower cost
  • Partitioning: Partition by date/region/product — queries scan only relevant partitions (e.g., WHERE year=2026 scans 1/N of data)
  • Compaction: Merge small files into larger ones (1-128MB optimal) — reduces list/get operations and improves query speed
  • S3 Intelligent-Tiering: Automatically moves infrequently accessed data to cheaper tiers (no retrieval fees)
  • Athena workgroups: Set per-query and per-workgroup data scan limits to prevent runaway costs
  • Redshift Serverless: Pay per RPU-second — no idle cost for intermittent warehouse workloads

Exam Tips by Certification

Exam Focus Areas
SAP-C02 Athena vs Redshift decision, Lake Formation cross-account sharing, data zone design, Kinesis vs Glue for ingestion, cost optimization (partitioning, columnar, lifecycle), DMS for CDC
MLA-C01 Feature Store integration with data lake, Glue ETL for feature engineering, data quality with Glue Data Quality, SageMaker access to lake via Athena/Spark, training data in Parquet on S3

AWS Certification Exam Practice Questions

Question 1:

A company stores 50TB of data in S3 as CSV files. Data analysts run Athena queries daily but costs are high ($500/day) because queries scan the entire dataset. What TWO changes would MOST reduce Athena costs?

  1. Convert CSV to Parquet and partition by date
  2. Move data to Redshift and query there instead
  3. Enable S3 Transfer Acceleration for faster queries
  4. Add more Athena workgroups to distribute load
Show Answer

Answer: A – Parquet provides 3-5x compression AND columnar storage (only requested columns are scanned). Partitioning by date means queries with WHERE date=… only scan relevant partitions. Combined, these typically reduce Athena costs by 90%+. Transfer Acceleration is for uploads, not queries. Workgroups limit costs but don’t reduce scan volume.

Question 2:

A financial company needs different teams to access different columns of the same table. The compliance team needs all columns, while the analytics team should NOT see PII columns (SSN, email). The table has 200+ columns. What is the MOST scalable approach?

  1. Create separate copies of the table with PII columns removed for analytics
  2. Lake Formation column-level permissions with tag-based access control
  3. S3 bucket policies restricting access to specific prefixes per team
  4. Athena views that exclude PII columns for the analytics team
Show Answer

Answer: B – Lake Formation column-level permissions restrict which columns each principal can see without duplicating data. Tag-based access control (TBAC) scales by tagging PII columns with “sensitivity=high” and granting analytics team access only to columns without that tag. Adding new PII columns just requires tagging — no permission changes needed. Views work but must be maintained manually.

Question 3:

A company needs to continuously replicate changes from their on-premises Oracle database to S3 for analytics. They need ongoing synchronization (not just a one-time migration) with minimal impact on the source database. Which service provides this?

  1. AWS Glue with JDBC connection on a schedule
  2. AWS DMS with CDC (Change Data Capture) to S3 target
  3. Kinesis Data Firehose with custom producer
  4. AWS DataSync on a recurring schedule
Show Answer

Answer: B – AWS DMS with CDC continuously captures changes (inserts, updates, deletes) from the source database using log-based replication (minimal source impact) and writes them to S3 in Parquet/CSV format. It handles both the initial full load and ongoing replication. Glue JDBC would perform full table scans on schedule (high source impact). DataSync is for file transfers, not database replication.

Question 4:

A data engineering team needs to process 5TB of raw JSON data daily, apply complex transformations (joins across 10 tables, deduplication, schema evolution), and write results to S3 in Parquet. They want serverless with no cluster management. Which service fits?

  1. Athena CTAS (Create Table As Select)
  2. AWS Glue ETL with auto-scaling
  3. Amazon EMR Serverless
  4. Lambda with S3 batch operations
Show Answer

Answer: B – Glue ETL provides serverless Apache Spark with auto-scaling DPUs. It handles complex multi-table joins, deduplication, schema evolution (schema-on-read + schema merging), and writes Parquet natively. No cluster management required. Athena CTAS works for simpler SQL transforms but isn’t ideal for complex multi-step ETL. EMR Serverless also works but Glue is simpler for standard ETL patterns.

Question 5:

A company wants to share specific tables from their data lake with a partner AWS account without copying data. The partner should only see curated tables with certain rows filtered (e.g., only their region’s data). What is the recommended approach?

  1. Copy filtered data to an S3 bucket in the partner account nightly
  2. Lake Formation cross-account sharing with row-level security filters
  3. Redshift data sharing with the partner account
  4. S3 bucket policy granting partner account read access to specific prefixes
Show Answer

Answer: B – Lake Formation cross-account sharing grants the partner account access to specific tables with row-level filters (e.g., WHERE region=’partner_region’). No data copying, no duplication costs, permissions are centrally managed, and the partner queries via their own Athena/Redshift Spectrum. Data stays in your account; they get a filtered view.

