AWS Certified Developer – Associate DVA-C02 Exam Learning Path

AWS Certified Developer - Associate Certification

AWS Certified Developer – Associate DVA-C02 Exam Learning Path

  • AWS Certified Developer – Associate DVA-C02 exam is the latest AWS exam released on 27th February 2023 and has replaced the previous AWS Developer – Associate DVA-C01 certification exam.
  • I passed the AWS Developer – Associate DVA-C02 exam with a score of 835/1000.

AWS Certified Developer – Associate DVA-C02 Exam Content

  • DVA-C02 validates a candidate’s ability to demonstrate proficiency in developing, testing, deploying, and debugging AWS cloud-based applications.
  • DVA-C02 also validates a candidate’s ability to complete the following tasks:
    • Develop and optimize applications on AWS
    • Package and deploy by using continuous integration and continuous delivery (CI/CD) workflows
    • Secure application code and data
    • Identify and resolve application issues

Refer AWS Certified Developer – Associate Exam Blue Print

AWS Certified Developer - Associate Domains

DVA-C02 Exam Guide Version 2.1 Update (December 2024)

  • AWS revised the DVA-C02 exam guide to Version 2.1 on December 12, 2024, adding 18 new skills and updating in-scope services.
  • Key new skills added:
    • Use Amazon Q Developer for development assistance
    • Implement event-driven patterns using Amazon EventBridge
    • Implement resilient application code (retry logic, circuit breakers, error handling patterns)
    • Implement Lambda functions for real-time data processing and transformation
    • Use specialized data stores based on access patterns (e.g., Amazon OpenSearch Service)
    • Implement application-level authorization for fine-grained access control
    • Handle cross-service authentication in microservices architectures
    • Implement application-level data masking and sanitization
    • Implement data access patterns for multi-tenant applications
    • Prepare application configurations for different environments (e.g., AWS AppConfig)
    • Test event-driven applications
    • Use Amazon Q Developer to generate automated tests
    • Debug service integration issues in applications
    • Create application health checks and readiness probes
    • Implement application-level caching for improved performance
    • Implement structured logging for application events and user actions
    • Configure deployment strategies (blue/green, canary, rolling) for application releases
  • Services added to in-scope: Amazon Q Developer
  • Services removed from in-scope: AWS Copilot (EOL June 2026), Amazon CodeGuru (EOL November 2025)
  • Refer DVA-C02 Exam Guide Revisions

AWS Certified Developer – Associate DVA-C02 Summary

  • DVA-C02 exam consists of 65 questions in 130 minutes, and the time is more than sufficient if you are well-prepared.
  • DVA-C02 exam includes two types of questions, multiple-choice and multiple-response.
  • DVA-C02 has a scaled score between 100 and 1,000. The scaled score needed to pass the exam is 720.
  • Associate exams currently cost $ 150 + tax.
  • You can get an additional 30 minutes if English is your second language by requesting Exam Accommodations. It might not be needed for Associate exams but is helpful for Professional and Specialty ones.
  • AWS exams can be taken either remotely or online, I prefer to take them online as it provides a lot of flexibility. Just make sure you have a proper place to take the exam with no disturbance and nothing around you.
  • Also, if you are taking the AWS Online exam for the first time try to join at least 30 minutes before the actual time as I have had issues with both PSI and Pearson with long wait times.

AWS Certified Developer – Associate DVA-C02 Exam Resources

AWS Certified Developer – Associate DVA-C02 Exam Topics

  • AWS DVA-C02 exam concepts cover solutions that fall within AWS Well-Architected framework to cover scalable, highly available, cost-effective, performant, and resilient pillars.
  • AWS Certified Developer – Associate DVA-C02 exam covers a lot of the latest AWS services like Amplify, X-Ray, Amazon Q Developer while focusing majorly on other services like Lambda, DynamoDB, Elastic Beanstalk, S3, EC2
  • The December 2024 exam revision (Version 2.1) added focus on event-driven architectures, resilient coding patterns, multi-tenant data access, and AI-assisted development using Amazon Q Developer.
  • AWS Certified Developer – Associate DVA-C02 exam is similar to DVA-C01 with more focus on the hands-on development and deployment concepts rather than just the architectural concepts.

Compute

  • Elastic Cloud Compute – EC2
  • Auto Scaling and ELB
    • Auto Scaling provides the ability to ensure a correct number of EC2 instances are always running to handle the load of the application
    • Elastic Load Balancer allows the incoming traffic to be distributed automatically across multiple healthy EC2 instances
  • Autoscaling & ELB
    • work together to provide High Availability and Scalability.
    • Span both ELB and Auto Scaling across Multi-AZs to provide High Availability
    • Do not span across regions. Use Route 53 or Global Accelerator to route traffic across regions.
  • Lambda and serverless architecture, its features, and use cases.
    • Lambda integrated with API Gateway to provide a serverless, highly scalable, cost-effective architecture.
    • Lambda execution role needs the required permissions to integrate with other AWS services.
    • Environment variables to keep functions configurable.
    • Lambda Layers provide a convenient way to package libraries and other dependencies that you can use with your Lambda functions.
    • Function versions can be used to manage the deployment of the functions.
    • Function Alias supports creating aliases, which are mutable, for each function version.
    • provides /tmp ephemeral scratch storage.
    • Integrates with X-Ray for distributed tracing.
    • Use RDS proxy for connection pooling.
    • Lambda SnapStart – reduces cold start latency to sub-second for Java (GA 2022), and now also supports Python and .NET functions (GA November 2024). Works by caching and reusing snapshotted memory and disk state.
    • Recursive loop detection – automatically detects and stops recursive invocations between Lambda and supported services (SQS, SNS, S3) after 16 invocations. Function-level configuration APIs added (August 2024) to customize behavior.
    • Advanced logging controls – supports structured JSON logging format, configurable log levels, and choice of log destination. Tiered pricing for CloudWatch Logs introduced (May 2025).
  • Elastic Container Service – ECS with its ability to deploy containers and microservices architecture.
    • ECS role for tasks can be provided through taskRoleArn
    • ALB provides dynamic port mapping to allow multiple same tasks on the same node.
  • Elastic Kubernetes Service – EKS
    • managed Kubernetes service to run Kubernetes in the AWS cloud and on-premises data centers
    • ideal for migration of an existing workload on Kubernetes
  • Elastic Beanstalk
    • at a high level, what it provides, and its ability to get an application running quickly.
    • Deployment types with their advantages and disadvantages

Databases

  • Understand relational and NoSQL data storage options which include RDS, DynamoDB, and Aurora with their use cases
  • Relational Database Service – RDS
    • Read Replicas vs Multi-AZ
      • Read Replicas for scalability, Multi-AZ for High Availability
      • Multi-AZ is regional only
      • Read Replicas can span across regions and can be used for disaster recovery
  • RDS Proxy
    • fully managed, highly available database proxy for RDS that makes applications more secure, scalable, more resilient to database failures.
    • allows apps to pool and share DB connections established with the database
  • DynamoDB
    • provides low latency performance, a key-value store
    • is not a relational database
    • Secondary indexes on a table allow efficient access to data with attributes other than the primary key.
    • Know Local Secondary Indexes vs Global Secondary Indexes
    • DynamoDB DAX provides caching for DynamoDB
    • DynamoDB TTL helps expire data in DynamoDB without any cost or consuming any write throughput.
    • DynamoDB Streams provides a time-ordered sequence of item-level changes made to data in a table and integrates with Lambda.
    • DynamoDB Best Practices around designing partition keys and secondary indexes.
    • DynamoDB Zero-ETL integration with Amazon Redshift (GA October 2024) – enables running analytics on DynamoDB data without managing ETL pipelines.
    • Price reductions (November 2024) – 50% reduction for on-demand throughput and up to 67% for global tables.
    • Global tables cross-account replication (2025) – supports replication across AWS accounts for multi-account architectures.
  • ElastiCache use cases, mainly for caching performance

Storage

  • Simple Storage Service – S3
    • S3 storage classes with lifecycle policies
      • Understand the difference between SA Standard vs SA IA vs SA IA One Zone in terms of cost and durability
    • S3 Data Protection
      • S3 Client-side encryption encrypts data before storing it in S3
      • S3 encryption in transit can be enforced with S3 bucket policies using secureTransport attributes.
      • S3 encryption at rest can be enforced with S3 bucket policies using x-amz-server-side-encryption attribute.
    • S3 features including
      • S3 provides cost-effective static website hosting. However, it does not support HTTPS endpoint. Can be integrated with CloudFront for HTTPS, caching, performance, and low-latency access.
      • S3 versioning provides protection against accidental overwrites and deletions. Used with MFA Delete feature.
      • S3 Pre-Signed URLs for both upload and download provide access without needing AWS credentials.
      • S3 CORS allows cross-domain calls
      • S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket.
      • S3 Event Notifications to trigger events on various S3 events like objects added or deleted. Supports SQS, SNS, Lambda functions, and Amazon EventBridge.
      • Integrates with Amazon Macie to detect PII data
      • Replication that supports the same and cross-region replication required versioning to be enabled.
      • Integrates with Athena to analyze data in S3 using standard SQL.
  • Instance Store
    • is physically attached to the EC2 instance and provides the lowest latency and highest IOPS
  • Elastic Block Storage – EBS
    • EBS volume types and their use cases in terms of IOPS and throughput. SSD for IOPS and HDD for throughput
  • Elastic File System – EFS
    • simple, fully managed, scalable, serverless, and cost-optimized file storage for use with AWS Cloud and on-premises resources.
    • provides shared volume across multiple EC2 instances, while EBS can be attached to a single instance within the same AZ or EBS Multi-Attach can be attached to multiple instances within the same AZ
    • can be mounted with Lambda functions
    • supports the NFS protocol, and is compatible with Linux-based AMIs
    • supports cross-region replication and storage classes for cost management.
  • Difference between EBS vs S3 vs EFS
  • Difference between EBS vs Instance Store
  • Would recommend referring Storage Options whitepaper, although a bit dated 90% still holds right

Security & Identity

  • Identity Access Management – IAM
    • IAM role
      • provides permissions that are not associated with a particular user, group, or service and are intended to be assumable by anyone who needs it.
      • can be used for EC2 application access and Cross-account access
    • IAM Best Practices
  • Cognito
    • provides authentication, authorization, and user management for the web and mobile apps.
    • User pools are user directories that provide sign-up and sign-in options for the app users.
    • Identity pools enable you to grant the users access to other AWS services.
  • Key Management Services – KMS encryption service
    • for key management and envelope encryption
    • provides encryption at rest and does not handle encryption in transit.
  • Amazon Certificate Manager – ACM
    • helps easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and internally connected resources.
  • AWS Secrets Manager
    • helps protect secrets needed to access applications, services, and IT resources.
    • supports automatic rotations of secrets
  • Secrets Manager vs Systems Manager Parameter Store for secrets management
    • Secrets Manager supports automatic credentials rotation and is integrated with Lambda and other services like RDS, and DynamoDB.
    • Systems Manager Parameter Store provides free standard parameters and is cost-effective as compared to Secrets Manager.

Front-end Web and Mobile

  • API Gateway
    • is a fully managed service that makes it easy for developers to publish, maintain, monitor, and secure APIs at any scale.
    • Powerful, flexible authentication mechanisms, such as AWS IAM policies, Lambda authorizer functions, and Amazon Cognito user pools.
    • supports Canary release deployments for safely rolling out changes.
    • define usage plans to meter, restrict third-party developer access, configure throttling, and quota limits on a per API key basis
    • integrates with AWS X-Ray for understanding and triaging performance latencies.
    • API Gateway CORS allows cross-domain calls
  • Amplify
    • is a complete solution that lets frontend web and mobile developers easily build, ship, and host full-stack applications on AWS, with the flexibility to leverage the breadth of AWS services as use cases evolve.

Management Tools

  • CloudWatch
    • monitoring to provide operational transparency
    • is extendable with custom metrics
    • does not capture memory metrics, by default, and can be done using the CloudWatch agent.
  • EventBridge
    • is a serverless event bus service that makes it easy to connect applications with data from a variety of sources.
    • enables building loosely coupled and distributed event-driven architectures.
    • (New in V2.1) Understand implementing event-driven patterns using EventBridge for decoupled, scalable architectures.
  • CloudTrail
    • helps enable governance, compliance, and operational and risk auditing of the AWS account.
    • helps to get a history of AWS API calls and related events for the AWS account.
  • CloudFormation
    • easy way to create and manage a collection of related AWS resources, and provision and update them in an orderly and predictable fashion.
    • Supports Serverless Application Model – SAM for the deployment of serverless applications including Lambda.
    • CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and Regions with a single operation.
  • AWS AppConfig (capability of AWS Systems Manager)
    • (New in V2.1) Used to prepare application configurations for different environments.
    • Helps create, manage, and deploy application configurations including feature flags.
    • Integrates with Lambda via the AppConfig Agent Lambda extension for dynamic configuration without redeployment.
    • Supports gradual deployment with rollback on errors.

Integration Tools

  • Simple Queue Service
    • as message queuing service and SNS as pub/sub notification service
    • as a decoupling service and provide resiliency
    • SQS features like visibility, and long poll vs short poll
    • provide scaling for the Auto Scaling group based on the SQS size.
    • SQS Standard vs SQS FIFO difference
      • FIFO provides exactly-once delivery but with low throughput
  • Simple Notification Service – SNS
    • is a web service that coordinates and manages the delivery or sending of messages to subscribing endpoints or clients
    • Fanout pattern can be used to push messages to multiple subscribers.
  • Understand SQS as a message queuing service and SNS as a pub/sub notification service.
  • Know AWS Developer tools
    • CodeCommit is a secure, scalable, fully-managed source control service that hosts private Git repositories. Note: CodeCommit was briefly deprecated in July 2024 but returned to General Availability in November 2025. However, it remains in feature freeze with no new features planned.
    • CodeBuild is a fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy.
    • CodeDeploy helps automate code deployments to any instance, including EC2 instances and instances running on-premises.
    • CodePipeline is a fully managed continuous delivery service that helps automate the release pipelines for fast and reliable application and infrastructure updates.
    • CodeArtifact is a fully managed artifact repository service that makes it easy for organizations of any size to securely store, publish, and share software packages used in their software development process.
  • X-Ray
    • helps developers analyze and debug production, distributed applications for e.g. built using a microservices lambda architecture

AI-Assisted Development (New in V2.1)

  • Amazon Q Developer
    • AI-powered development assistant added to DVA-C02 in-scope services (December 2024 revision).
    • Provides code generation, debugging assistance, code transformation, and security scanning.
    • Can generate automated tests for application code.
    • Supports code optimization and refactoring recommendations.
    • Note: AWS announced end-of-support for Amazon Q Developer IDE plugins (April 30, 2027) with successor being Kiro IDE. The exam currently tests Q Developer concepts.

Resilient Application Patterns (New in V2.1)

  • Implement resilient application code for third-party service integrations:
    • Retry logic – exponential backoff with jitter for transient failures
    • Circuit breakers – prevent cascading failures by stopping requests to failing services
    • Error handling patterns – graceful degradation, fallback responses
    • Health checks and readiness probes – application-level health monitoring
  • Cross-service authentication in microservices architectures
  • Data access patterns for multi-tenant applications
  • Application-level data masking and sanitization

Analytics

  • Redshift as a business intelligence tool
  • Kinesis
    • for real-time data capture and analytics.
    • Integrates with Lambda functions to perform transformations
  • AWS Glue
    • fully-managed, ETL service that automates the time-consuming steps of data preparation for analytics
  • Amazon OpenSearch Service
    • (New in V2.1) Use specialized data stores based on access patterns.
    • Provides search, log analytics, and real-time application monitoring.

Networking

  • Does not cover much networking or designing networks, but be sure you understand VPC, Subnets, Routes, Security Groups, etc.

AWS Cloud Computing Whitepapers

Deprecated/Removed Services (No Longer in DVA-C02 Scope)

  • AWS Copilot CLI – Reached end-of-support on June 12, 2026. Use ECS Express Mode or AWS CDK for containerized deployments instead. Removed from exam scope in December 2024 revision.
  • Amazon CodeGuru – End of support November 20, 2025. Functionality replaced by Amazon Q Developer for code reviews and security scanning. Removed from exam scope in December 2024 revision.

On the Exam Day

  • Make sure you are relaxed and get some good night’s sleep. The exam is not tough if you are well-prepared.
  • If you are taking the AWS Online exam
    • Try to join at least 30 minutes before the actual time as I have had issues with both PSI and Pearson with long wait times.
    • The online verification process does take some time and usually, there are glitches.
    • Remember, you would not be allowed to take the take if you are late by more than 30 minutes.
    • Make sure you have your desk clear, no hand-watches, or external monitors, keep your phones away, and nobody can enter the room.

Finally, All the Best 🙂

AWS Certified Security – Specialty (SCS-C01) Exam Learning Path

AWS Certified Security - Specialty SCS-C01 Certificate

AWS Certified Security – Specialty (SCS-C03) Exam Learning Path

⚠️ EXAM VERSION UPDATE

AWS Certified Security – Specialty SCS-C01 was retired on July 10, 2023. SCS-C02 replaced it on July 11, 2023, and was subsequently replaced by SCS-C03 on December 2, 2025.

This post has been updated to reflect the current SCS-C03 exam content, domains, and in-scope services.

The AWS Certified Security – Specialty (SCS-C03) validates your ability to effectively secure workloads and architectures on AWS. The exam tests your knowledge of threat detection, incident response, infrastructure security, identity and access management, data protection, and security governance.

AWS Certified Security – Specialty (SCS-C03) Exam Content

  • The AWS Certified Security – Specialty (SCS-C03) exam validates:
    • An understanding of specialized data classifications and AWS data protection mechanisms.
    • An understanding of data-encryption methods and AWS mechanisms to implement them.
    • An understanding of secure Internet protocols and AWS mechanisms to implement them.
    • The ability to design and implement security controls for cloud workloads including generative AI applications.
  • A working knowledge of AWS security services and features of services to provide a secure production environment.
  • Competency gained from two or more years of production deployment experience using AWS security services and features.
  • The ability to make tradeoff decisions with regard to cost, security, and deployment complexity given a set of application requirements.
  • An understanding of security operations and risks.

Refer to AWS Certified Security – Specialty (SCS-C03) Exam Guide

AWS Certified Security – Specialty (SCS-C03) Exam Domains

Domain % of Exam
Domain 1: Detection 16%
Domain 2: Incident Response 14%
Domain 3: Infrastructure Security 18%
Domain 4: Identity and Access Management 20%
Domain 5: Data Protection 18%
Domain 6: Security Foundations and Governance 14%

AWS Certified Security – Specialty (SCS-C03) Exam Summary

  • Specialty exams are tough, lengthy, and tiresome. Most of the questions and answers options have a lot of prose and a lot of reading that needs to be done, so be sure you are prepared and manage your time well.
  • SCS-C03 exam has 65 questions to be solved in 170 minutes which gives you roughly 2 1/2 minutes to attempt each question.
  • SCS-C03 exam includes two types of questions, multiple-choice and multiple-response.
  • SCS-C03 has a scaled score between 100 and 1,000. The scaled score needed to pass the exam is 750.
  • Specialty exams currently cost $300 + tax.
  • You can get an additional 30 minutes if English is your second language by requesting Exam Accommodations. It is helpful for Professional and Specialty exams.
  • As always, mark the questions for review and move on and come back to them after you are done with all.
  • Having a rough architecture or mental picture of the setup helps focus on the areas that you need to improve. You will be able to eliminate 2 answers for sure and then need to focus on only the other two.
  • AWS exams can be taken either remotely or at a test center. Just make sure you have a proper place to take the exam with no disturbance and nothing around you.
  • If you are taking the AWS Online exam, try to join at least 30 minutes before the actual time as there can be long wait times with PSI and Pearson VUE.