Related Architecture Patterns

Related Posts

References

📖 Related: AWS EBS Volume Types – Performance & Cost Comparison

Frequently Asked Questions

Data lake vs data warehouse — when to use which?

A data lake (S3) stores raw data in any format at low cost — best for data exploration, ML, and diverse data types. A data warehouse (Redshift) stores structured, pre-modeled data optimized for fast, repeated analytical queries. Most organizations use both: lake for storage/exploration, warehouse for production dashboards and business intelligence.

AWS Glue vs EMR — when to use which?

Use Glue for standard ETL jobs where you want serverless, auto-scaling, and visual job authoring. Use EMR when you need custom Spark/Hadoop configurations, specific library versions, long-running clusters, or workloads exceeding Glue’s capabilities. Glue is simpler; EMR is more flexible and cost-effective at very large scale with spot instances.

What is Lake Formation vs Glue Data Catalog?

Glue Data Catalog is the metadata repository (table definitions, schemas, partitions). Lake Formation is the governance layer on top that adds fine-grained access control (row/column/cell-level), tag-based permissions, cross-account sharing, and data location registration. Lake Formation uses the Catalog underneath but adds security and governance.

AWS Hybrid Cloud Networking Architecture – Direct Connect, Transit Gateway & VPN

AWS Hybrid Cloud Networking Architecture — Overview

Hybrid cloud networking connects on-premises data centers to AWS, enabling workload migration, burst capacity, disaster recovery, and multi-cloud strategies. The architecture must balance bandwidth, latency, cost, encryption, and redundancy. This is a core focus area for SAP-C02 and the Advanced Networking Specialty (ANS-C01).

AWS Hybrid Cloud Networking Architecture
On-Premises
Corporate Data Center
Customer Gateway Device
DNS Servers (AD)
Branch Offices
Direct Connect
1/10/100 Gbps
Private + Public VIF
Dedicated fiber
── or ──
Site-to-Site VPN
IPSec over internet
1.25 Gbps/tunnel
Encrypted
AWS Cloud
Transit Gateway
Central hub — connects all VPCs + on-prem
Route tables for segmentation | Multi-region peering
Prod VPC
App tier
DB tier
Dev VPC
Isolated
workloads
Shared VPC
DNS, AD
Endpoints
Egress VPC
NAT GW
Firewall
Route 53 Resolver
Inbound + Outbound
Hybrid DNS
PrivateLink
AWS services
without internet
Network Firewall
L3-L7 inspection
IDS/IPS

Connectivity Options Compared

Aspect Direct Connect Site-to-Site VPN Client VPN
Connection Dedicated physical fiber via DX location IPSec tunnels over public internet OpenVPN for individual users
Bandwidth 1, 10, or 100 Gbps (dedicated) / 50Mbps-10Gbps (hosted) Up to 1.25 Gbps per tunnel (use ECMP for more) Per-user bandwidth
Latency Consistent, low (private path) Variable (internet-dependent) Variable
Encryption NOT encrypted by default (add VPN over DX for encryption) Encrypted (IPSec) Encrypted (TLS)
Setup time Weeks-months (physical cross-connect) Minutes (software configuration) Minutes
Redundancy Requires 2 connections at 2 DX locations for HA 2 tunnels per VPN (2 AZs) automatically Multi-AZ endpoint
Cost Port-hour + data transfer out (cheaper egress than internet) Per VPN connection-hour + data transfer Per connection-hour + per subnet association

When to Use Which

  • Direct Connect: Large data transfers (TB+), consistent low-latency requirements, reduced egress costs, compliance requiring private connectivity
  • Site-to-Site VPN: Quick setup, encrypted by default, backup for Direct Connect, low-moderate bandwidth needs
  • DX + VPN together: Encryption over private connection (Direct Connect provides bandwidth + VPN provides encryption)
  • Client VPN: Individual remote users needing access to VPC resources (being replaced by Verified Access for Zero Trust)

AWS Transit Gateway — Central Hub

Transit Gateway is the single point of connectivity for all VPCs, VPNs, Direct Connect, and peered Transit Gateways:

  • Hub-and-spoke: All VPCs attach to TGW instead of meshing VPC peering (N² problem → N attachments)
  • Route tables: Separate route tables for network segmentation (Prod, Dev, Shared Services — control who talks to whom)
  • Multi-region: Transit Gateway Peering connects TGWs across regions (inter-region traffic stays on AWS backbone)
  • ECMP: Equal-Cost Multi-Path across VPN tunnels for aggregate bandwidth (e.g., 4 tunnels × 1.25 Gbps = 5 Gbps)
  • Multicast: TGW supports multicast for financial/media workloads
  • Appliance mode: Ensures symmetric routing when traffic passes through a virtual appliance (firewall) in a VPC

Direct Connect Architecture

Virtual Interfaces (VIFs)

VIF Type Purpose Connects To
Private VIF Access VPC resources via private IP VGW (single VPC) or Direct Connect Gateway → TGW (multiple VPCs)
Public VIF Access AWS public services (S3, DynamoDB) via private path AWS public IP ranges (avoids internet)
Transit VIF Connect to Transit Gateway (access all attached VPCs) Direct Connect Gateway → Transit Gateway

High Availability for Direct Connect

  • Maximum resilience: 2 DX connections at 2 separate DX locations (protects against location failure)
  • High resilience: 2 DX connections at 1 DX location (protects against device failure)
  • DX + VPN backup: Direct Connect as primary, Site-to-Site VPN as failover (via BGP priority)
  • LAG (Link Aggregation): Bundle multiple connections at same location for aggregate bandwidth

Hybrid DNS — Route 53 Resolver

Hybrid DNS ensures name resolution works seamlessly between on-premises and AWS:

  • Inbound Endpoint: On-premises DNS servers forward queries for AWS-hosted domains (e.g., *.aws.internal) → Route 53 Resolver resolves them
  • Outbound Endpoint: AWS resources query on-premises domains (e.g., corp.example.com) → Route 53 Resolver forwards to on-premises DNS
  • Resolver Rules: Define which domains forward where (conditional forwarding)
  • RAM sharing: Share Resolver Rules across accounts so all VPCs in the org resolve hybrid DNS consistently

Centralized Egress & Inspection

Instead of NAT Gateway per VPC (expensive), centralize in a dedicated egress VPC:

  • Egress VPC: Contains NAT Gateways + AWS Network Firewall
  • TGW routing: All VPCs’ 0.0.0.0/0 route points to TGW → TGW routes to Egress VPC
  • Network Firewall: Inspects all outbound traffic (domain filtering, IDS/IPS, stateful rules)
  • Cost savings: One set of NAT Gateways shared across all VPCs vs per-VPC NATs

Multi-Region Networking

  • Transit Gateway Peering: Connect TGWs across regions for inter-region VPC communication (static routes)
  • Direct Connect Gateway: Single DX connection → access VPCs in multiple regions (via TGW in each region)
  • Global Accelerator: Anycast IPs that route to nearest healthy AWS endpoint (for multi-region failover)
  • CloudFront: Edge caching for static/dynamic content, reducing latency for global users

Exam Tips by Certification

Exam Focus Areas
SAP-C02 DX vs VPN selection, TGW route table segmentation, centralized egress/inspection, hybrid DNS (Resolver endpoints), DX+VPN for encrypted private connectivity, multi-region networking patterns
ANS-C01 DX VIF types (Private/Public/Transit), BGP routing (AS-path prepending, MED), LAG, DX Gateway, DX resiliency models, TGW multicast, ECMP over VPN, flow logs analysis

AWS Certification Exam Practice Questions

Question 1:

A company has a 10 Gbps Direct Connect connection for production traffic. They need encrypted connectivity to AWS for compliance, but Direct Connect is not encrypted by default. What is the MOST bandwidth-efficient solution?

  1. Replace Direct Connect with Site-to-Site VPN (encrypted by default)
  2. Create a Site-to-Site VPN over the Direct Connect connection (VPN over DX using public VIF)
  3. Enable MACsec encryption on the Direct Connect connection
  4. Use AWS CloudHSM to encrypt all traffic at the application layer
Show Answer

Answer: C – MACsec (IEEE 802.1AE) provides native Layer 2 encryption on Direct Connect at line speed with no bandwidth penalty. It’s available on 10 Gbps and 100 Gbps dedicated connections. VPN over DX works but is limited to 1.25 Gbps per tunnel and adds overhead. MACsec encrypts the full 10 Gbps capacity without performance impact.

Question 2:

A company has 15 VPCs across 3 accounts. They need all VPCs to communicate with on-premises via a single Direct Connect connection, while keeping production VPCs isolated from development VPCs. What architecture achieves this?

  1. VPC Peering between all VPCs + Virtual Private Gateway per VPC
  2. Transit Gateway with separate route tables for Prod and Dev, connected to Direct Connect via DX Gateway
  3. Direct Connect with 15 Private VIFs (one per VPC)
  4. AWS PrivateLink between all VPCs and on-premises
Show Answer

Answer: B – Transit Gateway provides hub connectivity for all 15 VPCs with a single attachment to Direct Connect (via DX Gateway + Transit VIF). Route tables on TGW control segmentation: Prod route table has routes to on-prem + Prod VPCs (no Dev routes). Dev route table has routes to on-prem + Dev VPCs (no Prod routes). This scales without the N² peering problem.

Question 3:

A company’s on-premises applications need to resolve AWS private hosted zone DNS names (e.g., api.internal.company.com hosted in Route 53). Currently, on-premises DNS queries for these names fail. What should be configured?

  1. Create a public hosted zone and use public DNS resolution
  2. Configure Route 53 Resolver Inbound Endpoints in the VPC and forward on-premises DNS to them
  3. Replicate Route 53 records to on-premises DNS servers
  4. Configure Route 53 Resolver Outbound Endpoints with forwarding rules
Show Answer

Answer: B – Inbound Endpoints provide IP addresses in your VPC that on-premises DNS servers can forward queries to. When on-premises DNS receives a query for *.internal.company.com, it forwards to the Inbound Endpoint IPs → Route 53 Resolver resolves from the private hosted zone → returns the answer. Outbound is the reverse direction (AWS → on-prem DNS).