AWS Certified Security – Specialty (SCS-C03) Exam Resources

AWS Certified Security – Specialty (SCS-C03) Exam Topics

  • AWS Certified Security – Specialty (SCS-C03) exam focuses heavily on Detection, Incident Response, Infrastructure Security, IAM, Data Protection, and Security Governance involving Data Encryption at rest or in transit, Data protection, Auditing, Compliance and regulatory requirements, and automated remediation.
  • SCS-C03 adds emphasis on generative AI security (GenAI OWASP Top 10 for LLM Applications), OCSF format integration, and inter-resource encryption.

Security, Identity & Compliance

  • Identity and Access Management (IAM)
    • IAM Roles to grant the service, users temporary access to AWS services.
      • IAM Role can be used to give cross-account access and usually involves creating a role within the trusting account with a trust and permission policy and granting the user in the trusted account permissions to assume the trusting account role.
    • Identity Providers & Federation to grant external user identity (SAML or Open ID compatible IdPs) permissions to AWS resources without having to be created within the AWS account.
    • IAM Policies help define who has access & what actions can they perform.
  • AWS IAM Identity Center (formerly AWS SSO)
    • is the recommended way to manage human access to multiple AWS accounts.
    • provides centralized workforce identity management with support for SAML 2.0, SCIM, and built-in identity store.
    • uses Permission Sets to define access levels for users/groups across AWS accounts.
    • integrates with AWS Organizations for multi-account access management.
    • supports external identity providers (Okta, Microsoft Entra ID, Google Workspace).
    • eliminates the need for long-term static access keys for human users.
  • Deep dive into Key Management Service (KMS). There would be quite a few questions on this.
    • is a managed encryption service that allows the creation and control of encryption keys to enable data encryption.
    • uses Envelope Encryption which uses a master key to encrypt the data key, which is then used to encrypt the data.
    • Understand how KMS works
    • Understand IAM Policies, Key Policies, Grants to grant access.
      • Key policies are the primary way to control access to KMS keys. Unless the key policy explicitly allows it, you cannot use IAM policies to allow access to a KMS key.
    • are regional, however, supports multi-region keys, which are KMS keys in different AWS Regions that can be used interchangeably.
    • KMS Multi-region keys
      • are AWS KMS keys in different AWS Regions that can be used interchangeably.
      • are not global and each multi-region key needs to be replicated and managed independently.
    • Understand the difference between CMK with generated and imported key material esp. in rotating keys. SCS-C03 explicitly tests understanding of differences between imported key material and AWS-generated key material.
    • KMS usage with VPC Endpoint which ensures the communication between the VPC and KMS is conducted entirely within the AWS network.
    • KMS ViaService condition
    • Supports automatic key rotation for customer managed keys (rotates every year by default, configurable rotation period).
  • CloudHSM
    • is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.
    • provides FIPS 140-2 Level 3 validated HSMs.
  • AWS Certificate Manager (ACM)
    • helps provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services.
    • to use an ACM Certificate with CloudFront, the certificate must be in the US East (N. Virginia) region.
    • is regional and you need to request certificates in all regions and associate individually.
    • does not support EC2 instances and private keys cannot be exported.
  • AWS Private Certificate Authority (Private CA)
    • is a managed private CA service for issuing and managing private certificates.
    • supports creating certificate hierarchies (root and subordinate CAs).
    • integrates with ACM for deployment of private certificates to AWS services.
    • is in-scope for SCS-C03 for managing encryption keys and certificates across single or multiple regions.
  • AWS Secrets Manager
    • protects secrets needed to access applications, services, etc.
    • enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
    • supports automatic rotation of credentials for RDS, DocumentDB, Redshift, and custom Lambda rotation functions.
  • Secrets Manager vs Systems Manager Parameter Store
    • Secrets Manager supports automatic rotation while SSM Parameter Store does not.
    • Parameter Store is cost-effective as compared to Secrets Manager.
  • Amazon GuardDuty
    • is a threat detection service that continuously monitors the AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
    • supports CloudTrail S3 data events and management event logs, DNS logs, EKS audit logs, VPC flow logs, RDS login activity, Lambda network activity, and Runtime Monitoring.
    • GuardDuty Malware Protection scans EBS volumes attached to EC2 instances and container workloads for malware.
    • GuardDuty Malware Protection for S3 scans newly uploaded objects in S3 buckets.
    • GuardDuty Runtime Monitoring provides runtime threat detection for EC2, EKS, ECS/Fargate workloads.
    • GuardDuty Extended Threat Detection uses AI/ML to correlate findings into attack sequences for EC2 and ECS.
  • Amazon Inspector
    • is an automated vulnerability management service that continuously scans AWS workloads for software vulnerabilities and unintended network exposure.
    • automatically discovers and scans EC2 instances, container images in ECR, and Lambda functions.
    • calculates a contextualized risk score using CVE information, network access, and exploitability.
    • supports code scanning (SAST, SCA) and Infrastructure as Code (IaC) scanning with GitHub/GitLab integration.
  • Amazon Detective
    • makes it easier to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities.
    • automatically collects log data from AWS resources and uses machine learning, statistical analysis, and graph theory.
    • integrates with GuardDuty findings, Security Hub, and Security Lake.
    • supports automated IAM investigations to determine if a principal is involved in a security event.
    • can access up to a year of historical event data with visualizations.
  • Amazon Macie
    • is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in S3.
    • can detect PII, financial data, credentials, and custom data identifiers.
  • Amazon Security Lake
    • automatically centralizes security data from AWS environments, SaaS providers, on-premises, and cloud sources into a purpose-built data lake.
    • uses the Open Cybersecurity Schema Framework (OCSF) to normalize and standardize security data.
    • natively collects CloudTrail management events, VPC Flow Logs, Route 53 Resolver query logs, and Security Hub findings.
    • integrates with Amazon Athena, OpenSearch, and third-party SIEM tools for analysis.
    • is explicitly tested in SCS-C03 Domain 1 (Detection) for creating metrics and dashboards to detect anomalous data.
  • AWS Artifact is a central resource for compliance-related information that provides on-demand access to AWS’ security and compliance reports and select online agreements.
  • AWS Shield & Shield Advanced
    • for DDoS protection and integrates with Route 53, CloudFront, ALB, and Global Accelerator.
  • AWS WAF
    • protects from common attack techniques like SQL injection and XSS.
    • integrates with CloudFront, ALB, API Gateway, AppSync, Cognito User Pools, App Runner, and Verified Access.
    • supports Web ACLs and can block traffic based on IPs, Rate limits, and specific countries.
    • supports managed rule groups from AWS and AWS Marketplace sellers (including third-party WAF rules for SCS-C03).
    • logs can be sent to CloudWatch Logs, S3 bucket, or Kinesis Data Firehose.
  • AWS Security Hub
    • is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.
    • consolidates findings from GuardDuty, Inspector, Macie, Firewall Manager, IAM Access Analyzer, and third-party tools.
    • supports security standards: AWS Foundational Security Best Practices, CIS AWS Foundations Benchmark, PCI DSS.
  • AWS Network Firewall is a stateful, fully managed, network firewall and intrusion detection and prevention service (IDS/IPS) for VPCs.
  • AWS Resource Access Manager helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs).
  • AWS Audit Manager to map your compliance requirements to AWS usage data with prebuilt and custom frameworks and automated evidence collection.
  • Amazon Cognito esp. User Pools and Identity Pools for authentication and authorization.
  • AWS Firewall Manager helps centrally configure and manage firewall rules across accounts and applications in AWS Organizations which includes WAF, Shield Advanced, VPC security groups, Network Firewall, and Route 53 Resolver DNS Firewall.

Networking & Content Delivery

  • Virtual Private Cloud – VPC
    • Security Groups, NACLs
      • NACLs are stateless, Security groups are stateful
      • NACLs at subnet level, Security groups at the instance level
      • NACLs need to open ephemeral ports for response traffic.
    • VPC Gateway Endpoints to provide access to S3 and DynamoDB
    • VPC Interface Endpoints or PrivateLink provide access to a variety of services like SQS, Kinesis, or Private APIs exposed through NLB.
    • VPC Peering
      • to enable communication between VPCs within the same or different regions.
      • Route tables need to be configured on either VPC for them to be able to communicate.
    • VPC Flow Logs help capture information about the IP traffic going to and from network interfaces in the VPC.
    • NAT Gateway provides managed NAT service with high availability and bandwidth.
    • VPC Network Access Analyzer helps identify unintended network access to resources by analyzing network reachability conditions.
  • AWS Verified Access
    • provides secure, VPN-less access to corporate applications using Zero Trust principles.
    • evaluates each request based on user identity and device health rather than network location.
    • uses Cedar policy language for fine-grained access policies.
    • supports HTTP/HTTPS applications and non-HTTP(S) protocols (SSH, RDP, JDBC/ODBC) since 2025.
    • integrates with identity providers and device trust providers.
    • is in-scope for SCS-C03 under Networking and Content Delivery.
  • Virtual Private Network – VPN & Direct Connect to establish connectivity between an on-premises data center and VPC.
    • IPSec VPN over Direct Connect to provide secure connectivity.
    • AWS Site-to-Site VPN is in-scope for SCS-C03.
  • AWS Transit Gateway
    • acts as a hub to connect VPCs and on-premises networks through a central gateway.
    • is in-scope for SCS-C03 for network security design patterns.
  • CloudFront
  • Route 53
    • is a highly available and scalable DNS web service.
    • Resolver Query logging logs queries from VPCs, on-premises resources using inbound/outbound resolvers. Can be logged to CloudWatch Logs, S3, and Kinesis Data Firehose.
    • Route 53 DNSSEC secures DNS traffic and helps protect from DNS spoofing attacks.
    • Route 53 Resolver DNS Firewall allows filtering and regulating outbound DNS traffic for VPCs.
  • Elastic Load Balancer
    • End to End encryption
      • NLB with TCP listener as pass through and terminating SSL on the EC2 instances
      • ALB with SSL termination and HTTPS between ALB and EC2 instances
  • Gateway Load Balancer – GWLB
    • helps deploy, scale, and manage virtual appliances, such as firewalls, IDS/IPS systems, and deep packet inspection systems.

Management & Governance Tools

  • CloudWatch
    • CloudWatch Logs
      • CloudWatch Logs data protection policies can automatically mask sensitive data (PII, credentials) in log events (new in SCS-C03).
    • CloudWatch Subscription Filters and their integration with other services.
    • EventBridge (formerly CloudWatch Events) for real-time event-driven security automation.
  • CloudTrail for audit and governance
    • CloudTrail can be enabled for all regions and supports log file integrity validation.
    • With Organizations, the trail can be configured to log CloudTrail from all accounts to a central account.
    • CloudTrail Lake provides a managed data lake for querying CloudTrail events using SQL. In-scope for SCS-C03.
    • CloudTrail Insights detects unusual operational activity in your account.
  • AWS Config
    • AWS Config rules can alert for any changes and check the history of changes. Can check approved AMIs compliance.
    • allows remediation of noncompliant resources using AWS Systems Manager Automation documents.
    • AWS Config → EventBridge → Lambda/SNS
  • CloudTrail vs Config
    • CloudTrail provides the WHO and Config provides the WHAT.
  • Systems Manager
    • Parameter Store provides secure, scalable, centralized, hierarchical storage for configuration data and secret management.
    • Systems Manager Patch Manager helps select and deploy operating system and software patches across EC2 or on-premises instances.
    • Systems Manager Run Command provides safe, secure remote management of instances at scale.
    • Session Manager provides secure and auditable instance management without opening inbound ports or managing SSH keys.
  • AWS Organizations
    • is an account management service for consolidating multiple AWS accounts into a centrally managed organization.
    • can configure Organization Trail to centrally log all CloudTrail logs.
    • Service Control Policies (SCPs)
      • act as guardrails and specify the services and actions that users and roles can use.
      • are similar to IAM permission policies except that they don’t grant any permissions.
    • Resource Control Policies (RCPs) — new policy type that controls maximum permissions on resources in your organization.
  • AWS Trusted Advisor
    • inspects the AWS environment to make recommendations for performance, cost savings, availability, and security.
  • CloudFormation
    • Deletion Policy to prevent, retain, or backup RDS, EBS Volumes.
    • Stack policy can prevent stack resources from being unintentionally updated or deleted during a stack update.
  • Control Tower
    • to setup, govern, and secure a multi-account environment.
    • strongly recommended guardrails cover EBS encryption.

Storage & Databases

Compute

  • EC2 access using IAM Role, Lambda using the Execution role & ECS using the Task role.
  • EC2 Instance Metadata Service version 2 (IMDSv2) and enforcement of the same. IMDSv2 uses session-oriented requests to protect against SSRF attacks.
  • EC2 Image Builder for creating hardened AMIs and container images with embedded security controls (in-scope for SCS-C03).
  • Amazon EKS security — Pod security, IRSA (IAM Roles for Service Accounts), EKS Pod Identity.

Generative AI Security (New in SCS-C03)

  • Amazon Bedrock Security
    • Bedrock Guardrails to filter harmful content, prevent prompt injection, and enforce responsible AI policies.
    • Data encryption at rest and in transit for model interactions.
    • VPC endpoints for private connectivity to Bedrock.
    • IAM policies for fine-grained access control to foundation models.
  • GenAI OWASP Top 10 for LLM Applications — SCS-C03 explicitly tests implementing protections against LLM vulnerabilities including prompt injection, data leakage, and insecure output handling.
  • Amazon Q security — access controls, data permissions, and guardrails for Q Business and Q Developer.

Integration Tools

  • Know how CloudWatch integration with SNS and Lambda can help in notification and automated remediation.
  • Amazon SNS message data protection can mask or block sensitive data in messages (in-scope for SCS-C03 data protection).

Whitepapers and Articles

On the Exam Day

  • Make sure you are relaxed and get some good night’s sleep. The exam is not tough if you are well-prepared.
  • If you are taking the AWS Online exam
    • Try to join at least 30 minutes before the actual time as there can be long wait times.
    • The online verification process does take some time and usually, there are glitches.
    • Remember, you would not be allowed to take the exam if you are late by more than 30 minutes.
    • Make sure you have your desk clear, no hand-watches, or external monitors, keep your phones away, and nobody can enter the room.

Finally, All the Best 🙂

AWS Certified Solutions Architect – Professional (SAP-C02) Exam Learning Path

AWS Certified Solutions Architect - Professional Exam Certificate

AWS Certified Solutions Architect – Professional (SAP-C02) Exam Learning Path

  • AWS Certified Solutions Architect – Professional (SAP-C02) exam is the upgraded pattern of the previous Solution Architect – Professional SAP-C01 exam and was released in Nov. 2022.
  • SAP-C02 is quite similar to SAP-C01 but has included some new services.
  • SAP-C02 remains the current version as of 2026 — AWS has not announced a successor exam version.

AWS Certified Solutions Architect – Professional (SAP-C02) Exam Content

  • AWS Certified Solutions Architect – Professional (SAP-C02) exam validates the ability to complete tasks within the scope of the AWS Well-Architected Framework
    • Design for organizational complexity
    • Design for new solutions
    • Continuously improve existing solutions
    • Accelerate workload migration and modernization

Refer to AWS Certified Solutions Architect – Professional Exam Guide

AWS Certified Solutions Architect - Professional Exam Domains

AWS Certified Solutions Architect – Professional (SAP-C02) Exam Resources

AWS Certified Solutions Architect – Professional (SAP-C02) Exam Summary

  • Professional exams are tough, lengthy, and tiresome. Most of the questions and answers options have a lot of prose and a lot of reading that needs to be done, so be sure you are prepared and manage your time well.
  • Each solution involves multiple AWS services.
  • AWS Certified Solutions Architect – Professional (SAP-C02) exam has 65 questions to be solved in 170 minutes.
  • SAP-C02 exam includes two types of questions, multiple-choice and multiple-response.
  • SAP-C02 has a scaled score between 100 and 1,000. The scaled score needed to pass the exam is 750.
  • Each question mainly touches multiple AWS services.
  • Professional exams currently cost $ 300 + tax.
  • You can get an additional 30 minutes if English is your second language by requesting Exam Accommodations. It might not be needed for Associate exams but is helpful for Professional and Specialty ones.
  • As always, mark the questions for review and move on and come back to them after you are done with all.
  • As always, having a rough architecture or mental picture of the setup helps focus on the areas that you need to improve. Trust me, you will be able to eliminate 2 answers for sure and then need to focus on only the other two. Read the other 2 answers to check the difference area and that would help you reach the right answer or at least have a 50% chance of getting it right.
  • AWS exams can be taken either remotely or online, I prefer to take them online as it provides a lot of flexibility. Just make sure you have a proper place to take the exam with no disturbance and nothing around you.
  • Also, if you are taking the AWS Online exam for the first time try to join at least 30 minutes before the actual time as I have had issues with both PSI and Pearson with long wait times.

AWS Certified Solutions Architect – Professional (SAP-C02) Exam Topics

AWS Certified Solutions Architect – Professional (SAP-C02) focuses a lot on concepts and services related to Architecture & Design, Scalability, High Availability, Disaster Recovery, Migration, Security, and Cost Control.