Question 4:

A company wants to access S3 and DynamoDB from on-premises without traversing the public internet. Their Direct Connect is already established. Which VIF type and configuration enables this?

  1. Private VIF to a VPC with VPC Gateway Endpoints for S3/DynamoDB
  2. Public VIF — advertises AWS public IP ranges over the DX connection
  3. Transit VIF with TGW routing to S3 endpoints
  4. Create an S3 VPC Interface Endpoint and route from on-prem via Private VIF
Show Answer

Answer: B – A Public VIF on Direct Connect advertises AWS public service IP ranges (including S3 and DynamoDB) over your private DX connection. Traffic reaches AWS public endpoints without using the internet — it travels over your dedicated fiber. This is the designed approach for accessing AWS public services privately. Gateway Endpoints are VPC-only (not accessible from on-prem directly).

Question 5:

A company needs maximum resilience for their Direct Connect connectivity. Their compliance requires surviving a complete DX location failure. What is the minimum configuration?

  1. Single DX connection with 2 Private VIFs
  2. 2 DX connections at the same DX location
  3. 2 DX connections at 2 different DX locations
  4. 1 DX connection + Site-to-Site VPN as backup
Show Answer

Answer: C – Maximum resilience requires connections at 2 separate DX locations. If one location has a complete failure (fire, power outage, fiber cut), the other location continues operating. 2 connections at the same location protects against device failure but not location failure. VPN backup provides resilience but with degraded performance (not maximum resilience for DX-grade traffic).

Related Architecture Patterns

Related Posts

References

Frequently Asked Questions

Is Direct Connect encrypted?

No, by default Direct Connect is NOT encrypted — it’s a private connection but data travels in cleartext. For encryption, either enable MACsec (Layer 2, line-speed, on 10/100 Gbps) or create a Site-to-Site VPN over the DX connection (IPSec, limited to 1.25 Gbps per tunnel). MACsec is preferred for high-bandwidth encrypted private connectivity.

Transit Gateway vs VPC Peering — when to use which?

Use VPC Peering for simple point-to-point connectivity between 2-3 VPCs (no transitive routing, lower cost). Use Transit Gateway when you have 4+ VPCs, need on-premises connectivity, require route segmentation, or need transitive routing. TGW scales better but costs more (per-attachment + data processing fee).

What is a Direct Connect Gateway?

A Direct Connect Gateway is a globally available resource that connects your DX connection to VPCs/TGWs in any AWS region (not just the region where the DX location resides). One physical DX connection → DX Gateway → access VPCs across multiple regions. It supports both Private VIFs (→ VGW) and Transit VIFs (→ TGW).

AWS Event-Driven Serverless Architecture – EventBridge, SQS, SNS & Step Functions

AWS Event-Driven Serverless Architecture — Overview

Event-driven architecture (EDA) decouples services by communicating through events rather than direct calls. Combined with serverless compute, it provides automatic scaling, zero idle cost, and fault-tolerant loose coupling. This is a core pattern for SAP-C02 (architectural decisions) and DOP-C02 (automation and failure handling).

Event-Driven Serverless Architecture on AWS
── Event Producers ──
API Gateway
(user actions)
S3
(object events)
DynamoDB Streams
(data changes)
IoT Core
(device data)
CloudWatch
(alarms)
SaaS / Custom
(partner events)
↓ Events ↓
── Event Router ──
Amazon EventBridge
Content-based filtering | Schema registry | Archive & replay | 35+ AWS sources | SaaS integrations
↓ Rules (filter + route) ↓
── Event Consumers & Patterns ──
Lambda
Direct processing
Stateless
Auto-scales
Max 15 min
SQS
Queue (buffering)
Load leveling
Retry with backoff
DLQ for failures
SNS
Fan-out (pub/sub)
Multiple subscribers
Filter policies
Push-based
Step Functions
Orchestration
Multi-step workflows
Error handling
Wait states
Kinesis
Streaming (ordered)
High throughput
Multiple consumers
Replay window

Core Event-Driven Patterns

1. Point-to-Point (Queue)

One producer → One consumer. SQS decouples them with buffering and retry.

  • Use case: Order processing, task queues, async job execution
  • Pattern: API Gateway → SQS → Lambda (poll-based)
  • Guarantee: At-least-once (Standard) or Exactly-once (FIFO)

2. Pub/Sub (Fan-out)

One event → Multiple consumers process independently.

  • Use case: Order placed → update inventory + send email + update analytics
  • Pattern: SNS topic → multiple SQS queues (each with own Lambda consumer)
  • Variant: SNS + filter policies → each subscriber gets only relevant events

3. Event Bus (Content-Based Routing)

Central router matches events to rules and routes to appropriate targets.

  • Use case: Multi-service system where different events go to different processors
  • Pattern: EventBridge rules with content filtering → specific Lambda/SQS/Step Functions per event type
  • Advantage: Producers don’t know about consumers — fully decoupled

4. Orchestration (Step Functions)

Central coordinator manages multi-step workflows with branching, error handling, and retries.

  • Use case: Order fulfillment (validate → charge → ship → notify), ETL pipelines
  • Pattern: Step Functions state machine calling Lambda, ECS, Bedrock, DynamoDB directly
  • Advantage: Visual workflow, built-in retry/catch, wait states, parallel execution

5. Choreography (Distributed Events)

No central coordinator — each service reacts to events and emits new events.

  • Use case: Loosely coupled microservices, event sourcing
  • Pattern: Service A emits event → EventBridge → Service B reacts + emits new event → Service C reacts
  • Trade-off: More autonomous but harder to debug/trace end-to-end

Service Comparison — When to Use Which

Requirement Service Why
Buffer/decouple producer from consumer SQS Queue absorbs spikes, consumer processes at own pace
One event → multiple consumers SNS (or SNS+SQS) Fan-out to multiple subscribers with filtering
Route events from many sources by content EventBridge Content-based rules, schema discovery, archive/replay
Multi-step workflow with error handling Step Functions Visual orchestration, retry/catch, parallel, wait states
High-throughput ordered streaming Kinesis Data Streams Shard-based ordering, multiple consumers, replay
Exactly-once with strict ordering SQS FIFO Message groups guarantee order + deduplication
Cross-account/cross-region events EventBridge Native cross-account event buses, global endpoints

Error Handling & Resilience

Mechanism Service How It Works
Dead Letter Queue (DLQ) SQS, SNS, Lambda, EventBridge Messages that fail max retries are sent to DLQ for investigation
Lambda Destinations Lambda Route success/failure results to SQS, SNS, EventBridge, or another Lambda
Retry with backoff SQS (visibility timeout), Step Functions (Retry) Exponential backoff prevents thundering herd on transient failures
Step Functions Catch Step Functions Catch errors per state → route to fallback/compensation logic
EventBridge Archive & Replay EventBridge Archive all events → replay specific time ranges after fixing consumer bugs

Idempotency — Critical for Event-Driven

At-least-once delivery means consumers may process the same event multiple times. Design for idempotency:

  • DynamoDB conditional writes — Use event ID as key, conditional put (only if not exists)
  • SQS FIFO deduplication — Built-in 5-minute deduplication window
  • Idempotency key in Lambda — Store processed event IDs in DynamoDB/ElastiCache, skip if seen
  • Powertools for Lambda — AWS Lambda Powertools provides idempotency utility out of the box

Scaling Considerations

  • Lambda concurrency: Default 1000/region. Use reserved concurrency for critical functions, SQS batching to control invocation rate.
  • SQS → Lambda scaling: Lambda auto-scales up to 1000 concurrent by adding 60 instances/minute. Batch size (1-10K) controls throughput.
  • EventBridge throttling: 2400 PutEvents/sec default (soft limit). Rules trigger targets with target-specific throttling.
  • Step Functions: Standard (2000 state transitions/sec), Express (100K/sec) — choose based on volume.
  • SNS: Virtually unlimited throughput for publishing. Subscriber delivery follows target limits.

Exam Tips by Certification

Exam Focus Areas
SAP-C02 Decoupling patterns (SQS vs SNS vs EventBridge selection), ordering guarantees (FIFO vs Standard), fan-out architectures, saga pattern for distributed transactions, cross-account event routing
DOP-C02 DLQ monitoring and alerting, Lambda failure handling (destinations vs DLQ), Step Functions error/retry configuration, EventBridge replay for recovery, observability with X-Ray tracing across async services

AWS Certification Exam Practice Questions

Question 1:

An e-commerce application needs to process an order event by simultaneously updating inventory, sending a confirmation email, and notifying the warehouse. Each downstream service should process independently and failures in one should NOT affect others. Which pattern is MOST appropriate?

  1. SQS queue with a single Lambda consuming and calling each service
  2. SNS topic with SQS queue subscriptions for each downstream service (each with own Lambda)
  3. Step Functions parallel state calling all three services
  4. EventBridge with a single rule targeting all three Lambdas
Show Answer

Answer: B – SNS→SQS fan-out provides independent processing per consumer. Each SQS queue has its own Lambda, retry policy, and DLQ. If the email service fails, inventory and warehouse continue unaffected. A single Lambda calling all three creates coupling. Step Functions parallel would work but adds cost/complexity for simple fan-out. EventBridge directly to Lambda doesn’t provide the buffering/retry isolation of SQS.

Question 2:

A financial system processes payment events that MUST be processed exactly once and in the order they were submitted per customer. Different customers’ payments can be processed in parallel. Which configuration provides this?