Storage

  • Simple Storage Service – S3
    • S3 Permissions & S3 Data Protection
      • S3 bucket policies to control access to VPC Endpoints and provide cross-account access.
    • S3 Storage Classes & Lifecycle policies
      • covers S3 Standard, Infrequent access, intelligent tier, and Glacier for archival and object transitions & deletions for cost management.
      • S3 Express One Zone (launched Nov 2023) — a high-performance storage class that delivers up to 10x faster data access with single-digit millisecond latency. Ideal for frequently accessed data and latency-sensitive workloads. Data is stored in a single Availability Zone.
    • S3 Performance
    • S3 Security
      • S3 supports encryption using KMS
      • S3 supports Object Lock and Glacier supports Vault lock to prevent the deletion of objects, especially required for compliance requirements.
      • CORS allows client web applications loaded in one domain access to the restricted resources to be requested from another domain.
    • S3 supports the same and cross-region replication for disaster recovery.
    • S3 Access Logs enable tracking access requests to an S3 bucket.
    • supports S3 Select feature to query selective data from a single object.
    • S3 Event Notification enables notifications to be triggered when certain events happen in the bucket and support SNS, SQS, Lambda, and EventBridge as the destination.
  • Elastic Block Store
    • EBS Backup using snapshots for HA and Disaster recovery
    • Data Lifecycle Manager can be used to automate the creation, retention, and deletion of snapshots taken to back up the EBS volumes.
  • Storage Gateway
    • supports File Gateways and Volume Gateways
    • File Gateways provides a file interface into S3 and allows storing and retrieving of objects in S3 using industry-standard file protocols such as NFS and SMB.
  • Elastic File System – EFS
    • provides fully managed, scalable, serverless, shared, and cost-optimized file storage for use with AWS and on-premises resources.
    • supports cross-region replication for disaster recovery
    • supports storage classes like S3
    • supports only Linux-based AMIs
  • AWS Transfer Family
    • provides a secure transfer service (FTP, SFTP, FTPs) that helps transfer files into and out of AWS storage services.
    • supports transferring data from or to S3 and EFS.
  • FSx for Lustre
    • managed, cost-effective service to launch and run the HPC high-performance Lustre file system.
  • FSx for Windows File Server
    • fully managed Windows native file system built on Windows Server with full SMB support.
    • supports Multi-AZ deployment for high availability.
  • AWS Backup
    • centrally manage and automate backups across AWS services including EBS, RDS, DynamoDB, EFS, FSx, and S3.
    • supports cross-region and cross-account backup for disaster recovery.
    • AWS Backup Vault Lock provides WORM (Write-Once-Read-Many) protection for compliance.
  • Understand different use cases for S3 vs EBS vs EFS

Database

  • DynamoDB
    • provides a fully managed NoSQL database service with fast and predictable performance with seamless scalability.
    • supports following capacity modes
      • Provisioned – the maximum amount of capacity in terms of reads/writes per second that an application can consume from a table or index
      • On-demand – serves thousands of requests per second without capacity planning.
    • DynamoDB Auto Scaling can be used to handle peaks or bursts.
    • DynamoDB Streams for tracking changes
    • TTL to expire objects automatically and cost-effectively.
    • Global tables for multi-master, active-active inter-region storage needs.
    • Global tables do not support strong global consistency
    • DynamoDB Accelerator – DAX for seamless caching to reduce the load on DynamoDB for read-heavy requirements.
  • RDS
    • supports cross-region read replicas ideal for disaster recovery with low RTO and RPO.
    • provides RDS proxy for effective database connection pooling
    • RDS Multi-AZ vs Read Replicas
    • RDS Blue/Green Deployments — enables safer database updates by creating a staging environment (green) that mirrors the production environment (blue), allowing testing before switchover with minimal downtime.
  • Aurora
    • fully managed, MySQL- and PostgreSQL-compatible, relational database engine
    • Aurora Serverless provides on-demand, autoscaling configuration (Aurora Serverless v2 is the current version with instant scaling).
    • Aurora Global Database consists of one primary AWS Region where the data is mastered, and up to five read-only, secondary AWS Regions.
    • Aurora PostgreSQL Limitless Database (GA Oct 2024) — enables horizontal scaling beyond a single writer instance, supporting millions of write transactions per second and petabytes of data while maintaining transactional consistency.
  • Amazon Aurora DSQL (GA May 2025)
    • serverless, distributed SQL database with active-active high availability and multi-Region strong consistency.
    • provides virtually unlimited scale with zero infrastructure management.
    • ideal for always-available applications requiring strong consistency across regions (unlike DynamoDB Global Tables which offer eventual consistency).
  • Understand DynamoDB Global Tables vs Aurora Global Databases
  • DocumentDB as a replacement for MongoDB
  • Keyspaces as a replacement for Cassandra
  • ElastiCache for in-memory caching (Redis or Memcached)

Data Migration & Transfer

  • Cloud Migration Services
    • Cloud Migration (hint: make sure you understand the difference between rehost, replatform, and rearchitect)
    • AWS Application Migration Service (MGN) — the primary migration service for lift-and-shift migrations to AWS (replaced the deprecated AWS Server Migration Service).
      • ⚠️ Note: AWS Server Migration Service (SMS) was deprecated in March 2022. Use AWS Application Migration Service (MGN) instead.
      • MGN now operates as part of AWS Transform (launched May 2025) for automated replication, conversion, and cutover.
    • Database Migration Service
      • enables quick and secure data migration with minimal to zero downtime
      • supports Full and Change Data Capture – CDC migration to support continuous replication for zero downtime migration.
      • homogeneous migrations such as Oracle to Oracle, as well as heterogeneous migrations (using SCT) between different database platforms, such as Oracle or Microsoft SQL Server to Aurora.
    • Snow Family
      • Ideal for one-time huge data transfers usually for use cases with limited bandwidth from on-premises to AWS.
    • Understand use cases for data transfer using VPN (quick, slow, uses the Internet), Direct Connect (time to set up, private, recurring transfers), Snow Family (moderate time, private, one-time huge data transfers)
  • Application Discovery Service
    • ⚠️ Note: Application Discovery Service is closed to new customers as of November 7, 2025. Use AWS Transform for discovery and migration planning instead.
    • Agent-based can be used for Hyper-V and physical servers
    • Discovery Connector (agentless for VMware) was deprecated November 17, 2025.
  • AWS Transform (launched May 2025)
    • next-generation migration and modernization service replacing AWS Migration Hub (closed to new customers Nov 7, 2025).
    • uses AI-driven automation with specialized agents for discovery, planning, and execution.
    • provides a central location to plan, track, and execute migrations to AWS.
  • AWS DataSync
    • automated data transfer service for moving data between on-premises storage and AWS (S3, EFS, FSx).
    • supports scheduled transfers and data validation.
    • ideal for ongoing, recurring data transfers (vs. Snow Family for one-time bulk transfers).

Networking & Content Delivery

  • VPC – Virtual Private Cloud
    • Security Groups, NACLs
      • NACLs are stateless and need to open ephemeral ports for response traffic.
    • VPC Gateway Endpoints to provide access to S3 and DynamoDB
    • VPC Interface Endpoints or PrivateLink provide access to a variety of services like SQS, Kinesis, or Private APIs exposed through NLB.
    • VPC Peering to enable communication between VPCs within the same or different regions.
    • VPC Peering does not support overlapping CIDRs while PrivateLink does as only the endpoint is exposed.
    • VPC Flow Logs to track network traffic
    • NAT Gateway provides managed NAT service that provides better availability, higher bandwidth, and requires less administrative effort.
  • Amazon VPC Lattice
    • application-level networking service for service-to-service communication across VPCs and accounts.
    • removes the NLB requirement imposed by PrivateLink, supports cross-VPC/cross-account connectivity without CIDR coordination.
    • uses IAM for service-to-service authorization (replaces network-level controls with identity-based access).
    • supports HTTP, HTTPS, gRPC, TLS, and TCP protocols.
    • integrates with ECS, EKS, EC2, and Lambda as targets.
  • Route 53
    • Routing Policies
      • focus on Weighted, Latency, and failover routing policies
      • failover routing provides active-passive configuration for disaster recovery while the others are active-active configurations.
    • Route 53 Resolver
      • Outbound endpoint for AWS -> On-premises DNS query resolution
      • Inbound endpoint for On-premises DNS query resolution
  • CloudFront
    • fully managed, fast CDN service that speeds up the distribution of static, dynamic web or streaming content to end-users.
    • supports Origin Groups for multiple origins providing failover capability with primary and secondary origins.
    • does not support Auto Scaling as an origin
    • supports Geo-restriction
    • supports Lambda@Edge and CloudFront Functions to execute code closer to the user.
    • Lambda@Edge can be used for quick auth checks, and redirect users based on request data.
    • Security can be enhanced by whitelisting CloudFront IPs or adding a custom header in CloudFront and verifying it in ALB.
  • API Gateway
    • supports throttling, caching and helps define usage plans with API keys to identify clients
    • provides regional and edge-optimized endpoint types
    • supports CORS for cross-domain calls.
    • supports authentication mechanisms, such as AWS IAM policies, Lambda authorizer functions, and Amazon Cognito user pools.
    • provide serverless architecture with Lambda.
  • Load Balancer – ELB, ALB and NLB
  • Global Accelerator
    • optimizes the path to applications to keep packet loss, jitter, and latency consistently low.
    • helps improve the performance of the applications by lowering first-byte latency
    • provides 2 static IP addresses
    • does not preserve the client’s IP address with NLB
  • Transit Gateway
    • is a network transit hub that can be used to interconnect VPCs and on-premises networks via Direct Connect or VPN.
    • Transit Gateway is regional and Transit Gateway Peering needs to be configured to peer regional Transit gateways.
  • AWS Cloud WAN
    • managed wide area network (WAN) service for building and operating global networks connecting data centers, branches, and VPCs.
    • uses a declarative core network policy for defining network intent (segments, routing, access control).
    • replaces the legacy Transit VPC architecture with built-in automation, segmentation, and centralized management.
    • supports Service Insertion for integrating inspection appliances (e.g., Network Firewall).
    • managed within AWS Network Manager.
  • Placement Groups
    • Cluster placement group with Enhanced Networking for HPC
    • Spread placement group for fault tolerance and high availability.
  • Direct Connect & VPN
    • provide on-premises to AWS connectivity
    • Understand Direct Connect vs VPN
    • VPN can provide a cost-effective, quick failover for Direct Connect.
    • VPN over Direct Connect provides a secure dedicated connection and requires a public virtual interface.
    • Direct Connect Gateway is a global network device that helps establish connectivity that spans VPCs spread across multiple AWS Regions with a single Direct Connect connection.

Security, Identity & Compliance

  • AWS Identity and Access Management
  • AWS Shield & Shield Advanced
    • for DDoS protection and integrates with Route 53, CloudFront, ALB, and Global Accelerator.
  • AWS WAF
    • protects from common attack techniques like SQL injection and XSS, Conditions based include IP addresses, HTTP headers, HTTP body, and URI strings.
    • integrates with CloudFront, ALB, API Gateway, and AppSync.
    • supports Web ACLs and can block traffic based on IPs, Rate limits, and specific countries as well.
  • AWS Network Firewall
    • managed network firewall service for VPC-level traffic inspection and filtering.
    • provides stateful and stateless inspection, intrusion prevention, and web filtering.
    • integrates with AWS Firewall Manager for centralized management across accounts.
    • commonly used with Transit Gateway for centralized traffic inspection architecture.
  • AWS Verified Access
    • provides secure, VPN-less access to corporate applications using Zero Trust principles.
    • evaluates each access request based on user identity and device security state.
    • supports HTTP/HTTPS and non-HTTP(S) protocols (SSH, RDP, JDBC — GA Feb 2025).
    • eliminates the need for traditional VPN infrastructure for application access.
  • ACM – AWS Certificate Manager
    • helps easily provision, manage, and deploy public and private SSL/TLS certificates
    • is regional and you need to request certificates in all regions and associate individually in all regions.
    • does not provide certificates for EC2 instances.
  • AWS KMS – Key Management Service
    • managed encryption service that allows the creation and control of encryption keys to enable data encryption.
    • KMS Multi-region keys
      • are AWS KMS keys in different AWS Regions that can be used interchangeably – as though having the same key in multiple Regions.
      • are not global and each multi-region key needs to be replicated and managed independently.
  • Secrets Manager
    • helps protect secrets needed to access applications, services, and IT resources.
    • Secrets Manager vs SSM Parameter Store.
      • Secrets Manager supports random generation and automatic rotation of secrets, which is not provided by SSM Parameter Store.
      • Costs more than SSM Parameter Store.
  • Amazon Macie is a data security and data privacy service that uses ML and pattern matching to discover and protect sensitive data in S3.
  • AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.
  • Amazon GuardDuty — intelligent threat detection service that monitors for malicious activity and unauthorized behavior across AWS accounts.
  • Amazon Inspector — automated vulnerability management service that continually scans workloads for software vulnerabilities and unintended network exposure.

Compute

  • EC2
  • Auto Scaling provides the ability to ensure a correct number of EC2 instances are always running to handle the load of the application
  • Lambda
    • offers Serverless computing
    • Lambda running in VPC requires NAT Gateway to communicate with external public services
    • Lambda CPU can be increased by increasing memory only.
    • helps define reserved concurrency limits to reduce the impact
    • Lambda Alias now supports canary deployments
    • Lambda supports docker containers
    • Reserved Concurrency guarantees the maximum number of concurrent instances for the function
    • Provisioned Concurrency provides greater control over the performance of serverless applications and helps keep functions initialized and hyper-ready to respond in double-digit milliseconds.
    • Lambda SnapStart (GA for Python and .NET in Nov 2024) — reduces cold start latency by up to 10x by taking a snapshot of the initialized execution environment. Supports Java, Python, and .NET runtimes.
    • Lambda Response Streaming — enables progressive streaming of response payloads back to clients (supports up to 200 MB payloads). Ideal for generative AI and real-time data processing.
    • Lambda Best Practices esp. handling the database connection code.
  • Step Functions helps developers use AWS services to build distributed applications, automate processes, orchestrate microservices, and create data and machine learning (ML) pipelines.
  • ECS – Elastic Container Service
    • container management service that supports Docker containers
    • supports two launch types
      • EC2 and
      • Fargate which provides the serverless capability
    • ECS Managed Instances (launched 2025) — new compute option between EC2 and Fargate, offering more control than Fargate (GPU support, privileged containers, higher memory) with less management than self-managed EC2.
    • ECS now supports native blue/green, linear, and canary deployment strategies without requiring AWS CodeDeploy.
    • For least privilege, the role should be assigned to the Task.
    • awsvpc network mode gives ECS tasks the same networking properties as EC2 instances.
  • Amazon EKS (Elastic Kubernetes Service)
    • managed Kubernetes service for running containerized workloads at scale.
    • supports EC2, Fargate, and EKS Anywhere (for on-premises/hybrid deployments).
    • in-scope for SAP-C02; understand when to use ECS vs EKS (EKS for Kubernetes portability, ECS for simpler AWS-native container orchestration).

Disaster Recovery

  • Disaster Recovery whitepaper, although outdated, make sure you understand the differences and implementation for each type esp. pilot light, warm standby w.r.t RTO, and RPO.
  • AWS Elastic Disaster Recovery (DRS)
    • minimizes downtime and data loss with fast, reliable recovery of on-premises and cloud-based applications.
    • uses continuous block-level replication and point-in-time recovery.
    • provides RPO in seconds and RTO in minutes.
    • supports DR drills without impacting source servers.
    • now supports AWS Outposts for on-premises DR scenarios.
  • Compute
    • Make components available in an alternate region,
    • Backup and Restore using either snapshots or AMIs that can be restored.
    • Use minimal low-scale capacity running which can be scaled once the failover happens
    • Use fully running compute in active-active configuration with health checks.
    • CloudFormation to create, and scale infra as needed
  • Storage
    • S3 and EFS support cross-region replication
    • DynamoDB supports Global tables for multi-master, active-active inter-region storage needs.
    • Aurora Global Database provides cross-region read replicas and failover capabilities.
    • Aurora DSQL provides active-active multi-Region strong consistency for always-available applications.
    • RDS supports cross-region read replicas which can be promoted to master in case of a disaster. This can be done using Route 53, CloudWatch, and lambda functions.
  • Network
    • Route 53 failover routing with health checks to failover across regions.
    • CloudFront Origin Groups support primary and secondary endpoints with failover.

Management & Governance tools

  • AWS Organizations
  • Systems Manager
    • AWS Systems Manager and its various services like parameter store, patch manager
    • Parameter Store provides secure, scalable, centralized, hierarchical storage for configuration data and secret management. Does not support secrets rotation. Use Secrets Manager instead
    • Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.
    • Patch Manager helps automate the process of patching managed instances with both security-related and other types of updates.
  • CloudWatch
  • Amazon EventBridge (formerly CloudWatch Events)
    • EventBridge is the evolution of CloudWatch Events with additional features like Schema Registry, EventBridge Pipes, and SaaS partner integrations.
    • New features are only added to EventBridge, not CloudWatch Events.
    • supports event-driven architectures, scheduled rules, and cross-account/cross-region event routing.
  • CloudTrail
    • for audit and governance
    • With Organizations, the trail can be configured to log CloudTrail from all accounts to a central account.
  • CloudFormation
    • Handle disaster Recovery by automating the infra to replicate the environment across regions.
    • Deletion Policy to prevent, retain, or backup RDS, EBS Volumes
    • Stack policy can prevent stack resources from being unintentionally updated or deleted during a stack update. Stack Policy only applies for Stack updates and not stack deletion.
    • StackSets helps to create, update, or delete stacks across multiple accounts and Regions with a single operation.
  • Control Tower
    • to setup, govern, and secure a multi-account environment
    • strongly recommended guardrails cover EBS encryption
    • Landing Zone v4.0 (2025) — modular design allowing selective enablement of CloudTrail, Config, and Backup integrations. No longer enforces a mandatory Security OU structure.
    • Controls Dedicated experience (Nov 2025) — allows using 750+ managed controls without deploying a full Control Tower landing zone.
    • supports automatic enrollment of accounts when moved to an Organizational Unit.
  • Service Catalog
    • allows organizations to create and manage catalogues of IT services that are approved for use on AWS with minimal permissions.
  • Trusted Advisor
    • helps with cost optimization and service limits in addition to security, performance and fault tolerance.
  • Compute Optimizer recommends optimal AWS resources for the workloads to reduce costs and improve performance by using machine learning to analyze historical utilization metrics.
  • AWS Budgets to see usage-to-date and current estimated charges from AWS, set limits and provide alerts or notifications.
  • Cost Allocation Tags can be used to organize AWS resources, and cost allocation tags to track the AWS costs on a detailed level.
  • Cost Explorer helps visualize, understand, manage and forecast the AWS costs and usage over time.
  • Amazon WorkSpaces provides a virtual workspace for varied worker types, especially hybrid and remote workers.

Integration Tools

  • SQS in terms of loose coupling and scaling.
    • Difference between SQS Standard and FIFO esp. with throughput and order
    • SQS supports dead letter queues
  • EventBridge integration with SNS and Lambda for notifications and event-driven workflows.
  • Amazon EventBridge Pipes — point-to-point integration between event sources and targets with optional filtering and transformation, without writing Lambda functions.

Analytics

  • Kinesis
  • Amazon Data Firehose (formerly Kinesis Data Firehose, renamed Feb 2024)
    • the easiest way to capture, transform, and deliver data streams.
    • integrates with S3, Redshift, OpenSearch, Splunk, Snowflake, and other 3rd-party analytics services.
  • OpenSearch Service (formerly Elasticsearch) provides a managed search and analytics solution.
    • OpenSearch Serverless — serverless option with scale-to-zero capability (next-gen architecture GA May 2026 with up to 60% cost savings).
    • supports time-series, search, and vector collections (vector collections used for RAG with Amazon Bedrock knowledge bases).
  • Amazon Timestream is a fast, scalable, and serverless time-series database service that makes it easier to store and analyze trillions of events per day.
  • AWS Glue — serverless ETL service for data preparation and integration.
    • Glue Crawlers auto-discover data schemas and populate the Glue Data Catalog.
    • Glue Data Catalog integrates with Athena, Redshift Spectrum, and EMR for querying.
  • Amazon Athena — serverless interactive query service using standard SQL to analyze data in S3.
  • AWS Lake Formation — simplifies building, securing, and managing data lakes on S3 with fine-grained access control.
  • Amazon Connect is an omnichannel cloud contact center.
  • Amazon Pinpoint is a flexible, scalable marketing communications service that helps connects customers over email, SMS, push notifications or voice
  • Amazon Rekognition offers pre-trained and customizable computer vision capabilities to extract information and insights from images and videos
  • Amazon Transcribe for Voice to Text conversion

Architecture & Design Flows

AWS Architecture Patterns for SAP-C02

End-to-end reference architectures with design decisions tested on this exam:

Additional SAP-C02 Architecture Patterns

Performance & Scaling Architecture Patterns

On the Exam Day

  • Make sure you are relaxed and get some good night’s sleep. The exam is not tough if you are well-prepared.
  • If you are taking the AWS Online exam
    • Try to join at least 30 minutes before the actual time as I have had issues with both PSI and Pearson with long wait times.
    • The online verification process does take some time and usually, there are glitches.
    • Remember, you would not be allowed to take the exam if you are late by more than 30 minutes.
    • Make sure you have your desk clear, no hand-watches, or external monitors, keep your phones away, and nobody can enter the room.

Finally, All the Best 🙂

AWS Certified Solutions Architect – Associate SAA-C03 Exam Learning Path

AWS Solutions Architect - Associate Certificate

AWS Certified Solutions Architect – Associate SAA-C03 Exam Learning Path

  • I just cleared the AWS Solutions Architect – Associate SAA-C03 exam with a score of 914/1000.
  • AWS Solutions Architect – Associate SAA-C03 exam is the latest AWS exam released on 30th August 2022 and has replaced the previous AWS Solutions Architect – SAA-C02 certification exam.
  • The SAA-C03 exam continues to be the current version as of June 2026, with enhanced focus on modern AWS services, sustainability considerations, and advanced networking capabilities. Note: AWS announced the SAA-C04 revision rolling out in Q2-Q3 2026 with increased emphasis on resilient architecture design and cost optimization. Both SAA-C03 and SAA-C04 versions remain available until September 30, 2026 (grace period).

AWS Solutions Architect – Associate SAA-C03 Exam Content

  • It basically validates the ability to effectively demonstrate knowledge of how to design, architect, and deploy secure, cost-effective, and robust applications on AWS technologies
  • The exam also validates a candidate’s ability to complete the following tasks:
    • Design solutions that incorporate AWS services to meet current business requirements and future projected needs
    • Design architectures that are secure, resilient, high-performing, and cost-optimized
    • Review existing solutions and determine improvements

Refer AWS Solutions Architect – Associate SAA-C03 Exam Guide

AWS Solutions Architect – Associate SAA-C03 Exam Summary

  • SAA-C03 exam consists of 65 questions in 130 minutes, and the time is more than sufficient if you are well-prepared.
  • SAA-C03 exam includes two types of questions, multiple-choice and multiple-response.
  • SAA-C03 has a scaled score between 100 and 1,000. The scaled score needed to pass the exam is 720.
  • Associate exams currently cost $ 150 + tax.
  • The exam includes 50 scored questions and 15 unscored questions (total 65 questions). The unscored questions are used by AWS to evaluate future exam content.
  • You can get an additional 30 minutes if English is your second language by requesting Exam Accommodations. It might not be needed for Associate exams but is helpful for Professional and Specialty ones.
  • AWS exams can be taken either remotely or online, I prefer to take them online as it provides a lot of flexibility. Just make sure you have a proper place to take the exam with no disturbance and nothing around you.
  • Also, if you are taking the AWS Online exam for the first time try to join at least 30 minutes before the actual time as I have had issues with both PSI and Pearson with long wait times.

🆕 SAA-C04 Exam Update (Announced April 2026)

AWS announced the SAA-C04 revision rolling out Q2-Q3 2026 with the following changes:

  • Increased emphasis on resilient architecture design (now 30% of exam content)
  • Enhanced cost optimization strategies coverage
  • AI/GenAI awareness – Generative AI competency embedded at Professional level; Associate remains focused on core architectural skills
  • Grace period: Both SAA-C03 and SAA-C04 versions active until September 30, 2026

Exam delivery updates (April 2026):

  • AI-assisted identity verification for remote proctoring
  • Score reporting reduced to under 24 hours (from 1-5 business days)
  • ESL exam duration extensions now automatically applied (no separate accommodation request needed in the US)

AWS Solutions Architect – Associate SAA-C03 Exam Resources

AWS Solutions Architect – Associate SAA-C03 Exam Topics

  • SAA-C03 Exam covers the design and architecture aspects in deep, so you must be able to visualize the architecture, even draw them out or prepare a mental picture just to understand how it would work and how different services relate.
  • SAA-C03 exam concepts cover solutions that fall within AWS Well-Architected framework to cover scalable, highly available, cost-effective, performant, and resilient pillars.
  • If you had been preparing for the SAA-C02, SAA-C03 is pretty much similar to SAA-C02 except for the addition of some new services Aurora Serverless, AWS Global Accelerator, FSx for Windows, and FSx for Lustre.
  • New services and features added to exam scope include VPC Lattice, VPC IP Address Manager (IPAM), AWS Network Firewall, Amazon Verified Permissions, and enhanced focus on sustainability and cost optimization.

⚠️ IMPORTANT: AWS SERVICES DEPRECATED / MAINTENANCE MODE

Several AWS services have been deprecated or moved to maintenance mode (updated June 2026):

  • AWS App Mesh – End of support September 30, 2026. Migrate to Amazon VPC Lattice or ECS Service Connect
  • AWS App Runner – Moved to maintenance mode (April 30, 2026). No longer accepting new customers. Consider ECS Fargate, Lambda, or EKS
  • Amazon RDS Custom for Oracle – Entering sunset; end of support March 31, 2027. Migrate to Amazon RDS for Oracle or self-managed EC2
  • Amazon Cloud9 – No longer accepting new customers (July 2024). Use local IDEs with AWS Toolkit or AWS CloudShell
  • AWS CloudTrail Lake – Moved to maintenance mode (May 31, 2026). Use CloudWatch Logs Insights or S3 + Athena

Note: AWS CodeCommit was temporarily de-emphasized in July 2024 but returned to full General Availability in November 2025.

This post has been updated to reflect these changes and include migration guidance.

Networking

  • Virtual Private Network – VPC
    • Create a VPC from scratch with public, private, and dedicated subnets with proper route tables, security groups, and NACLs.
    • Understand what a CIDR is and address patterns.
    • Subnets are public or private depending on whether they can route traffic directly through an Internet gateway
    • Understand how communication happens between the Internet, Public subnets, Private subnets, NAT, Bastion, etc.
    • Bastion (also referred to as a Jump server) can be used to securely access instances in the private subnets.
    • Create two-tier architecture with application in public and database in private subnets
    • Create three-tier architecture with web servers in public, application, and database servers in private. (hint: focus on security group configuration with least privilege)
  • NEW 2025: VPC IP Address Manager (IPAM)
    • Centrally manage and monitor IP addresses across AWS accounts and regions
    • Automate IP address assignments and prevent IP address conflicts
    • Provides visibility into IP address utilization and helps with compliance
    • Essential for large-scale, multi-account AWS deployments
  • Amazon VPC Lattice
    • Application networking service that connects, secures, and monitors service-to-service communications
    • Simplifies microservices connectivity across VPCs, accounts, and compute types
    • Provides Layer 7 load balancing, service discovery, and traffic management
    • Replaces complex service mesh configurations with managed service
    • Ideal migration path from deprecated AWS App Mesh
  • AWS Network Firewall
    • Managed, stateful firewall service for VPC protection
    • Provides deep packet inspection (DPI) and intrusion prevention
    • Supports custom rules and AWS managed threat intelligence
    • Integrates with AWS Firewall Manager for centralized management
    • Essential for compliance and advanced threat protection
  • Security Groups and NACLs
    • Security Groups are Stateful vs NACLs are stateless.
    • Also, only NACLs provide the ability to deny or block IPs
  • NAT Gateway or Instances
    • help enables instances in a private subnet to connect to the Internet.
    • Understand the difference between NAT Gateway & NAT Instance.
    • NAT Gateway is AWS-managed and is scalable and highly available.
  • VPC endpoints
    • enable the creation of a private connection between VPC to supported AWS services and VPC endpoint services powered by PrivateLink using its private IP address without needing an Internet or NAT Gateway.
    • VPC Gateway Endpoints supports S3 and DynamoDB.
    • VPC Interface Endpoints OR Private Links supports others
  • VPN and Direct Connect for on-premises to AWS connectivity
    • VPN provides a quick, cost-effective, secure channel, however, routes through the internet and does not provide consistent throughput
    • Direct Connect provides consistent, dedicated throughput without Internet, however, requires time to set up and is not cost-effective.
  • Understand Data Migration techniques at a high level
    • VPN and Direct Connect for continuous, frequent data transfers.
    • Snow Family is ideal for one-time, cost-effective huge data transfer.
    • Choose a technique depending on the available bandwidth, data transfer needed, time available, encryption, one-time or continuous.
  • CloudFront
    • fully managed, fast CDN service that speeds up the distribution of static, dynamic web, or streaming content to end-users
    • S3 frontend by CloudFront provides low latency, performant experience for global users.
    • provides static and dynamic caching for both AWS and on-premises origin.
  • Global Accelerator
    • optimizes the path to applications to keep packet loss, jitter, and latency consistently low.
    • helps improve the performance by lowering first-byte latency
    • provides 2 static IP address
  • Know CloudFront vs Global Accelerator
  • Route 53
    • highly available and scalable DNS web service.
    • Health checks and failover routing helps provide resilient and active-passive solutions
    • Route 53 Routing Policies and their use cases (hint: focus on weighted, latency, geolocation, failover routing)
  • Elastic Load Balancer
    • Focus on ALB and NLB
    • Differences between ALB vs NLB
      • ALB is layer 7 vs NLB is layer 4
      • ALB provides content-based, host-based, path-based routing
      • ALB provides dynamic port mapping which allows the same tasks to be hosted on the ECS node
      • NLB provides low latency, the ability to scale rapidly, and a static IP address
      • ALB works with WAF while NLB does not.
    • Gateway Load Balancer – GWLB
      • helps deploy, scale, and manage virtual appliances like firewalls, IDS/IPS, and deep packet inspection systems.

Security

  • Identity Access Management – IAM
    • IAM role
      • provides permissions that are not associated with a particular user, group, or service and are intended to be assumable by anyone who needs it.
      • can be used for EC2 application access and Cross-account access
    • IAM identity providers and federation and use cases – Although did not see much in SAA-C03
  • NEW 2025: Amazon Verified Permissions
    • Centrally manage fine-grained permissions and authorization for applications
    • Uses Cedar policy language for defining access control policies
    • Provides scalable, consistent authorization across microservices
    • Integrates with existing identity providers and AWS services
    • Essential for zero-trust architecture implementations
  • Key Management Services – KMS encryption service
  • AWS WAF
    • integrates with CloudFront, and ALB to provide protection against Cross-site scripting (XSS), and SQL injection attacks.
    • provides IP blocking and geo-protection, rate limiting, etc.
  • AWS Shield
    • managed DDoS protection service
    • integrates with CloudFront, ALB, and Route 53
    • Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks
  • AWS GuardDuty
    • managed threat detection service and provides Malware protection
    • Enhanced with machine learning-based threat detection and integration with Security Hub
  • AWS Inspector
    • is a vulnerability management service that continuously scans the AWS workloads for vulnerabilities
    • Now includes container image scanning and enhanced software vulnerability detection
  • AWS Secrets Manager
    • helps protect secrets needed to access applications, services, and IT resources.
    • supports rotations of secrets, which Systems Manager Parameter Stores does not support.
  • Disaster Recovery whitepaper
    • Be sure you know the different recovery types with impact on RTO/RPO.
    • Enhanced focus on cross-region disaster recovery and automated failover strategies

Storage

  • Understand various storage options S3, EBS, Instance store, EFS, Glacier, FSx, and what are the use cases and anti-patterns for each
  • Instance Store
    • is physically attached to the EC2 instance and provides the lowest latency and highest IOPS
  • Elastic Block Storage – EBS
    • EBS volume types and their use cases in terms of IOPS and throughput. SSD for IOPS and HDD for throughput
    • EBS Snapshots
      • Backups are automated, snapshots are manual
      • Can be used to encrypt an unencrypted EBS volume
    • Multi-Attach EBS feature allows attaching an EBS volume to multiple instances within the same AZ only.
    • EBS fast snapshot restore feature helps ensure that the EBS volumes created from a snapshot are fully-initialized at creation and instantly deliver all of their provisioned performance.
  • Simple Storage Service – S3
    • S3 storage classes with lifecycle policies
      • Understand the difference between SA Standard vs SA IA vs SA IA One Zone in terms of cost and durability
      • New S3 Express One Zone storage class for high-performance workloads
    • S3 Data Protection
      • S3 Client-side encryption encrypts data before storing it in S3
    • S3 features including
      • S3 provides cost-effective static website hosting. However, it does not support HTTPS endpoint. Can be integrated with CloudFront for HTTPS, caching, performance, and low-latency access.
      • S3 versioning provides protection against accidental overwrites and deletions. Used with MFA Delete feature.
      • S3 Pre-Signed URLs for both upload and download provide access without needing AWS credentials.
      • S3 CORS allows cross-domain calls
      • S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket.
      • S3 Event Notifications to trigger events on various S3 events like objects added or deleted. Supports SQS, SNS, and Lambda functions.
      • Integrates with Amazon Macie to detect PII data
      • Replication that supports the same and cross-region replication required versioning to be enabled.
      • Integrates with Athena to analyze data in S3 using standard SQL.
  • ⚠️ NOTE: Amazon S3 Glacier (standalone vault-based API) has been superseded by S3 Glacier storage classes. Use S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, or S3 Glacier Deep Archive with S3 lifecycle policies for archival storage.
  • Storage gateway and its different types.
    • Cached Volume Gateway provides access to frequently accessed data while using AWS as the actual storage
    • Stored Volume gateway uses AWS as a backup, while the data is being stored on-premises as well
    • File Gateway supports SMB protocol
  • FSx is easy and cost-effective to launch and run popular file systems.
    • FSx provides two file systems to choose from:
    • Amazon FSx for Windows File Server
      • works with both Linux and Windows
      • provides Windows File System features including integration with Active Directory.
    • Amazon FSx for Lustre
      • for high-performance workloads
      • works with only Linux
    • FSx for NetApp ONTAP and FSx for OpenZFS now available for additional file system options
  • Elastic File System – EFS
    • simple, fully managed, scalable, serverless, and cost-optimized file storage for use with AWS Cloud and on-premises resources.
    • provides shared volume across multiple EC2 instances, while EBS can be attached to a single instance within the same AZ or EBS Multi-Attach can be attached to multiple instances within the same AZ
    • supports the NFS protocol, and is compatible with Linux-based AMIs
    • supports cross-region replication, storage classes for cost.
  • AWS Transfer Family
    • secure transfer service that helps transfer files into and out of AWS storage services using FTP, SFTP and FTPS protocol.
  • Difference between EBS vs S3 vs EFS
  • Difference between EBS vs Instance Store
  • Would recommend referring Storage Options whitepaper, although a bit dated 90% still holds right

Compute

  • Elastic Cloud Compute – EC2
  • Auto Scaling and ELB
    • Auto Scaling provides the ability to ensure a correct number of EC2 instances are always running to handle the load of the application
    • Elastic Load Balancer allows the incoming traffic to be distributed automatically across multiple healthy EC2 instances
  • Autoscaling & ELB
    • work together to provide High Availability and Scalability.
    • Span both ELB and Auto Scaling across Multi-AZs to provide High Availability
    • Do not span across regions. Use Route 53 or Global Accelerator to route traffic across regions.
  • EC2 Instance Purchase Types – Reserved, Scheduled Reserved, On-demand, and Spot and their use cases
    • Reserved instances provide cost benefits for long terms requirements over On-demand instances for continuous persistent load
    • Scheduled Reserved Instances for load with fixed scheduled and time interval
    • Spot instances provide cost benefits for temporary, fault-tolerant, spiky load
    • Savings Plans now preferred over Reserved Instances for flexibility across instance families
  • EC2 Placement Groups
    • Cluster placement groups provide low latency and high throughput communication
    • Spread placement group provides high availability
    • Partition placement groups for distributed workloads like Hadoop and Cassandra
  • Lambda and serverless architecture, its features, and use cases.
    • Lambda integrated with API Gateway to provide a serverless, highly scalable, cost-effective architecture
    • Enhanced with container image support and improved cold start performance
  • Elastic Container Service – ECS with its ability to deploy containers and microservices architecture.
    • ECS role for tasks can be provided through taskRoleArn
    • ALB provides dynamic port mapping to allow multiple same tasks on the same node.
    • ECS Anywhere allows running containers on-premises
  • Elastic Kubernetes Service – EKS
    • managed Kubernetes service to run Kubernetes in the AWS cloud and on-premises data centers
    • ideal for migration of an existing workload on Kubernetes
    • EKS Anywhere and EKS Distro for hybrid deployments
  • Elastic Beanstalk at a high level, what it provides, and its ability to get an application running quickly.

Databases

  • Understand relational and NoSQL data storage options which include RDS, DynamoDB, and Aurora with their use cases
  • Relational Database Service – RDS
    • Read Replicas vs Multi-AZ
      • Read Replicas for scalability, Multi-AZ for High Availability
      • Multi-AZ are regional only
      • Read Replicas can span across regions and can be used for disaster recovery
    • Understand Automated Backups, underlying volume types (which are the same as EBS volume types)
    • RDS Custom for Oracle⚠️ Entering sunset (end of support March 31, 2027). RDS Custom for SQL Server remains available. For Oracle with OS-level access, consider self-managed EC2 or standard RDS for Oracle.
  • Aurora
    • provides multiple read replicas and replicates 6 copies of data across AZs
    • Aurora Serverless
      • provides a highly scalable cost-effective database solution
      • automatically starts up, shuts down, and scales capacity up or down based on the application’s needs.
      • supports only MySQL and PostgreSQL
      • Aurora Serverless v2 with instant scaling and better cost optimization
    • Aurora Global Database for cross-region disaster recovery
  • DynamoDB
    • provides low latency performance, a key-value store
    • is not a relational database
    • DynamoDB DAX provides caching for DynamoDB
    • DynamoDB TTL helps expire data in DynamoDB without any cost or consuming any write throughput.
    • DynamoDB Standard-IA storage class for cost optimization
  • ElastiCache use cases, mainly for caching performance

Integration Tools

  • Simple Queue Service
    • as message queuing service and SNS as pub/sub notification service
    • as a decoupling service and provide resiliency
    • SQS features like visibility, and long poll vs short poll
    • provide scaling for the Auto Scaling group based on the SQS size.
    • SQS Standard vs SQS FIFO difference
      • FIFO provides exactly-once delivery but with low throughput
  • Simple Notification Service – SNS
    • is a web service that coordinates and manages the delivery or sending of messages to subscribing endpoints or clients
    • Fanout pattern can be used to push messages to multiple subscribers
  • Amazon EventBridge for event-driven architectures and cross-service integration

Analytics

  • Redshift as a business intelligence tool
    • Redshift Serverless for automatic scaling and cost optimization
  • Kinesis
    • for real-time data capture and analytics.
    • Integrates with Lambda functions to perform transformations
  • AWS Glue
    • fully-managed, ETL service that automates the time-consuming steps of data preparation for analytics
    • AWS Glue for Ray for distributed data processing
  • Amazon OpenSearch Service (successor to Elasticsearch Service) for search and analytics

Management Tools

  • CloudWatch
    • monitoring to provide operational transparency
    • is extendable with custom metrics
    • CloudWatch -> (Subscription filter) -> Kinesis Data Firehose -> S3
    • CloudWatch Application Insights for automated application monitoring
  • CloudTrail
    • helps enable governance, compliance, and operational and risk auditing of the AWS account.
    • helps to get a history of AWS API calls and related events for the AWS account.
  • CloudFormation
    • easy way to create and manage a collection of related AWS resources, and provision and update them in an orderly and predictable fashion.
  • AWS Config
    • fully managed service that provides AWS resource inventory, configuration history, and configuration change notifications to enable security, compliance, and governance.
  • AWS Systems Manager enhanced with better patch management and automation capabilities

NEW 2025: Sustainability and Cost Optimization

  • AWS Sustainability: Understanding the AWS commitment to net-zero carbon by 2040
    • Carbon footprint tracking and optimization
    • Sustainable architecture patterns
    • Right-sizing resources for environmental impact
  • Enhanced Cost Optimization:
    • AWS Cost Explorer and Cost Anomaly Detection
    • Savings Plans vs Reserved Instances comparison
    • Spot Instance best practices and interruption handling
    • Resource tagging strategies for cost allocation

NEW 2025: Practice Questions for Updated Services

  • VPC Lattice Questions:
    • Q: A company needs to connect microservices across multiple VPCs and AWS accounts with centralized security policies. Which service should they use?
      • A) VPC Peering
      • B) Transit Gateway
      • C) Amazon VPC Lattice ✓
      • D) AWS PrivateLink
  • Network Firewall Questions:
    • Q: Which AWS service provides stateful firewall capabilities with deep packet inspection for VPC traffic?
      • A) Security Groups
      • B) Network ACLs
      • C) AWS WAF
      • D) AWS Network Firewall ✓
  • IPAM Questions:
    • Q: A large enterprise needs to manage IP address allocation across 50+ AWS accounts. Which service provides centralized IP address management?
      • A) VPC DHCP Options
      • B) Amazon VPC IP Address Manager (IPAM) ✓
      • C) Route 53 Resolver
      • D) AWS Config
  • Verified Permissions Questions:
    • Q: Which service provides fine-grained authorization using Cedar policy language?
      • A) AWS IAM
      • B) Amazon Cognito
      • C) Amazon Verified Permissions ✓
      • D) AWS Directory Service
  • Deprecated Services Questions:
    • Q: AWS App Mesh reached end-of-life in September 2026. What is the recommended migration path?
      • A) AWS Service Mesh
      • B) Amazon VPC Lattice ✓
      • C) Application Load Balancer
      • D) AWS Transit Gateway
    • Q: A company is using AWS App Runner to deploy containerized web applications. Given that App Runner moved to maintenance mode in April 2026, which service provides the most similar fully-managed container deployment experience?
      • A) Amazon EC2 with Auto Scaling
      • B) Amazon ECS with Fargate ✓
      • C) AWS Lambda
      • D) Amazon EKS with managed node groups

AWS Whitepapers & Cheatsheets

Important Migration Notes for Deprecated Services

Service Migration Guide (Updated June 2026)

  • AWS App Mesh → Amazon VPC Lattice / ECS Service Connect:
    • VPC Lattice provides simpler service-to-service connectivity
    • ECS Service Connect for ECS-native service mesh capabilities
    • No need for sidecar proxies or complex mesh configuration
    • Built-in security policies and observability
    • Deadline: September 30, 2026
  • AWS App Runner → ECS Fargate / Lambda / EKS:
    • ECS Fargate for containerized workloads with more control
    • Lambda for event-driven, short-duration workloads
    • EKS for Kubernetes-native deployments
    • Status: Maintenance mode from April 30, 2026
  • Amazon RDS Custom for Oracle → RDS for Oracle / EC2:
    • Standard RDS for Oracle if OS-level access not critical
    • Self-managed Oracle on EC2 for full customization
    • Deadline: March 31, 2027
  • AWS CloudTrail Lake → CloudWatch Logs Insights / S3 + Athena:
    • CloudWatch Logs Insights for querying CloudTrail logs
    • S3 with Athena for long-term log analysis at scale
    • Status: No new customers from May 31, 2026
  • Amazon S3 Glacier (standalone) → S3 Glacier Storage Classes:
    • Use S3 Glacier Instant Retrieval for frequent access
    • Use S3 Glacier Flexible Retrieval for standard archival
    • Use S3 Glacier Deep Archive for long-term archival

✅ AWS CodeCommit: Returned to full General Availability (November 2025) after being temporarily de-emphasized. Git LFS support coming Q1 2026, regional expansions Q3 2026.