  1. SQS Standard queue with Lambda deduplication logic
  2. SQS FIFO queue with MessageGroupId set to customer ID
  3. Kinesis Data Stream with partition key set to customer ID
  4. EventBridge with ordered delivery enabled
Show Answer

Answer: B – SQS FIFO with MessageGroupId provides exactly-once processing AND strict ordering within each message group (customer). Different message groups (different customers) process in parallel. Kinesis provides ordering per shard partition key but only at-least-once delivery (not exactly-once). Standard SQS doesn’t guarantee ordering.

Question 3:

A multi-step order fulfillment process (validate → charge → reserve inventory → ship → notify) needs to compensate previous steps if a later step fails (e.g., refund if shipping fails). Which approach implements this saga pattern?

  1. Lambda function chaining (each Lambda invokes the next)
  2. Step Functions with Catch blocks that invoke compensation Lambdas
  3. SQS with manual retry and DLQ
  4. EventBridge choreography with each service emitting success/failure events
Show Answer

Answer: B – Step Functions orchestrated saga pattern defines the happy path and compensation logic. Each step has a Catch block that routes to compensation states (refund, release inventory). The state machine manages the entire transaction lifecycle with built-in retry, timeout, and error handling. Choreography can implement sagas but is harder to manage and debug.

Question 4:

A Lambda function consuming from SQS occasionally fails on certain messages (malformed data). These messages are retried repeatedly, consuming concurrency and blocking other messages. How should this be resolved?

  1. Increase Lambda timeout to give more processing time
  2. Configure maxReceiveCount on the SQS queue with a DLQ — messages exceeding retry limit move to DLQ for investigation
  3. Delete the malformed message in a try/catch block
  4. Increase SQS visibility timeout to delay retries
Show Answer

Answer: B – Setting maxReceiveCount (redrive policy) moves poison messages to a DLQ after N failed attempts. This prevents them from blocking the queue indefinitely while preserving them for debugging. Deleting silently loses the message. Longer timeouts just delay the same failure. The DLQ pattern is the standard for handling poison messages.

Question 5:

A company uses EventBridge to route events from 20+ microservices. A bug in a consumer caused it to discard events for 3 hours before being discovered. They need to reprocess those lost events. Which EventBridge feature enables this?

  1. EventBridge Pipes with enrichment
  2. EventBridge Archive and Replay
  3. EventBridge Schema Registry
  4. CloudWatch Logs Insights query on EventBridge logs
Show Answer

Answer: B – EventBridge Archive stores all events (or filtered events) indefinitely. Replay allows you to re-send archived events from a specific time window to the same or different event bus. This enables recovery from consumer bugs by replaying the 3-hour window after the consumer is fixed. No data is lost as long as archiving was enabled.

Related Architecture Patterns

Related Posts

References

📖 Related: ElastiCache Redis vs Memcached

Frequently Asked Questions

When should I use EventBridge vs SNS for fan-out?

Use SNS for simple fan-out where all subscribers get the same event (or basic attribute filtering). Use EventBridge when you need content-based filtering on any field in the event body, schema discovery, archive/replay, cross-account routing, or SaaS integration. EventBridge is more powerful; SNS is simpler and cheaper for basic pub/sub.

Should I use Step Functions or choreography (distributed events)?

Use Step Functions (orchestration) when you need clear visibility into workflow state, error handling with compensation (saga), and centralized control. Use choreography when services are independently developed/deployed by different teams and you want maximum autonomy. Orchestration is easier to debug; choreography scales organizational independence.

How do I handle poison messages in event-driven systems?

Configure a Dead Letter Queue (DLQ) with maxReceiveCount on SQS queues. After N failed processing attempts, the message moves to the DLQ. Set CloudWatch alarms on DLQ message count. Investigate and replay from DLQ after fixing the issue. For EventBridge, use Archive+Replay for recovery.

AWS Disaster Recovery Architecture – Backup, Pilot Light, Warm Standby & Multi-Site

AWS Disaster Recovery Architecture — Overview

Disaster Recovery (DR) ensures business continuity when an entire region or infrastructure becomes unavailable. AWS offers four DR strategies with increasing cost and decreasing recovery time. Choosing the right strategy depends on your RTO (Recovery Time Objective) and RPO (Recovery Point Objective). This is heavily tested on SAP-C02 and DOP-C02.

AWS Disaster Recovery — Four Strategies
BACKUP & RESTORE
RTO: Hours | RPO: Hours
S3 Cross-Region Replication
EBS/RDS Snapshots → DR Region
CloudFormation to rebuild
No running infra in DR
Cost: $
PILOT LIGHT
RTO: 10s min | RPO: Minutes
Core DB replicated (Aurora/RDS)
Minimal infra running (DB only)
Scale up compute on failover
AMIs ready, ASG at 0
Cost: $$
WARM STANDBY
RTO: Minutes | RPO: Seconds
Full stack running at reduced scale
DB replicated (read replica/Global)
Scale up to production size on fail
Can serve read traffic normally
Cost: $$$
MULTI-SITE ACTIVE/ACTIVE
RTO: ~0 | RPO: ~0
Full production in both regions
Route 53 active-active routing
DynamoDB Global / Aurora Global
No failover needed — always on
Cost: $$$$
← Lower cost, higher RTO/RPO | Higher cost, lower RTO/RPO →

Strategy Deep Dive

1. Backup & Restore

Approach: Data is backed up to a DR region. On disaster, restore data and rebuild infrastructure from templates.