SAA-C03 Architecture Patterns

On the Exam Day

  • Make sure you are relaxed and get some good night’s sleep. The exam is not tough if you are well-prepared.
  • If you are taking the AWS Online exam
    • Try to join at least 30 minutes before the actual time as I have had issues with both PSI and Pearson with long wait times.
    • The online verification process does take some time and usually, there are glitches.
    • Remember, you would not be allowed to take the take if you are late by more than 30 minutes.
    • Make sure you have your desk clear, no hand-watches, or external monitors, keep your phones away, and nobody can enter the room.
  • Be prepared for scenario-based questions focusing on cost optimization, sustainability considerations, and modern networking architectures.
  • Key Focus Areas for 2026:
    • Service-to-service connectivity patterns (VPC Lattice)
    • Advanced security implementations (Verified Permissions, Network Firewall)
    • Cost optimization strategies (Savings Plans, right-sizing)
    • Sustainability considerations in architecture decisions
    • Migration strategies for deprecated services (App Mesh, App Runner, RDS Custom for Oracle)
    • Resilient architecture design (increased to 30% in SAA-C04)

Finally, All the Best 🙂

June 2026 Update Summary

This post has been updated to reflect the latest AWS certification and service changes. Key additions include: the SAA-C04 exam revision announcement (Q2-Q3 2026 rollout with grace period until Sept 30, 2026), AWS CodeCommit’s return to General Availability (Nov 2025), new service deprecations (App Runner maintenance mode, RDS Custom for Oracle sunset, CloudTrail Lake maintenance mode), and updated exam delivery improvements. The post continues to cover VPC Lattice, IPAM, Network Firewall, Verified Permissions, and essential migration guidance for deprecated services.

AWS Certified Advanced Networking – Specialty ANS-C01 Exam Learning Path

AWS Certified Advanced Networking - Specialty Certificate

AWS Certified Advanced Networking – Specialty ANS-C01 Exam Learning Path

⚠️ EXAM RETIREMENT NOTICE

The AWS Certified Advanced Networking – Specialty (ANS-C01) exam is being retired. The last day to take the exam is August 25, 2026.

Certifications earned prior to the retirement will remain active for the standard three-year period. New AWS Certified Advanced Networking – Specialty certifications will not be issued after the retirement date.

If you plan to take this exam, schedule it before August 25, 2026.

I recently certified/recertified for the AWS Certified Advanced Networking – Specialty (ANS-C01). Frankly, Networking is something that I am still diving deep into and I just about managed to get through. So a word of caution, this exam is inline or tougher than the professional exams, especially for the reason that some of the Networking concepts covered are not something you can get your hands dirty with easily.

AWS Certified Advanced Networking – Specialty ANS-C01 Exam Content

  • AWS Certified Advanced Networking – Specialty (ANS-C01) exam focuses on the AWS Networking concepts. It basically validates
    • Design and develop hybrid and cloud-based networking solutions by using AWS
    • Implement core AWS networking services according to AWS best practices
    • Operate and maintain hybrid and cloud-based network architecture for all AWS services
    • Use tools to deploy and automate hybrid and cloud-based AWS networking tasks
    • Implement secure AWS networks using AWS native networking constructs and services

Refer to AWS Certified Advanced Networking – Specialty Exam Guide AWS Certified Advanced Networking - Specialty ANS-C01 Exam Domains

AWS Certified Advanced Networking – Specialty (ANS-C01) Exam Resources

AWS Certified Advanced Networking – Specialty (ANS-C01) Exam Summary

  • Specialty exams are tough, lengthy, and tiresome. Most of the questions and answers options have a lot of prose and a lot of reading that needs to be done, so be sure you are prepared and manage your time well.
  • ANS-C01 exam has 65 questions to be solved in 170 minutes which gives you roughly 2 1/2 minutes to attempt each question. 65 questions consists of 50 scored and 15 unscored questions.
  • ANS-C01 exam includes two types of questions, multiple-choice and multiple-response.
  • ANS-C01 has a scaled score between 100 and 1,000. The scaled score needed to pass the exam is 750.
  • Each question mainly touches multiple AWS services.
  • Specialty exams currently cost $ 300 + tax.
  • You can get an additional 30 minutes if English is your second language by requesting Exam Accommodations. It might not be needed for Associate exams but is helpful for Professional and Specialty ones.
  • As always, mark the questions for review and move on and come back to them after you are done with all.
  • As always, having a rough architecture or mental picture of the setup helps focus on the areas that you need to improve. Trust me, you will be able to eliminate 2 answers for sure and then need to focus on only the other two. Read the other 2 answers to check the difference area and that would help you reach the right answer or at least have a 50% chance of getting it right.
  • AWS exams can be taken either remotely or online, I prefer to take them online as it provides a lot of flexibility. Just make sure you have a proper place to take the exam with no disturbance and nothing around you.
  • Also, if you are taking the AWS Online exam for the first time try to join at least 30 minutes before the actual time as I have had issues with both PSI and Pearson with long wait times.

AWS Certified Advanced Networking – Specialty (ANS-C01) Exam Topics

  • AWS Certified Networking – Specialty (ANS-C01) exam focuses a lot on Networking concepts involving Hybrid Connectivity with Direct Connect, VPN, Transit Gateway, Direct Connect Gateway, and a bit of VPC, Route 53, ALB, NLB & CloudFront.

Networking & Content Delivery

  • Virtual Private Cloud – VPC
    • Understand VPC, Subnets
    • AWS allows extending the VPC by adding a secondary VPC
    • Understand Security Groups, NACLs
    • VPC Flow Logs
      • help capture information about the IP traffic going to and from network interfaces in the VPC and can help in monitoring the traffic or troubleshooting any connectivity issues
      • NACLs are stateless and how it is reflected in VPC Flow Logs
        • If ACCEPT followed by REJECT, inbound was accepted by Security Groups and ACLs. However, rejected by NACLs outbound
        • If REJECT, inbound was either rejected by Security Groups OR NACLs.
      • Use pkt-dstaddr instead of dstaddr to track the destination address as dstaddr refers to the primary ENI address always and not the secondary addresses.
      • Pattern: VPC Flow Logs -> CloudWatch Logs -> (Subscription) -> Amazon Data Firehose -> S3/OpenSearch.
      • (New – Jun 2026) VPC Flow Logs now supports EC2 resource tags and next-hop interface metadata, simplifying network monitoring by eliminating the need to manually correlate flow log data with resource metadata.
    • DHCP Option Sets esp. how to resolve DNS from both on-premises data center and AWS.
    • VPC Peering
      • helps point-to-point connectivity between 2 VPCs which can be in the same or different regions and accounts.
      • know VPC Peering Limitations esp. it does not allow overlapping CIDRs and transitive routing.
    • Placement Groups determine how the instances are placed on the underlying hardware
    • VRF – Virtual Routing & Forwarding can be used to route traffic to the same customer gateway from multiple VPCs, that can be overlapping.
  • VPC Endpoints
    • VPC Gateway Endpoints for connectivity with S3 & DynamoDB i.e. VPC -> VPC Gateway Endpoints -> S3/DynamoDB.
    • VPC Interface Endpoints or Private Links for other AWS services and custom hosted services i.e. VPC -> VPC Interface Endpoint OR Private Link -> S3/Kinesis/SQS/CloudWatch/Any custom endpoint.
    • S3 gateway endpoints cannot be accessed through VPC Peering, VPN, or Direct Connect. Need HTTP proxy to route traffic.
    • S3 Private Link can be accessed through VPC Peering, VPN, or Direct Connect. Need to use an endpoint-specific DNS name.
    • VPC endpoint policy can be configured to control which S3 buckets can be accessed and the S3 Bucket policy can be used to control which VPC (includes all VPC Endpoints) or VPC Endpoint can access it.
    • (New – Nov 2025) Cross-Region PrivateLink — AWS PrivateLink now supports cross-region connectivity, allowing interface VPC endpoints to connect to AWS services in other Regions within the same partition without needing inter-region peering or Transit Gateway.
    • Private Link Patterns
  • VPC Network Access Analyzer
    • helps identify unintended network access to the resources on AWS.
  • Transit Gateway
    • helps consolidate the AWS VPC routing configuration for a region with a hub-and-spoke architecture.
    • Appliance Mode ensures that network flows are symmetrically routed to the same AZ and network appliance
    • Transit Gateway Connect attachment can be used to connect SD-WAN to AWS Cloud. This supports GRE.
    • Transit Gateways are regional and Peering can connect Transit Gateways across regions.
    • Transit Gateway Network Manager includes events and metrics to monitor the quality of the global network, both in AWS and on-premises.
    • Transit Gateway Flow Logs — enables capturing detailed information such as source/destination IPs, ports, protocol, traffic counters, timestamps, and metadata for all network flows traversing through the Transit Gateway. Can be published to CloudWatch Logs and S3.
    • (New – Nov 2024) Transit Gateway now supports Path MTU Discovery (PMTUD) for both IPv4 and IPv6 protocols, improving performance for large packet workloads.
  • AWS Cloud WAN (New)
    • provides a central dashboard to create a global wide-area network connecting resources across your cloud and on-premises environments.
    • uses a central network policy to define network management and security policies in one location.
    • now supports direct integration with AWS Direct Connect gateways, enabling routes to be advertised directly between Cloud WAN segments and on-premises environments.
    • supports Service Insertion for routing traffic through middlebox appliances (firewalls, IDS/IPS).
    • for organizations with complex multi-region networking needs, Cloud WAN simplifies what would otherwise require multiple Transit Gateways with peering.
  • VPC Routing Priority
  • NAT Gateways
    • for HA, Scalable, Outgoing traffic. Does not support Security Groups or ICMP pings.
    • times out the connection if it is idle for 350 seconds or more. To prevent the connection from being dropped, initiate more traffic over the connection or enable TCP keepalive on the instance with a value of less than 350 seconds.
    • supports Private NAT Gateways for internal communication.
    • (New – Nov 2025) Regional NAT Gateway — a single NAT Gateway that automatically expands and contracts across availability zones based on workload presence, maintaining high availability without needing to deploy one per AZ. Supports Amazon-provided IPs and BYOIP.
  • Amazon VPC Lattice (New)
    • fully managed application networking service for service-to-service and service-to-resource communication across VPCs and accounts.
    • abstracts IP address dependencies — services communicate without direct network routing.
    • provides fine-grained Auth policies using IAM for consistent access controls.
    • supports TCP resources (databases, domain names, IP addresses) across VPCs and accounts via Resource Gateway.
    • eliminates the need for VPC peering, Transit Gateway, or PrivateLink for service mesh connectivity.
    • useful for microservices architectures where services span multiple VPCs/accounts.
  • Virtual Private Network
    • to establish connectivity between the on-premises data center and AWS VPC
  • Direct Connect
    • to establish connectivity between the on-premises data center and AWS VPC and Public Services
    • Direct Connect connections – Dedicated and Hosted connections
    • Understand how to create a Direct Connect connection
      • LOA-CFA provides the details for partners to connect to the AWS Direct Connect location
    • Virtual interfaces options – Private Virtual Interface for VPC resources and Public Virtual Interface for Public Resources
      • Private VIF is for resources within a VPC
      • Public VIF is for AWS public resources
      • Transit VIF is for connecting to Transit Gateways via Direct Connect Gateway
      • Private VIF has a limit of 100 routes and Public VIF of 1000 routes. Summarize the routes if you need to configure more.
    • (New – Jun 2026) VIF Rate Limiters — allows setting a maximum bandwidth allocation for up to 10 VIFs on a dedicated connection, with capacity increments from 50 Mbps to 1.6 Tbps (when using LAG). Rate limiting applies to traffic both ingressing and egressing the AWS network, helping prevent network congestion on shared connections.
    • (New – Mar 2025) CloudWatch VIF Metrics — new metrics for VirtualInterfaceBgpStatus, VirtualInterfaceBgpPrefixesAccepted, and VirtualInterfaceBgpPrefixesAdvertised for monitoring BGP health and prefix counts.
    • Understand setup Private and Public VIF
    • Understand High Availability options based on cost and time i.e. Second Direct Connect connection OR VPN connection
    • Direct Connect Gateway
      • it provides a way to connect to multiple VPCs from an on-premises data center using the same Direct Connect connection.
      • can connect to VGW or TGW.
      • (New – Nov 2024) Direct Connect Gateway can now be attached directly to AWS Cloud WAN core networks, enabling routes to be advertised between Cloud WAN segments and on-premises.
    • Understand Active/Passive Direct Connect
    • supports MACsec which delivers native, near line-rate, point-to-point encryption ensuring that data communications between AWS and the data center, office, or colocation facility remain protected.
    • Understand Route Propagation, propagation priority, BGP connectivity
      • BGP prefers the shortest AS PATH to get to the destination. Traffic from the VPC to on-premises uses the primary router. This is because the secondary router advertises a longer AS-PATH.
      • AS PATH prepending doesn’t work when the Direct Connect connections are in different AWS Regions than the VPC.
      • AS PATH works from AWS to on-premises and Local Pref from on-premises to AWS
      • Use Local Preference BGP community tags to configure Active/Passive when the connections are from different regions. The higher tag has a higher preference for 7224:7300 > 7224:7100
      • NO_EXPORT works only for Public VIFs
      • 7224:9100, 7224:9200, and 7224:9300 apply only to public prefixes. Usually used to restrict traffic to regions. Can help control if routes should propagate to the local Region only, all Regions within a continent, or all public Regions.
        • 7224:9100 — Local AWS Region
        • 7224:9200 — All AWS Regions for a continent, North America–wide, Asia Pacific, Europe, the Middle East and Africa
        • 7224:9300 — Global (all public AWS Regions)
      • 7224:8100 — Routes that originate from the same AWS Region in which the AWS Direct Connect point of presence is associated.
      • 7224:8200 — Routes that originate from the same continent with which the AWS Direct Connect point of presence is associated.
      • No-tag — Global (all public AWS Regions).
  • Route 53
    • provides a highly available and scalable DNS web service.
    • Routing Policies and their use cases Focus on Weighted, Latency, and Failover routing policies.
    • supports Alias resource record sets, which enables routing of queries to a CloudFront distribution, Elastic Beanstalk, ELB, an S3 bucket configured as a static website, or another Route 53 resource record set.
    • CNAME does not support zone apex or root records.
    • Route 53 DNSSEC
      • secures DNS traffic, and helps protect a domain from DNS spoofing man-in-the-middle attacks.
      • Requirements
        • Asymmetric Customer Managed Keys
        • us-east-1 with ECC_NIST_P256 spec
    • Route 53 Resolver DNS Firewall
      • protection for outbound DNS requests from the VPCs and can monitor and control the domains that the applications can query.
      • allows you to define allow and deny list.
      • can be used for DNS exfiltration.
      • supports FirewallFailOpen configuration which determines how Route 53 Resolver handles queries during failures.
        • disabled, favors security over availability and blocks queries that it is unable to evaluate properly.
        • enabled, favors availability over security and allows queries to proceed if it is unable to properly evaluate them.
    • Route 53 Resolver (Hybrid DNS)
      • Inbound Endpoint for On-premises -> AWS
      • Outbound Endpoint for AWS -> On-premises
    • Route 53 DNS Query Logging
      • Can be logged to CloudWatch logs, S3, and Amazon Data Firehose
    • Route 53 Resolver rules take precedence over privately hosted zones.
    • Route 53 Split View DNS helps to have the same DNS to access a site externally and internally
    • Know the Domain Migration process
  • CloudFront
    • provides a fully managed, fast CDN service that speeds up the distribution of static, dynamic web, or streaming content to end-users.
    • supports geo-restriction, WAF & AWS Shield for protection.
    • provides Cloud Functions (Edge location) & Lambda@Edge (Regional location) to execute scripts closer to the user.
    • supports encryption at rest and end-to-end encryption
    • CloudFront Origin Shield
      • helps improve the cache hit ratio and reduce the load on the origin.
      • requests from other regional caches would hit the Origin shield rather than the Origin.
      • should be placed at the regional cache and not in the edge cache
      • should be deployed to the region closer to the origin server
    • (New – Nov 2024) CloudFront VPC Origins
      • allows CloudFront to point directly to ALBs, NLBs, or EC2 instances in private subnets.
      • eliminates the need for public internet access to origins — CloudFront becomes the only entry point.
      • removes need for Origin Access Identity workarounds for non-S3 origins.
      • supports cross-account VPC origin sharing via AWS RAM.
    • (New – 2025) CloudFront Flat-Rate Pricing Plans — combines CDN, WAF, DDoS protection, bot management, Route 53, CloudWatch Logs, edge compute, and S3 storage into tiered monthly plans (Free, Pro $15/mo, Business $200/mo, Premium $1,000/mo).
  • Global Accelerator
    • provides 2 static IPv4 IPs (or 4 addresses with dual-stack: 2 IPv4 + 2 IPv6)
    • (Updated) Global Accelerator now supports dual-stack accelerators with IPv6 for ALB, NLB, and EC2 endpoints, enabling end-to-end IPv6 connectivity.
    • does not support client IP address preservation for NLB and Elastic IP address endpoints.
    • know CloudFront vs Global Accelerator
  • Understand ELB, ALB and NLB
    • Differences between ALB and NLB
    • ALB provides Content, Host, and Path-based Routing while NLB provides the ability to have a static IP address
    • Maintain original Client IP to the backend instances using X-Forwarded-for and Proxy Protocol
    • (Updated – Nov 2023) ALB now supports Mutual TLS (mTLS) — ALB can authenticate clients using X.509 certificates, offloading client certificate verification to the load balancer. Uses Trust Stores to manage CA certificates. Supports both verify mode (validates and passes headers) and passthrough mode.
    • For NLB with mTLS requirements, still use NLB with TCP listener on port 443 and terminate TLS on the instances.
    • (New – Nov 2025) Post-Quantum TLS — Both ALB and NLB now support post-quantum key exchange options (ML-KEM) for TLS, providing protection against future quantum computing threats.
    • NLB
      • also provides local zonal endpoints to keep the traffic within AZ
      • can front Private Link endpoints and provide static IPs.
    • ALB supports Forward Secrecy, through Security Policies, that provide additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key.
    • Supports sticky session feature (session affinity) to enable the LB to bind a user’s session to a specific target. This ensures that all requests from the user during the session are sent to the same target. Sticky Sessions is configured on the target groups.
    • (New – May 2024) Dual-Stack ALB without public IPv4 — internet-facing ALBs can now be provisioned without public IPv4 addresses, enabling IPv6-only client connectivity.
  • Gateway Load Balancer – GWLB
    • helps deploy, scale, and manage virtual appliances, such as firewalls, IDS/IPS systems, and deep packet inspection systems.
  • Athena integrates with S3 only and not with CloudWatch logs.
  • Transit VPC
    • helps connect multiple, geographically disperse VPCs and remote networks in order to create a global network transit center.
    • Use Transit Gateway or AWS Cloud WAN instead now.
  • Know CloudHub and its use case

Security

  • AWS GuardDuty
    • managed threat detection service
    • provides Malware protection
  • AWS Shield
    • managed DDoS protection service
    • AWS Shield Advanced provides 24×7 access to the AWS Shield Response Team (SRT), protection against DDoS-related spike, and DDoS cost protection to safeguard against scaling charges.
    • (New – May 2026) AWS Shield Advanced now supports DDoS attack flow logs for enhanced visibility into attack traffic patterns.
  • WAF as Web Traffic Firewall
    • helps protect web applications from attacks by allowing rules configuration that allow, block, or monitor (count) web requests based on defined conditions.
    • integrates with CloudFront, ALB, API Gateway to dynamically detect and prevent attacks
  • Network Firewall
    • provides IDS/IPS – Stateless and Stateful firewall rules – Allow, Deny, Forward
    • Used with Private Workspaces
    • (Updated – 2025) TLS Inspection Enhancements
      • Session holding for TLS Inspection prevents TCP/TLS establishment packets from reaching servers until SNI-based rules are evaluated.
      • New application layer drop and alert established default stateful actions for modern TLS and large HTTP requests.
      • No additional data processing charges for Advanced Inspection (TLS inspection) — price reduction announced Feb 2026.
    • supports PrivateLink Endpoint analysis in the console dashboard.
  • AWS Inspector
    • is a vulnerability management service that continuously scans the AWS workloads for vulnerabilities
  • AWS Verified Access (New)
    • provides secure, VPN-less access to corporate applications using zero trust principles.
    • evaluates each request based on user identity and device security posture rather than network location.
    • uses Cedar policy language for fine-grained access policies.
    • (Feb 2025) now supports non-HTTP(S) protocols (SSH, RDP) — eliminates need for separate VPN solutions for all application types.
    • achieved FedRAMP High and Moderate authorization (Mar 2025).
    • alternative to traditional VPN for remote workforce access scenarios.

Monitoring & Management Tools

  • Understand AWS CloudFormation esp. in terms of Network creation.
    • Custom resources can be used to handle activities not supported by AWS
    • While configuring VPN connections use depends_on on route tables to define a dependency on other resources as the VPN gateway route propagation depends on a VPC-gateway attachment when you have a VPN gateway.
  • AWS Config
    • fully managed service that provides AWS resource inventory, configuration history, and configuration change notifications to enable security, compliance, and governance.
    • can be used to monitor resource changes e.g. Security Groups and invoke Systems Manager Automation scripts for remediation.
  • CloudTrail for audit and governance

Integration Tools

Networking Architecture Patterns

AWS Certified Advanced Networking – Specialty (ANS-C01) Exam Day

  • Make sure you are relaxed and get some good night’s sleep. The exam is not tough if you are well-prepared.
  • If you are taking the AWS Online exam
    • Try to join at least 30 minutes before the actual time as I have had issues with both PSI and Pearson with long wait times.
    • The online verification process does take some time and usually, there are glitches.
    • Remember, you would not be allowed to take the take if you are late by more than 30 minutes.
    • Make sure you have your desk clear, no hand-watches, or external monitors, keep your phones away, and nobody can enter the room.

Finally, All the Best 🙂

AWS Certified Solutions Architect – Professional (SAP-C01) Exam Learning Path

AWS Certified Solutions Architect - Professional certificate

AWS Certified Solutions Architect – Professional (SAP-C01) Exam Learning Path

⚠️ EXAM RETIRED — SAP-C01 No Longer Available

AWS Certified Solutions Architect – Professional (SAP-C01) was retired on November 14, 2022.

This content is maintained for historical reference only. You can no longer register for or take the SAP-C01 exam.

Current Exam:

SAP-C02 Exam Domains:

  • Domain 1: Design Solutions for Organizational Complexity (26%)
  • Domain 2: Design for New Solutions (29%)
  • Domain 3: Continuous Improvement for Existing Solutions (25%)
  • Domain 4: Accelerate Workload Migration and Modernization (20%)
  • AWS Certified Solutions Architect – Professional (SAP-C01) exam was the upgraded pattern of the previous Solution Architect – Professional exam which was released in the year (2018) and was retired on November 14, 2022, replaced by SAP-C02.
  • I recently recertified the existing pattern and the difference is quite a lot between the previous pattern and the latest pattern. The amount of overlap between the associates and professional exams and even the Solutions Architect and DevOps has drastically reduced.

AWS Certified Solutions Architect – Professional (SAP-C01) exam basically validated

  • Design and deploy dynamically scalable, highly available, fault-tolerant, and reliable applications on AWS
  • Select appropriate AWS services to design and deploy an application based on given requirements
  • Migrate complex, multi-tier applications on AWS
  • Design and deploy enterprise-wide scalable operations on AWS
  • Implement cost-control strategies

Refer to AWS Certified Solutions Architect – Professional (SAP-C01) Exam Guide

AWS Certified Solutions Architect - Professional Exam Domains

AWS Certified Solutions Architect – Professional (SAP-C01) Exam Resources

AWS Certified Solutions Architect – Professional (SAP-C01) Exam Summary

  • AWS Certified Solutions Architect – Professional (SAP-C01) exam was for a total of 170 minutes and it had 75 questions.
  • AWS Certified Solutions Architect – Professional (SAP-C01) focused a lot on concepts and services related to Architecture & Design, Scalability, High Availability, Disaster Recovery, Migration, Security and Cost Control.
  • Each question mainly touches multiple AWS services.
  • Questions and answers options have a lot of prose and a lot of reading that needs to be done, so be sure you are prepared and manage your time well.
  • As always, mark the questions for review and move on and come back to them after you are done with all.
  • As always, having a rough architecture or mental picture of the setup helps focus on the areas that you need to improve. Trust me, you will be able to eliminate 2 answers for sure and then need to focus on only the other two. Read the other 2 answers to check the difference area and that would help you reach the right answer or at least have a 50% chance of getting it right.

📝 Note: The SAP-C02 exam has the same format (75 questions, 180 minutes) but with updated domains and coverage of newer AWS services including VPC Lattice, AWS Verified Access, AWS Network Firewall, Amazon Data Firehose, and EventBridge. See the SAP-C02 Learning Path for current exam preparation.

AWS Certified Solutions Architect – Professional (SAP-C01) Exam Topics

Storage

  • S3
    • S3 Permissions & S3 Data Protection
      • S3 bucket policies to control access to VPC Endpoints
    • S3 Storage Classes & Lifecycle policies
      • covers S3 Standard, Infrequent access, intelligent tier and Glacier for archival and object transitions & deletions for cost management.
    • S3 Transfer Acceleration can be used for fast, easy, and secure transfers of files over long distances between the client and an S3 bucket.
    • supports the same and cross-region replication for disaster recovery.
    • integrates with CloudFront for caching to improve performance
    • S3 supports Object Lock and Glacier supports Vault lock to prevent the deletion of objects, especially required for compliance requirements.
    • supports S3 Select feature to query selective data from a single object.
  • Elastic Block Store
    • EBS Backup using snapshots for HA and Disaster recovery
    • Data Lifecycle Manager can be used to automate the creation, retention, and deletion of snapshots taken to back up the EBS volumes.
  • Storage Gateway
  • Elastic File System
    • provides a fully managed, scalable, serverless, shared and cost-optimized file storage for use with AWS and on-premises resources.
    • supports cross-region replication for disaster recovery
    • supports storage classes like S3
  • AWS Transfer Family
    • provides a secure transfer service (FTP, SFTP, FTPs) that helps transfer files into and out of AWS storage services.
    • supports transferring data from or to S3 and EFS.
  • FSx for Lustre
    • managed, cost-effective service to launch and run the HPC high-performance Lustre file system.

Database

  • DynamoDB
    • DynamoDB Auto Scaling
    • DynamoDB Streams for tracking changes
    • TTL to expire objects automatically and cost-effectively.
    • Global tables for multi-master, active-active inter-region storage needs.
    • Global tables do not support strong global consistency
    • DynamoDB Accelerator – DAX for seamlessly caching to reduce the load on DynamoDB for read-heavy requirements.
  • RDS
    • supports cross-region read replicas ideal for disaster recovery with low RTO and RPO.
    • provides RDS proxy for effective database connection pooling
    • RDS Multi-AZ vs Read Replicas
  • Aurora
    • fully managed, MySQL- and PostgreSQL-compatible, relational database engine
    • supports Aurora Serverless to on-demand, autoscaling configuration
    • Aurora Global Database consists of one primary AWS Region where the data is mastered, and up to five read-only, secondary AWS Regions. It is a multi-master setup but can be used for disaster recovery.
  • DocumentDB as a replacement for MongoDB

Data Migration & Transfer

  • Cloud Migration Services
    • Cloud Migration (hint: make sure you understand the difference between rehost, replatform, and rearchitect)
    • ⚠️ AWS Server Migration Service (SMS) — Discontinued (March 2022). Replaced by AWS Application Migration Service, now rebranded as AWS Transform MGN (June 2026).
    • Database Migration Service
      • enables quick and secure data migration with minimal to zero downtime
      • supports Full and Change Data Capture – CDC migration to support continuous replication for zero downtime migration.
      • homogeneous migrations such as Oracle to Oracle, as well as heterogeneous migrations (using SCT) between different database platforms, such as Oracle or Microsoft SQL Server to Aurora.
      • Hint: Elasticsearch (now OpenSearch) is not supported as a target by DMS
    • Snow Family
      • Ideal for one-time big data transfers usually for use cases with limited bandwidth from on-premises to AWS.
  • Application Discovery Service
    • ⚠️ No longer accepting new customers (Nov 7, 2025). Replaced by AWS Transform.
    • Agent-based can be used for Hyper-V and physical servers
    • Agentless (Discovery Connector — deprecated Nov 17, 2025) can be used for VMware but does not track processes. Replaced by AWS Transform Discovery Tool.
  • Disaster Recovery
    • Disaster Recovery whitepaper, although outdated, make sure you understand the difference between each type esp. pilot light, warm standby w.r.t RTO and RPO.
    • Compute
      • Make components available in an alternate region,
      • either as AMIs that can be restored
      • CloudFormation to create infra as needed
      • partial which can be scaled once the failover happens
      • or fully running compute in active-active confirmation with health checks.
    • Storage
      • S3 and EFS support cross-region replication
      • DynamoDB supports Global tables for multi-master, active-active inter-region storage needs.
      • Aurora Global Database provides a multi-master setup but can be used for disaster recovery.
      • RDS supports cross-region read replicas which can be promoted to master in case of a disaster. This can be done using Route 53, CloudWatch and Lambda functions.
    • Network
      • Route 53 failover routing with health checks to failover across regions.

Networking & Content Delivery

  • VPC – Virtual Private Cloud
    • Understand Security Groups, NACLs (Hint: know NACLs are stateless and need to open ephemeral ports for response traffic )
    • Understand VPC Gateway Endpoints to provide access to S3 and DynamoDB (hint: know how to restrict access on S3 to specific VPC Endpoint)
    • Understand VPC Interface Endpoints or PrivateLink to provide access to a variety of services like SQS, Kinesis or Private APIs exposed through NLB.
    • Understand VPC Flow Logs
    • Understand VPC Peering to enable communication between VPCs within the same or different regions. (hint: VPC peering does not support transitive routing)
  • Route 53
    • Routing Policies
      • focus on Weighted, Latency and failover routing policies
      • failover routing provides active-passive configuration for disaster recovery while the others are active-active configuration.
    • Route 53 Resolver
      • Outbound endpoint for AWS -> On-premises DNS query resolution
      • Inbound endpoint for On-premises DNS query resolution
  • CloudFront
    • fully managed, fast CDN service that speeds up the distribution of static, dynamic web or streaming content to end-users.
    • supports multiple origins including S3, ALB etc.
    • does not support Auto Scaling as an origin
    • supports Geo-restriction
    • supports Lambda@Edge and CloudFront Functions to execute code closer to the user.
    • Lambda@Edge can be used for quick auth checks, and redirect users based on request data.
    • Security can be enhanced by whitelisting CloudFront IPs or adding custom header in CloudFront and verifying it in ALB.
  • API Gateway
    • supports throttling, caching and helps define usage plans with API keys to identify clients
    • provides regional and edge-optimized endpoint types
    • supports authentication mechanisms, such as AWS IAM policies, Lambda authorizer functions, and Amazon Cognito user pools.
  • Load Balancer – ELB, ALB and NLB
  • Global Accelerator
    • optimizes the path to applications to keep packet loss, jitter, and latency consistently low.
    • helps improve the performance of the applications by lowering first-byte latency
    • provides 2 static IP addresses
    • does not preserve the client’s IP address with NLB
  • Transit Gateway or Transit VPC
    • is a network transit hub that can be used to interconnect VPCs and on-premises networks via Direct Connect or VPN.
    • Transit Gateway is regional and Transit Gateway Peering needs to be configured to peer regional Transit gateways.
  • Placement Groups
    • Cluster placement group with Enhanced Networking for HPC
    • Spread placement group for fault tolerance and high availability.
  • Direct Connect & VPN
    • provide on-premises to AWS connectivity
    • know Direct Connect vs VPN
    • VPN can provide a cost-effective, quick failover for Direct Connect.
    • VPN over Direct Connect provides a secure dedicated connection and requires a public virtual interface.
    • Direct Connect Gateway is a global network device that helps establish connectivity that spans VPCs spread across multiple AWS Regions with a single Direct Connect connection.

Security, Identity & Compliance

  • AWS Identity and Access Management
  • AWS Shield & Shield Advanced
    • for DDoS protection and integrates with Route 53, CloudFront, ALB and Global Accelerator.
  • AWS WAF
    • protects from common attack techniques like SQL injection and Cross-Site Scripting (XSS), Conditions based include IP addresses, HTTP headers, HTTP body, and URI strings.
    • integrates with CloudFront, ALB, and API Gateway.
    • supports Web ACLs and can block traffic based on IPs, Rate limits, and specific countries as well.
  • ACM – AWS Certificate Manager
    • helps easily provision, manage, and deploy public and private SSL/TLS certificates
    • is regional and you need to request certificates in all regions and associate individually in all regions.
    • does not provide certificates for EC2 instances.
  • AWS KMS – Key Management Service
    • managed encryption service that allows the creation and control of encryption keys to enable data encryption.
    • KMS Multi-region keys
      • are AWS KMS keys in different AWS Regions that can be used interchangeably – as though having the same key in multiple Regions.
      • are not global and each multi-region key needs to be replicated and managed independently.
  • Secrets Manager
    • helps protect secrets needed to access applications, services, and IT resources.
    • Secrets Manager vs SSM Parameter Store.
      • Supports automatic rotation of secrets, which is not provided by SSM Parameter Store.
      • Costs more than SSM Parameter Store.

Compute

  • EC2
  • Auto Scaling
  • Elastic Beanstalk supports Blue/Green deployment using swap URLs.
  • Lambda
    • Lambda running in VPC requires NAT Gateway to communicate with external public services
    • Lambda CPU can be increased by increasing memory only.
    • helps define reserved concurrency limit to reduce the impact
    • Lambda Alias now supports canary deployments
  • ECS – Elastic Container Service
    • container management service that supports Docker containers
    • supports two launch types – EC2 and Fargate which provides the serverless capability
    • For least privilege, the role should be assigned to the Task.
    • awsvpc network mode gives ECS tasks the same networking properties as EC2 instances.

Management & Governance tools

  • AWS Organizations
  • Systems Manager
    • AWS Systems Manager and its various services like parameter store, patch manager
    • Parameter Store provides secure, scalable, centralized, hierarchical storage for configuration data and secret management. Does not support secrets rotation. Use Secrets Manager.
    • Session Manager helps manage EC2 instances through an interactive one-click browser-based shell or through the AWS CLI without opening ports or creating bastion hosts.
    • Patch Manager helps automate the process of patching managed instances with both security-related and other types of updates.
  • CloudWatch
  • CloudTrail
    • for audit and governance
    • With Organizations, the trail can be configured to log CloudTrail from all accounts to a central account.
  • CloudFormation
    • Handle disaster Recovery by automating the infra to replicate the environment across regions.
    • Deletion Policy to prevent, retain or backup RDS, EBS Volumes
    • Stack policy can prevent stack resources from being unintentionally updated or deleted during a stack update. Stack Policy only applies for Stack updates and not stack deletion.
    • StackSets helps to create, update, or delete stacks across multiple accounts and Regions with a single operation.
  • Control Tower
    • to setup, govern, and secure a multi-account environment
    • strongly recommended guardrails cover EBS encryption
  • Service Catalog
    • allows organizations to create and manage catalogues of IT services that are approved for use on AWS with minimal permissions.
  • Trusted Advisor
    • helps with cost optimization and service limits in addition to security, performance and fault tolerance.
  • Compute Optimizer recommends optimal AWS resources for the workloads to reduce costs and improve performance by using machine learning to analyze historical utilization metrics.
  • AWS Budgets to see usage-to-date and current estimated charges from AWS, set limits and provide alerts or notifications.
  • Cost Allocation Tags can be used to organize AWS resources, and cost allocation tags to track the AWS costs on a detailed level.
  • Cost Explorer helps visualize, understand, manage and forecast the AWS costs and usage over time.

Analytics

  • Kinesis
  • Amazon OpenSearch Service (formerly Amazon Elasticsearch Service, renamed Sept 2021) provides a managed search and analytics solution.
  • Transcribe for Voice to Text conversion

Integration Tools

  • SQS in terms of loose coupling and scaling.
    • Difference between SQS Standard and FIFO esp. with throughput and order
    • SQS supports dead letter queues
  • CloudWatch integration with SNS and Lambda for notifications.

Architecture & Design Flows

GCP Professional Cloud DevOps Engineer Cert Path

Google Cloud Professional Cloud DevOps Engineer Certification

Google Cloud – Professional Cloud DevOps Engineer Certification Learning Path

📋 Last Updated: June 2026 — Updated with current exam guide (5 domains), Cloud Deploy, deprecated services (Cloud Debugger shutdown, Cloud Source Repositories end-of-sale, Container Registry shutdown), GKE Autopilot, Workload Identity Federation, Ops Agent, Managed Service for Prometheus, and OpenTelemetry.