  • Data replication: S3 Cross-Region Replication, EBS snapshot copy, RDS automated backup copy, DynamoDB on-demand backup to another region
  • Infrastructure: CloudFormation/CDK templates stored in S3 — deploy on failover
  • Recovery process: Restore latest snapshot → Launch infrastructure from templates → Update DNS
  • RTO: Hours (time to restore + launch + warm up)
  • RPO: Hours (depends on backup frequency)
  • Cost: Only storage costs in DR region during normal operation

2. Pilot Light

Approach: Core data layer is always replicated and running in DR. Compute and app tier are provisioned on failover.

  • Always running: RDS Read Replica or Aurora Global Database secondary in DR region
  • Ready to launch: AMIs pre-built, Launch Templates configured, ASG desired=0 (or minimal)
  • Recovery process: Promote DB replica → Scale ASG to desired → Update DNS
  • RTO: 10s of minutes (DB promotion + instance launch + health checks)
  • RPO: Minutes (async replication lag)
  • Key difference from Backup/Restore: Data is already there (no restore step)

3. Warm Standby

Approach: Full application stack runs in DR at reduced capacity. Scale up to production on failover.

  • Always running: Full stack at minimum scale (e.g., 1 instance per tier instead of 10)
  • DB: Aurora Global Database or RDS Multi-Region with synchronous or near-synchronous replication
  • Recovery process: Scale up ASG/ECS → Promote DB (if needed) → Route 53 failover
  • RTO: Minutes (just scaling, no provisioning from scratch)
  • RPO: Seconds (continuous replication)
  • Bonus: DR environment can serve read traffic or run batch jobs during normal ops (cost offset)

4. Multi-Site Active/Active

Approach: Full production capacity in multiple regions simultaneously serving traffic.

  • Always running: Full production scale in 2+ regions
  • Data: DynamoDB Global Tables (multi-master) or Aurora Global Database (single writer, fast failover)
  • Routing: Route 53 latency-based or weighted routing distributes traffic across regions
  • No failover: If one region fails, Route 53 health checks remove it — other region(s) absorb traffic
  • RTO/RPO: Near zero — no recovery action needed
  • Challenge: Data consistency, conflict resolution (DynamoDB uses last-writer-wins)

Key AWS Services for DR

Service DR Role Strategies
Route 53 DNS failover (health checks → automatic routing switch) All strategies
Aurora Global Database Cross-region replication (<1s lag), managed failover (<1min) Pilot Light, Warm, Active/Active
DynamoDB Global Tables Multi-region, multi-master replication Active/Active
S3 Cross-Region Replication Async object replication to DR region All strategies
CloudFormation StackSets Deploy infrastructure templates across regions/accounts Backup/Restore, Pilot Light
AWS Elastic Disaster Recovery Continuous block-level replication of servers to DR region Pilot Light, Warm Standby
Global Accelerator Static IPs with automatic failover to healthy endpoints Warm, Active/Active
AWS Backup Centralized backup management with cross-region copy rules Backup/Restore

Route 53 Failover Patterns

  • Active-Passive (Failover): Primary record with health check → Secondary record (DR). Traffic goes to secondary only when primary fails. Used with Pilot Light/Warm Standby.
  • Active-Active (Latency/Weighted): Both regions serve traffic simultaneously. Health checks remove unhealthy region. Used with Multi-Site.
  • Health checks: HTTP/HTTPS endpoint checks, CloudWatch alarm-based checks, calculated checks (combine multiple)

RTO/RPO Selection Guide

Requirement Strategy Typical Use Case
RTO: 24h, RPO: 24h Backup & Restore Non-critical internal apps, dev/test
RTO: 30min, RPO: 5min Pilot Light Important business apps, SLA-backed internal systems
RTO: 5min, RPO: 1min Warm Standby Customer-facing apps, e-commerce, SaaS platforms
RTO: 0, RPO: 0 Multi-Site Active/Active Mission-critical (financial, healthcare), global services

DR Testing & Automation

  • AWS Resilience Hub — Assess applications against RTO/RPO targets, identify gaps, generate recommendations
  • AWS Fault Injection Service (FIS) — Simulate failures (AZ outage, instance termination) to validate DR readiness
  • GameDay exercises — Regular scheduled failover drills to validate runbooks and team readiness
  • Automated failover runbooks — Systems Manager Automation documents for repeatable DR procedures

Exam Tips by Certification

Exam Focus Areas
SAP-C02 Strategy selection based on RTO/RPO/cost requirements, Aurora Global vs DynamoDB Global Tables, Route 53 failover configuration, multi-region architecture decisions, cost optimization of DR
DOP-C02 Automated failover runbooks (SSM Automation), infrastructure-as-code for DR (StackSets), monitoring for failover triggers, testing DR with FIS, CI/CD across regions

AWS Certification Exam Practice Questions

Question 1:

A company requires RTO of 15 minutes and RPO of 1 minute for their customer-facing application. They want to minimize costs while meeting these targets. Which DR strategy is MOST appropriate?