Continuing on the Google Cloud Journey, glad to have passed the 8th certification with the Professional Cloud DevOps Engineer certification. Google Cloud – Professional Cloud DevOps Engineer certification exam focuses on almost all of the Google Cloud DevOps services with Cloud Developer tools, Operations Suite, and SRE concepts.

Google Cloud – Professional Cloud DevOps Engineer Certification Summary

  • Has 50-60 questions to be answered in 2 hours.
  • Certification is valid for 2 years from the date of passing.
  • Covers a wide range of Google Cloud services mainly focusing on DevOps toolset including Cloud Build, Cloud Deploy, Artifact Registry, Cloud Operations Suite with a focus on monitoring and logging, and SRE concepts.
  • The exam is heavily SRE-focused (~28% of the exam) — understanding SLI/SLO/error-budget design, toil reduction, and incident management is essential.
  • The exam covers 5 domains:
    • Applying site reliability engineering principles to a service (~28%)
    • Building and implementing CI/CD pipelines for a service (~24%)
    • Applying service monitoring strategies (~22%)
    • Optimizing service performance (~13%)
    • Managing service incidents (~13%)
  • The exam uses:
    • Cloud Operations (Cloud Monitoring & Logging) and does not refer to Stackdriver.
    • Artifact Registry instead of Container Registry (which was shut down in March 2025).
    • Cloud Deploy as the managed CD service — this is a key exam topic.
    • Ops Agent instead of legacy Monitoring/Logging agents.
  • There are no case studies for the exam.
  • GKE knowledge is essential — deployments, services, autoscaling, and Workload Identity Federation for GKE are all tested.
  • As mentioned for all the exams, Hands-on is a MUST. If you have not worked on GCP before, make sure you do lots of labs else you would be absolutely clueless about some of the questions and commands.

Google Cloud – Professional Cloud DevOps Engineer Certification Resources

Google Cloud – Professional Cloud DevOps Engineer Certification Topics

Developer Tools – CI/CD

  • Google Cloud Build
    • Cloud Build integrates with GitHub, GitLab, Bitbucket, and Cloud Source Repositories (legacy) and can be used for Continuous Integration and Deployments.
    • Cloud Build can import source code, execute build to the specifications, and produce artifacts such as Docker containers or Java archives.
    • Cloud Build can trigger builds on source commits using 2nd gen repository connections (GitHub, GitLab, Bitbucket) or legacy 1st gen triggers.
    • Cloud Build build config file specifies the instructions to perform, with steps defined for each task like the test, build, and deploy.
    • Cloud Build step specifies an action to be performed and is run in a Docker container.
    • Cloud Build supports custom images as well for the steps.
    • Cloud Build integrates with Pub/Sub to publish messages on build state changes.
    • Cloud Build Private Pools provide dedicated, customer-owned build infrastructure for builds requiring VPC connectivity or enhanced security.
    • Cloud Build generates SLSA Level 3 build provenance for artifacts stored in Artifact Registry, providing verifiable supply chain security metadata including image digests, source locations, and build arguments.
    • Cloud Build should use a Service Account with a Container Developer role to perform deployments on GKE.
    • Cloud Build uses a directory named /workspace as a working directory and the assets produced by one step can be passed to the next one via the persistence of the /workspace directory.
  • Google Cloud Deploy (Managed CD)
    • Cloud Deploy is a managed, opinionated Continuous Delivery service that automates delivery of applications to a series of target environments (dev → staging → production).
    • Cloud Deploy uses Skaffold for rendering and deploying Kubernetes manifests or Cloud Run services.
    • Cloud Deploy supports deployment to GKE, Cloud Run, and GKE Enterprise targets.
    • Cloud Deploy supports multiple deployment strategies: standard (rolling), canary, and blue/green deployments.
    • Cloud Deploy canary deployments allow progressive rollouts with configurable traffic percentages (e.g., 10% → 50% → 100%).
    • Cloud Deploy supports automated promotion between targets when a release succeeds in the previous environment.
    • Cloud Deploy supports deploy verification — automated tests that run after deployment to validate the release before promotion.
    • Cloud Deploy integrates with Cloud Build (CI triggers release creation) and Binary Authorization (policy enforcement).
    • Hint: For managed, structured delivery pipelines with progressive rollout to GKE/Cloud Run, choose Cloud Deploy over Spinnaker or custom scripts.
  • Binary Authorization and Software Supply Chain Security
    • Binary Authorization provides software supply-chain security for container-based applications. It enables you to configure a policy that the service enforces when an attempt is made to deploy a container image on one of the supported container-based platforms.
    • Binary Authorization uses attestations to verify that an image was built by a specific build system or continuous integration (CI) pipeline.
    • Binary Authorization integrates with Cloud Build’s SLSA provenance to verify build authenticity.
    • Artifact Analysis (formerly Container Analysis) helps scan images for vulnerabilities.
    • Hint: For security and compliance reasons if the image deployed needs to be trusted, use Binary Authorization with attestation-based policies.
  • Google Artifact Registry
    • Artifact Registry is the single registry service for all artifact types — container images, Maven, npm, Python, Go, Apt, Yum, and more.
    • Container Registry was shut down on March 18, 2025. All container image storage must use Artifact Registry.
    • Artifact Registry supports both regional and multi-regional repositories.
    • Artifact Registry supports gcr.io domain routing for backward compatibility with Container Registry URLs.
    • Artifact Registry integrates with Artifact Analysis for vulnerability scanning and SBOM generation.
  • Google Cloud Source Repositories (Legacy)

    ⚠️ End of Sale: Cloud Source Repositories is not available to new customers as of June 17, 2024. Existing customers can continue to use it, but new projects should use Secure Source Manager or third-party repositories (GitHub, GitLab, Bitbucket).

    • Cloud Source Repositories are fully-featured, private Git repositories hosted on Google Cloud.
    • Secure Source Manager is the recommended replacement — a regionally deployed, single-tenant, managed source code repository on Google Cloud.
    • Cloud Build 2nd gen repository connections support direct integration with GitHub, GitLab, and Bitbucket without requiring Cloud Source Repositories.
    • Hint: If the code needs to be version controlled and needs collaboration with multiple members, choose Git-related options (GitHub/GitLab integration or Secure Source Manager).
  • Google Cloud Code
    • Cloud Code helps write, debug, and deploy the cloud-based applications for IntelliJ, VS Code, or in the browser.
  • Google Cloud Client Libraries
    • Google Cloud Client Libraries provide client libraries and SDKs in various languages for calling Google Cloud APIs.
    • If the language is not supported, Cloud REST APIs can be used.
  • Deployment Techniques
    • Recreate deployment – fully scale down the existing application version before you scale up the new application version.
    • Rolling update – update a subset of running application instances instead of simultaneously updating every application instance.
    • Blue/Green deployment – (also known as a red/black deployment), you perform two identical deployments of your application.
    • Canary deployment – progressively roll out a change, increasing traffic percentages to the new version.
    • GKE supports Rolling and Recreate deployments natively.
      • Rolling deployments support maxSurge (new pods created) and maxUnavailable (existing pods deleted).
    • Cloud Deploy supports canary and blue/green for GKE and Cloud Run targets.
    • Managed Instance Groups support Rolling deployments using maxSurge and maxUnavailable configurations.
  • Testing Strategies
    • Canary testing – partially roll out a change and then evaluate its performance against a baseline deployment.
    • A/B testing – test a hypothesis by using variant implementations. A/B testing is used to make business decisions (not only predictions) based on the results derived from data.
    • Cloud Deploy supports deploy verification to automatically validate releases after deployment.
  • Spinnaker
    • Spinnaker is an open-source, multi-cloud continuous delivery platform for releasing software changes.
    • Spinnaker supports Blue/Green rollouts by dynamically enabling and disabling traffic to a particular Kubernetes resource.
    • Spinnaker recommends comparing canary against an equivalent baseline, deployed at the same time instead of production deployment.
    • Note: For new GCP-native deployments, Google Cloud Deploy is the recommended managed alternative to self-hosted Spinnaker.

Cloud Operations Suite (Observability)

  • Google Cloud Observability (formerly Operations Suite) provides monitoring, alerting, error reporting, metrics, tracing, profiling, and logging.
  • Google Cloud Monitoring
    • Cloud Monitoring helps gain visibility into the performance, availability, and health of your applications and infrastructure.
    • Ops Agent is the recommended unified agent (replaces legacy Monitoring and Logging agents). It uses OpenTelemetry and Fluent Bit to collect metrics and logs from Compute Engine VMs.
    • Legacy Monitoring Agent and Logging Agent are still functional but should be migrated to Ops Agent for new deployments.
    • Cloud Monitoring supports SLO monitoring — define SLOs directly in Cloud Monitoring with burn-rate alerts based on error budget consumption.
    • Cloud Monitoring supports log exports where the logs can be sunk to Cloud Storage, Pub/Sub, BigQuery, or an external destination like Splunk.
    • Cloud Monitoring API supports push or export custom metrics.
    • Uptime checks help check if the resource responds. It can check the availability of any public service on VM, App Engine, URL, GKE, or AWS Load Balancer.
    • Process health checks can be used to check if any process is healthy.
  • Managed Service for Prometheus
    • Managed Service for Prometheus lets you globally monitor and alert on workloads using Prometheus and OpenTelemetry, without manually managing Prometheus at scale.
    • Supports both managed collection (Google manages the collector) and self-deployed collection (you run your own Prometheus or OpenTelemetry Collector).
    • Integrates natively with GKE for Kubernetes workload monitoring.
    • Supports PromQL for querying and alerting, compatible with existing Prometheus dashboards and rules.
    • Hint: For Prometheus-based monitoring on GKE at scale, use Managed Service for Prometheus instead of self-managed Prometheus.
  • OpenTelemetry Integration
    • Google Cloud supports OpenTelemetry Protocol (OTLP) for sending metrics, traces, and logs directly to Cloud Monitoring, Cloud Trace, and Cloud Logging.
    • OpenTelemetry Collector can be deployed as a sidecar or DaemonSet on GKE to collect and export telemetry data.
    • GKE supports Managed OpenTelemetry with an Instrumentation custom resource that automatically injects configuration into workloads.
  • Google Cloud Logging
    • Cloud Logging provides real-time log management and analysis.
    • Cloud Logging allows ingestion of custom log data from any source.
    • Logs can be exported by configuring log sinks to BigQuery, Cloud Storage, or Pub/Sub.
    • Log Analytics allows SQL-based querying of logs using BigQuery-integrated log buckets.
    • The Ops Agent collects application logs from VMs (replaces legacy Logging Agent which used fluentd).
    • VPC Flow Logs helps record network flows sent from and received by VM instances.
    • Cloud Logging Log-based metrics can be used to create alerts on logs.
    • Hint: If the logs from VM do not appear on Cloud Logging, check if the Ops Agent is installed and running and it has proper permissions to write the logs to Cloud Logging.
  • Cloud Error Reporting
    • Counts, analyzes, and aggregates the crashes in the running cloud services.
  • Cloud Profiler
    • Cloud Profiler allows continuous profiling of CPU and memory usage in production applications with minimal overhead.
    • Helps identify performance bottlenecks in code running on GCP and on-premises resources.
  • Cloud Trace
    • Is a distributed tracing system that collects latency data from the applications and displays it in the Google Cloud Console.
    • Supports OpenTelemetry-based instrumentation for automatic trace collection.
  • Cloud Debugger

    ⚠️ SHUT DOWN: Cloud Debugger was deprecated on May 16, 2022 and the service was shut down on May 31, 2023. It is no longer available and is not tested on the exam.

    • Cloud Debugger previously allowed inspecting the state of a running application in real-time.
    • For runtime debugging needs, use Cloud Logging with structured logs, Cloud Trace for latency analysis, or snapshot-based debugging tools.

Compute Services

  • Compute services like Google Compute Engine and Google Kubernetes Engine are tested from the DevOps, scaling, and security aspects.
  • Google Compute Engine
    • Google Compute Engine is the IaaS option for computing and provides fine-grained control.
    • Spot VMs (formerly Preemptible VMs) and their use cases. HINT – use for short-term, fault-tolerant workloads.
    • Committed Usage Discounts (CUDs) help provide cost benefits for long-term stable and predictable usage.
    • Managed Instance Groups can help scale VMs as per the demand. It also helps provide auto-healing and high availability with health checks, in case an application fails.
  • Google Kubernetes Engine
    • GKE Autopilot is the recommended and default mode of operation — Google fully manages nodes, scaling, security, and node configuration.
      • Autopilot provides a Pod-level SLA and eliminates node management overhead.
      • Supports burstable workloads, GPUs, and StatefulSets.
    • GKE Standard provides full control over node configuration for specialized workloads.
    • GKE can be scaled using:
      • Cluster Autoscaler to scale the cluster node pools.
      • Vertical Pod Autoscaler (VPA) to adjust pod resource requests/limits based on actual usage.
      • Horizontal Pod Autoscaler (HPA) to scale the number of pods based on CPU, memory, or custom/external metrics.
      • Multidimensional Pod Autoscaling — combines HPA (scale out on CPU) and VPA (scale up on memory) simultaneously.
    • Workload Identity Federation for GKE (formerly GKE Workload Identity) is the recommended way for GKE workloads to authenticate to Google Cloud APIs without service account keys.
      • Eliminates the need for service account key files in containers.
      • Pods authenticate with short-lived federated tokens tied to their Kubernetes ServiceAccount.
    • Kubernetes Secrets can be used to store secrets (although they are just base64 encoded values). For production, use Secret Manager integration.
    • Kubernetes supports rolling and recreate deployment strategies.

Security

  • Cloud Key Management Service – KMS
    • Cloud KMS can be used to manage cryptographic keys and encrypt data in Cloud Storage and other integrated services.
  • Secret Manager
    • Secret Manager stores, manages, and provides access to secrets (API keys, passwords, certificates) as binary blobs or text strings.
    • Supports automatic rotation, versioning, and fine-grained IAM access control.
    • Integrates with GKE via Workload Identity Federation for secure secret access from pods.

Site Reliability Engineering – SRE

  • SRE is a DevOps implementation and focuses on increasing reliability and observability, collaboration, and reducing toil using automation.
  • SRE is the largest domain (~28%) of the Professional Cloud DevOps Engineer exam.
  • SLOs help specify a target level for the reliability of your service using SLIs which provide actual measurements.
  • SLI Types:
    • Availability
    • Freshness
    • Latency
    • Quality
  • SLOs – Choosing the measurement method:
    • Synthetic clients to measure user experience
    • Client-side instrumentation
    • Application and infrastructure metrics
    • Logs processing
  • SLOs define Error Budget and Error Budget Policy which need to be aligned with all stakeholders and help plan releases to focus on features vs reliability.
    • Burn-rate alerts can be configured in Cloud Monitoring to alert when error budget is being consumed too quickly.
    • When error budget is exhausted, the team should prioritize reliability over new features (feature freeze).
  • SRE focuses on Reducing Toil – Identifying repetitive, manual, automatable tasks and eliminating them through automation.
  • Production Readiness Review – PRR
    • Applications should be performance tested for volumes before being deployed to production.
    • SLOs should not be modified/adjusted to facilitate production deployments. Teams should work to make the applications SLO compliant before they are deployed to production.
  • SRE Practices include:
    • Incident Management and Response
      • Priority should be to mitigate the issue, and then investigate and find the root cause. Mitigating would include:
        • Rolling back the release that caused the issue.
        • Routing traffic to a working site to restore user experience.
      • Incident Live State Document helps track the events and decision making which can be useful for postmortem.
      • Involves the following roles:
        • Incident Commander/Manager
          • Sets up a communication channel for all to collaborate.
          • Assigns and delegates roles. IC would assume any role, if not delegated.
          • Responsible for Incident Live State Document.
        • Communications Lead
          • Provides periodic updates to all the stakeholders and customers.
        • Operations Lead
          • Responds to the incident and should be the only group modifying the system during an incident.
    • Postmortem
      • Should contain the root cause.
      • Should be Blameless — focus on systems and processes, not individuals.
      • Should be shared with all for collaboration and feedback.
      • Should be shared with all the stakeholders.
      • Should have proper action items to prevent recurrence with an owner and collaborators, if required.
    • Chaos Engineering
      • Proactively testing system resilience by intentionally introducing failures.
      • Helps identify weaknesses before they cause real incidents.
      • Should be conducted in controlled environments with proper safeguards.

All the Best !!

Google Cloud Certified – Cloud Digital Leader Learning Path

Google Cloud Certified - Cloud Digital Leader Certificate

Google Cloud – Cloud Digital Leader Certification Learning Path

🆕 2026 Update: A new Cloud Digital Leader beta exam is open for registration through July 5, 2026 (~75 questions, 2 hours, $59). The standard exam remains available through July 29, 2026. The exam is now delivered via Pearson VUE (replacing Kryterion). Google also launched a new Generative AI Leader certification in May 2025 for non-technical professionals.

Continuing on the Google Cloud Journey, glad to have passed the seventh certification with the Professional Cloud Digital Leader certification. Google Cloud was missing the initial entry-level certification similar to AWS Cloud Practitioner certification, which was introduced as the Cloud Digital Leader certification. Cloud Digital Leader focuses on general Cloud knowledge, Google Cloud knowledge with its products and services.

Google Cloud – Cloud Digital Leader Certification Summary

  • Has 50-60 questions to be answered in 90 minutes (standard exam).
  • Registration fee is $99 USD (plus tax where applicable).
  • Covers a wide range of General Cloud and Google Cloud services and products knowledge.
  • This exam does not require much Hands-on and theoretical knowledge is good enough to clear the exam.
  • Certification validity is 3 years, with a renewal exam option (20 questions, 45 minutes, $60).
  • Exam is delivered online-proctored or at onsite test centers via Pearson VUE.