  1. Backup & Restore
  2. Pilot Light
  3. Warm Standby
  4. Multi-Site Active/Active
Show Answer

Answer: C – Warm Standby provides RTO of minutes and RPO of seconds (continuous replication). Pilot Light would have RTO of 10s of minutes (too slow for 15-min requirement when accounting for DB promotion + instance scaling). Multi-Site would exceed requirements and cost significantly more. Warm Standby is the minimum cost strategy meeting both targets.

Question 2:

An application uses Aurora MySQL as its primary database. The DR strategy requires the database to fail over to another region in under 1 minute with minimal data loss. Which Aurora feature provides this?

  1. Aurora Read Replica in another region with manual promotion
  2. Aurora Global Database with managed planned/unplanned failover
  3. RDS Multi-AZ with cross-region snapshot copy
  4. Aurora Serverless with multi-region configuration
Show Answer

Answer: B – Aurora Global Database replicates data across regions with <1 second lag using dedicated replication infrastructure. Managed failover promotes a secondary region to read-write in typically under 1 minute. Cross-region Read Replicas require manual promotion (slower and more error-prone). Multi-AZ is same-region only.

Question 3:

A global SaaS company needs zero-downtime even during a full region failure. Their application uses a NoSQL database. Users in multiple continents should always hit the closest region with read-write access. Which architecture achieves this?

  1. Aurora Global Database with Route 53 latency-based routing
  2. DynamoDB Global Tables with Route 53 latency-based routing
  3. ElastiCache Global Datastore with CloudFront
  4. RDS Multi-AZ in each region with cross-region read replicas
Show Answer

Answer: B – DynamoDB Global Tables provide multi-region, multi-master (active-active) replication. Users in any region get read-write access to their local table with sub-second replication to other regions. Route 53 latency routing sends users to the closest region. Aurora Global has only a single write region (not true active-active write).

Question 4:

A company’s DR plan uses Pilot Light strategy. During a failover drill, they find that recovering takes 45 minutes instead of the expected 15 minutes. Most time is spent waiting for EC2 instances to launch and pass health checks. How should they reduce RTO?

  1. Switch to Backup & Restore with faster snapshots
  2. Pre-warm the load balancer and use pre-baked AMIs with reduced health check grace periods
  3. Upgrade to Warm Standby with minimum-scale running instances
  4. Use larger instance types for faster boot time
Show Answer

Answer: C – If Pilot Light can’t meet the RTO target, upgrade to Warm Standby — instances are already running at minimum scale, so failover only requires scaling up (adding instances to existing ASG), not provisioning from scratch. This eliminates instance launch + configuration time. Pre-baked AMIs help but won’t achieve 15-min if the fundamental issue is launch time.

Question 5:

An architect wants to validate that their multi-region application can survive an AZ failure without manual intervention. Which AWS service allows them to safely simulate this in production?

  1. AWS Config with remediation actions
  2. AWS Fault Injection Service (FIS) with AZ disruption experiment
  3. CloudWatch Synthetics with failure injection
  4. AWS Systems Manager Automation with termination scripts
Show Answer

Answer: B – AWS Fault Injection Service (FIS) provides controlled chaos engineering experiments including AZ power disruption simulation. It safely tests resilience by injecting real failures with automatic stop conditions (guardrails) that halt the experiment if impact exceeds defined thresholds. This validates DR without risking uncontrolled damage.

Related Architecture Patterns

Frequently Asked Questions

What is the difference between RTO and RPO?

RTO (Recovery Time Objective) is the maximum acceptable time to restore service after a disaster — “how long can we be down?” RPO (Recovery Point Objective) is the maximum acceptable data loss measured in time — “how much data can we lose?” Lower values for both cost more to achieve.

Can I use Multi-AZ instead of multi-region for DR?

Multi-AZ protects against single AZ failures (hardware, networking) but NOT against region-wide events (which are rare but possible). For true DR against region failure, you need multi-region. Multi-AZ is high availability (HA), not disaster recovery (DR). Most production workloads need both.

What is AWS Elastic Disaster Recovery?

AWS Elastic Disaster Recovery (DRS) continuously replicates servers (block-level) to a staging area in your DR region. On failover, it launches fully provisioned servers from the latest replication point within minutes. It’s ideal for lift-and-shift workloads and Pilot Light/Warm Standby strategies where you need rapid server recovery.

Related Posts