Google Cloud – Cloud Digital Leader Exam Domains (Current)

The current Cloud Digital Leader exam covers six domains:

  1. Digital Transformation with Google Cloud (~17%)
  2. Exploring Data Transformation with Google Cloud (~16%)
  3. Innovating with Google Cloud Artificial Intelligence (~16%)
  4. Modernizing Infrastructure and Applications with Google Cloud (~17%)
  5. Trust and Security with Google Cloud (~17%)
  6. Scaling with Google Cloud Operations (~17%)

Google Cloud – Cloud Digital Leader Certification Resources

Google Cloud – Cloud Digital Leader Certification Topics

General cloud knowledge

  1. Define basic cloud technologies. Considerations include:
    1. Differentiate between traditional infrastructure, public cloud, and private cloud
      1. Traditional infrastructure includes on-premises data centers
      2. Public cloud include Google Cloud, AWS, and Azure
      3. Private Cloud includes services like AWS Outpost
    2. Define cloud infrastructure ownership
    3. Shared Responsibility Model
      1. Security of the Cloud is Google Cloud’s responsibility
      2. Security on the Cloud depends on the services used and is shared between Google Cloud and the Customer
    4. Essential characteristics of cloud computing
      1. On-demand computing
      2. Pay-as-you-use
      3. Scalability and Elasticity
      4. High Availability and Resiliency
      5. Security
  2. Differentiate cloud service models. Considerations include:
    1. Infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS)
      1. IaaS – everything is done by you – more flexibility more management
      2. PaaS – most of the things are done by Cloud with few things done by you – moderate flexibility and management
      3. SaaS – everything is taken care of by the Cloud, you would just use it – no flexibility and management
    2. Describe the trade-offs between level of management versus flexibility when comparing cloud services
    3. Define the trade-offs between costs versus responsibility
    4. Appropriate implementation and alignment with given budget and resources
  3. Identify common cloud procurement financial concepts. Considerations include:
    1. Operating expenses (OpEx), capital expenditures (CapEx), and total cost of operations (TCO)
      1. On-premises has more of Capex and less OpEx
      2. Cloud has no to least Capex and more of OpEx
    2. Recognize the relationship between OpEx and CapEx related to networking and compute infrastructure
    3. Summarize the key cost differentiators between cloud and on-premises environments

General Google Cloud knowledge

  1. Recognize how Google Cloud meets common compliance requirements. Considerations include:
    1. Locating current Google Cloud compliance requirements
    2. Familiarity with Compliance Reports Manager
  2. Recognize the main elements of Google Cloud resource hierarchy. Considerations include:
    1. Describe the relationship between organization, folders, projects, and resources i.e. Organization -> Folder -> Folder or Projects -> Resources
  3. Describe controlling and optimizing Google Cloud costs. Considerations include:
    1. Google Cloud billing models and applicability to different service classes
    2. Define a consumption-based use model
    3. Application of discounts (e.g., flat-rate, committed-use discounts [CUD], sustained-use discounts [SUD])
      1. Sustained-use discounts [SUD] are automatic discounts for running specific resources for a significant portion of the billing month
      2. Committed use discounts [CUD] help with committed use contracts in return for deeply discounted prices for VM usage
  4. Describe Google Cloud’s geographical segmentation strategy. Considerations include:
    1. Regions are collections of zones. Zones have high-bandwidth, low-latency network connections to other zones in the same region. Regions help design fault-tolerant and highly available solutions.
    2. Zones are deployment areas within a region and provide the lowest latency usually less than 10ms
    3. Regional resources are accessible by any resources within the same region
    4. Zonal resources are hosted in a zone are called per-zone resources.
    5. Multiregional resources or Global resources are accessible by any resource in any zone within the same project.
  5. Define Google Cloud support options. Considerations include:
    1. Distinguish between billing support, technical support, role-based support, and enterprise support
      1. Role-Based Support provides more predictable rates and a flexible configuration. Although they are legacy, the exam does cover these.
      2. Enterprise Support provides the fastest case response times and a dedicated Technical Account Management (TAM) contact who helps you execute a Google Cloud strategy.
    2. Recognize a variety of Service Level Agreement (SLA) applications

Google Cloud products and services

  1. Describe the benefits of Google Cloud virtual machine (VM)-based compute options. Considerations include:
    1. Compute Engine provides virtual machines (VM) hosted on Google’s infrastructure.
    2. Google Cloud VMware Engine helps easy lift and shift VMware-based applications to Google Cloud without changes to the apps, tools, or processes
    3. Bare Metal lets businesses run specialized workloads such as Oracle databases close to Google Cloud while lowering overall costs and reducing risks associated with migration
    4. Custom versus standard sizing
    5. Free, premium, and custom service options
    6. Attached storage/disk options
    7. Spot VMs (formerly Preemptible VMs) are instances that can be created and run at a much lower price than standard instances. Google Cloud can reclaim them at any time when resources are needed. Spot VMs are the recommended replacement for Preemptible VMs.
      ⚠️ Note: Preemptible VMs have been superseded by Spot VMs. Google recommends using Spot VMs for fault-tolerant, batch, and stateless workloads. Spot VMs have no maximum 24-hour runtime limit unlike legacy Preemptible VMs.
  2. Identify and evaluate container-based compute options. Considerations include:
    1. Define the function of a container registry
      1. Artifact Registry is the recommended service to manage container images, perform vulnerability analysis, and manage access control. It supports Docker images, language packages, and OS packages.
        ⚠️ Note: Container Registry was shut down on March 18, 2025. All users must use Artifact Registry which provides all Container Registry functionality plus additional features including multi-format support and regional repositories.
    2. Distinguish between VMs, containers, and Google Kubernetes Engine
  3. Identify and evaluate serverless compute options. Considerations include:
    1. Define the function and use of App Engine, Cloud Functions, and Cloud Run
    2. Define rationale for versioning with serverless compute options
    3. Cost and performance tradeoffs of scale to zero
      1. Scale to zero helps provides cost efficiency by scaling down to zero when there is no load but comes with an issue with cold starts
      2. Serverless technologies like Cloud Functions, Cloud Run, App Engine Standard provide these capabilities
  4. Identify and evaluate multiple data management offerings. Considerations include:
    1. Describe the differences and benefits of Google Cloud’s relational and non-relational database offerings
      1. Cloud SQL provides fully managed, relational SQL databases and offers MySQL, PostgreSQL, MSSQL databases as a service
      2. Cloud Spanner provides fully managed, relational SQL databases with joins and secondary indexes
      3. AlloyDB for PostgreSQL is a fully managed, PostgreSQL-compatible database service designed for demanding enterprise workloads, offering up to 4x faster performance than standard PostgreSQL
      4. Cloud Bigtable provides a scalable, fully managed, non-relational NoSQL wide-column analytical big data database service suitable for low-latency single-point lookups and precalculated analytics
      5. Firestore is a fully managed, serverless NoSQL document database for mobile, web, and server development
      6. BigQuery provides fully managed, no-ops, OLAP, enterprise data warehouse (EDW) with SQL and fast ad-hoc queries.
    2. Describe Google Cloud’s database offerings and how they compare to commercial offerings
  5. Distinguish between ML/AI offerings. Considerations include:
    1. Describe the differences and benefits of Google Cloud’s AI and ML services
      1. Vertex AI is Google Cloud’s unified AI/ML platform for building, deploying, and scaling ML models and AI applications
      2. Gemini is Google’s multimodal large language model available through Vertex AI for generative AI use cases
    2. Identify when to train your own model, use a Google Cloud pre-trained model, or build on an existing model
      1. Vision AI provides out-of-the-box pre-trained models to extract data from images
      2. Vertex AI AutoML provides the ability to train custom models with minimal ML expertise
      3. BigQuery ML provides support for limited models and SQL interface
      4. Gemini and other foundation models allow fine-tuning for domain-specific tasks
    3. Understand generative AI concepts
      1. Large Language Models (LLMs), foundation models, and multimodal models
      2. Prompting, fine-tuning, and grounding
      3. Responsible AI principles
  6. Differentiate between data movement and data pipelines. Considerations include:
    1. Describe Google Cloud’s data pipeline offerings
      1. Cloud Pub/Sub provides reliable, many-to-many, asynchronous messaging between applications. By decoupling senders and receivers, Google Cloud Pub/Sub allows developers to communicate between independently written applications.
      2. Cloud Dataflow is a fully managed service for strongly consistent, parallel data-processing pipelines
      3. Cloud Data Fusion is a fully managed, cloud-native, enterprise data integration service for quickly building & managing data pipelines
      4. BigQuery Service is a fully managed, highly scalable data analysis service that enables businesses to analyze Big Data.
      5. Looker provides an enterprise platform for business intelligence, data applications, and embedded analytics.
      6. Data Studio (formerly known as Looker Studio) is a free, self-service data visualization and reporting tool for creating interactive dashboards.
    2. Define data ingestion options
  7. Apply use cases to a high-level Google Cloud architecture. Considerations include:
    1. Define Google Cloud’s offerings around the Software Development Life Cycle (SDLC)
    2. Describe Google Cloud’s platform visibility and alerting offerings covers Cloud Monitoring and Cloud Logging
  8. Describe solutions for migrating workloads to Google Cloud. Considerations include:
    1. Identify data migration options
      1. Storage Transfer Service for transferring data between cloud storage providers
      2. Transfer Appliance for large-scale offline data migration
      3. Database Migration Service for migrating databases to Cloud SQL and AlloyDB
    2. Differentiate when to use Migrate to Virtual Machines versus Migrate to Containers
      1. Migrate to Virtual Machines (formerly Migrate for Compute Engine) provides fast, flexible, and safe VM migration to Google Cloud
        ⚠️ Note: Migrate for Compute Engine was deprecated on April 30, 2024 and replaced by Migrate to Virtual Machines.
      2. Migrate to Containers (formerly Migrate for Anthos and GKE) makes it fast and easy to modernize traditional applications away from virtual machines and into native containers. This significantly reduces the cost and labor that would be required for a manual application modernization project.
    3. Distinguish between lift and shift versus application modernization
      1. Lift and shift involves migration with zero to minimal changes and is usually performed with time constraints
      2. Application modernization requires a redesign of infra and applications and takes time. It can include moving legacy monolithic architecture to microservices architecture, building CI/CD pipelines for automated builds and deployments, frequent releases with zero downtime, etc.
  9. Describe networking to on-premises locations. Considerations include:
    1. Define Software-Defined WAN (SD-WAN)
    2. Determine the best connectivity option based on networking and security requirements – covers Cloud VPN, Interconnect, and Peering.
    3. Private Google Access provides access from VM instances to Google services like Cloud Storage or third-party services without external IP addresses
  10. Define identity and access features. Considerations include:
    1. Cloud Identity & Access Management (Cloud IAM) provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
    2. Google Cloud Directory Sync enables administrators to synchronize users, groups, and other data from an Active Directory/LDAP service to their Google Cloud domain directory.

Related Google Cloud Certifications

After completing the Cloud Digital Leader certification, consider the following paths:

GCP Professional Cloud Developer Cert Path

Google Cloud Profressional Cloud Developer Certificate

Google Cloud – Professional Cloud Developer Certification learning path

📌 Last Updated: June 2026 — This post has been updated to reflect current exam format, service renamings (Cloud Run functions, Spot VMs, Sensitive Data Protection), deprecated services (Cloud Debugger shut down May 2023), and the transition to Pearson VUE for exam delivery.

Continuing on the Google Cloud Journey, glad to have passed the sixth certification with the Professional Cloud Developer certification.

Google Cloud – Professional Cloud Developer Certification Summary

  • The exam has 50-60 multiple choice and multiple select questions to be answered in 2 hours.
  • Registration fee is $200 (plus tax where applicable).
  • Covers a wide range of Google Cloud services mainly focusing on application development, containerization, CI/CD pipelines, and cloud service integration.
  • As of March 2026, exams are delivered through Pearson VUE (previously Kryterion). You can take the exam online-proctored or at a testing center.
  • Exams are being updated to reflect product updates announced at Google Cloud Next ’26, including Gemini and AI-related services. Refer to the exam guide for current topics.
  • Make sure you cover the case studies beforehand. I got ~5-6 questions and it can really be a savior for you in the exams.
  • As mentioned for all the exams, Hands-on is a MUST, if you have not worked on GCP before make sure you do lots of labs else you would be absolutely clueless about some of the questions and commands.
  • Google recommends 3+ years of industry experience including 1+ years designing and managing solutions using Google Cloud.

Google Cloud – Professional Cloud Developer Certification Resources

Google Cloud – Professional Cloud Developer Certification Topics

Case Studies

Compute Services

  • Compute services like Google Compute Engine, Google Kubernetes Engine, Cloud Run, and App Engine are covered with focus on selecting the right platform and security aspects.
  • Google Compute Engine
    • Google Compute Engine is the best IaaS option for compute and provides fine-grained control.
    • Compute Engine is recommended to be used with Service Account with the least privilege to provide access to Google services and the information can be queried from instance metadata.
    • Compute Engine Persistent disks can be attached to multiple VMs in read-only mode.
    • Compute Engine launch issues reasons:
      • Boot disk is full.
      • Boot disk is corrupted.
      • Boot Disk has an invalid master boot record (MBR).
      • Quota Errors.
      • Can be debugged using Serial console.
    • Spot VMs (previously known as Preemptible VMs) and their use cases. Spot VMs are the recommended replacement — they have no 24-hour maximum lifetime (unlike legacy Preemptible VMs) and run indefinitely as long as capacity is available. HINT — shutdown script to perform cleanup actions.
  • Cloud Run
    • Cloud Run is a fully managed serverless platform for deploying and running containerized applications without managing infrastructure.
    • Cloud Run services — run containers that are invocable via HTTP requests or events, with automatic scaling (including scale-to-zero).
    • Cloud Run jobs — run containers to completion for batch workloads, scripts, and data processing tasks (GA since 2023).
    • Cloud Run functions (formerly Cloud Functions, renamed August 2024) — event-driven functions with the same simple programming model, now deployed on Cloud Run infrastructure with fine-grained control over concurrency, CPU/memory, and networking.
    • Cloud Run supports GPU access for AI/ML inference workloads.
    • Cloud Run integrates with Eventarc for event delivery from 130+ Google Cloud sources.
    • Supports minimum instances to avoid cold starts, and maximum instances to control costs.
  • Google Kubernetes Engine
    • Google Kubernetes Engine enables running containers on Google Cloud.
    • GKE Autopilot is the recommended fully managed mode — Google manages nodes, nodepools, and scaling. In 2024, 30% of active GKE clusters used Autopilot mode. As of 2026, Autopilot is available to all qualifying clusters.
    • Understand GKE containers, Pods, Deployments, Service, DaemonSet, StatefulSets:
      • Pods are the smallest, most basic deployable objects in Kubernetes. A Pod represents a single instance of a running process in the cluster and can contain single or multiple containers.
      • Deployments represent a set of multiple, identical Pods with no unique identities. A Deployment runs multiple replicas of the application and automatically replaces any instances that fail or become unresponsive.
      • StatefulSets represent a set of Pods with unique, persistent identities and stable hostnames that GKE maintains regardless of where they are scheduled.
      • DaemonSets manage groups of replicated Pods. DaemonSets attempt to adhere to a one-Pod-per-node model, either across the entire cluster or a subset of nodes.
      • Service is to group a set of Pod endpoints into a single resource. GKE Services can be exposed as ClusterIP, NodePort, and Load Balancer.
      • Ingress object defines rules for routing HTTP(S) traffic to applications running in a cluster. An Ingress object is associated with one or more Service objects.
      • Gateway API is the next-generation routing API for Kubernetes (successor to Ingress). It provides expressive, extensible, and role-oriented traffic routing with built-in capabilities for header-based matching, traffic weighting, and traffic splitting.
    • GKE supports Horizontal Pod Autoscaler (HPA) to autoscale deployments based on CPU and Memory.
    • GKE supports health checks using liveness and readiness probes:
      • Readiness probes are designed to let Kubernetes know when the app is ready to serve traffic.
      • Liveness probes let Kubernetes know if the app is alive or dead.
    • Understand Workload Identity Federation for GKE (formerly Workload Identity) for security — the recommended way to provide Pods running on the cluster access to Google resources without service account keys.
    • GKE integrates with Istio/Anthos Service Mesh for mTLS and service-to-service security.
  • Google App Engine
  • Cloud Tasks
    • is a fully managed service that allows you to manage the execution, dispatch, and delivery of a large number of distributed tasks.

Security Services

  • Cloud Identity-Aware Proxy
    • Identity-Aware Proxy IAP allows managing access to HTTP-based apps both on Google Cloud and outside of Google Cloud.
    • IAP uses Google identities and IAM and can leverage external identity providers as well like OAuth with Facebook, Microsoft, SAML, etc.
    • Signed headers using JWT provide secondary security in case someone bypasses IAP.
  • Sensitive Data Protection (formerly Cloud DLP)
    • Sensitive Data Protection (previously Cloud Data Loss Prevention / Cloud DLP) is a fully managed service designed to help discover, classify, and protect the most sensitive data.
    • Provides key features:
      • Classification/Inspection — inspect the data and know what data you have, how sensitive it is, and the likelihood.
      • De-identification — the process of removing, masking, redaction, replacing information from data.
      • Discovery — continuously monitors data resources in your organization, profiling data sensitivity and risk levels across BigQuery, Cloud Storage, and Datastore.
  • Web Security Scanner
    • Web Security Scanner identifies security vulnerabilities in the App Engine, GKE, and Compute Engine web applications.
    • Scans provide information about application vulnerability findings, like OWASP, XSS, Flash injection, outdated libraries, cross-site scripting, clear-text passwords, or use of mixed content.
  • Secret Manager
    • Secret Manager stores API keys, passwords, certificates, and other sensitive data securely.
    • Provides versioning, automatic rotation, and fine-grained IAM access control.
    • Integrates natively with Cloud Run, GKE, and Cloud Build for secure secret injection.

Networking Services

  • Virtual Private Cloud
    • Understand Virtual Private Cloud (VPC), subnets, and host applications within them.
    • Private Access options for services allow instances with internal IP addresses to communicate with Google APIs and services.
    • Private Google Access allows VMs to connect to the set of external IP addresses used by Google APIs and services by enabling Private Google Access on the subnet used by the VM’s network interface.
  • Cloud Load Balancing
    • Google Cloud Load Balancing provides scaling, high availability, and traffic management for your internet-facing and private applications.

Identity Services

  • Resource Manager
    • Understand Resource Manager the hierarchy Organization → Folders → Projects → Resources.
    • IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
    • Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
  • Identity and Access Management
    • Identify and Access Management – IAM provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
    • A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person.
    • Understand IAM Best Practices:
      • Use groups for users requiring the same responsibilities.
      • Use service accounts for server-to-server interactions.
      • Use Workload Identity Federation instead of service account keys for external workloads and GKE pods.
      • Use Organization Policy Service to get centralized and programmatic control over the organization’s cloud resources.
    • Domain-wide delegation of authority to grant third-party and internal applications access to the users’ data (e.g., Google Drive).

Storage Services

  • Cloud Storage
    • Cloud Storage is cost-effective object storage for unstructured data and provides an option for long term data retention.
    • Understand Signed URL to give temporary access and the users do not need to be GCP users. HINT: Signed URL would work for direct upload to GCS without routing the traffic through App Engine or CE.
    • Understand Google Cloud Storage Classes and Object Lifecycle Management to transition objects.
    • Retention Policies help define the retention period for the bucket, before which the objects in the bucket cannot be deleted.
    • Bucket Lock feature allows configuring a data retention policy for a bucket that governs how long objects in the bucket must be retained. The feature also allows locking the data retention policy, permanently preventing the policy from being reduced or removed.
    • Know Cloud Storage Best PracticesGCS auto-scaling performs well if requests ramp up gradually rather than having a sudden spike. Also, retry using exponential back-off strategy.
    • Cloud Storage can be used to host static websites.
    • Cloud CDN can be used with Cloud Storage to improve performance and enable caching.
  • Firestore
    • Firestore (successor to Cloud Datastore) provides a managed NoSQL document database built for automatic scaling, high performance, and ease of application development.
    • Firestore operates in Native mode (real-time sync, offline support) or Datastore mode (backward compatible with Cloud Datastore).
  • Artifact Registry
    • Artifact Registry is the recommended container and package registry (Container Registry was shut down on March 18, 2025).
    • Supports Docker images, language packages (Maven, npm, Python, etc.), and OS packages.
    • Integrates with Cloud Build for CI/CD pipelines and provides vulnerability scanning.

Developer Tools

  • Google Cloud Build
    • Cloud Build is a serverless CI/CD platform that integrates with GitHub, GitLab, and Bitbucket (Cloud Source Repositories is no longer available to new customers as of June 2024; Secure Source Manager is the replacement).
    • Cloud Build can import source code, execute build to specifications, and produce artifacts such as Docker containers or Java archives.
    • Cloud Build build config file specifies the instructions to perform, with steps defined for each task like test, build, and deploy.
    • Cloud Build supports custom images as well for the steps.
    • Cloud Build uses a directory named /workspace as a working directory and the assets produced by one step can be passed to the next one via the persistence of the /workspace directory.
    • Cloud Build 2nd gen repositories provide improved integration with GitHub and GitLab.
  • Google Cloud Code
    • Cloud Code helps write, debug, and deploy cloud-based applications for IntelliJ, VS Code, or in the browser.
  • Google Cloud Client Libraries
    • Google Cloud Client Libraries provide client libraries and SDKs in various languages for calling Google Cloud APIs.
    • If the language is not supported, Cloud REST APIs can be used.
  • Deployment Techniques
    • Recreate deployment — fully scale down the existing application version before you scale up the new application version.
    • Rolling update — update a subset of running application instances instead of simultaneously updating every application instance.
    • Blue/Green deployment — (also known as a red/black deployment), perform two identical deployments of your application.
    • GKE supports Rolling and Recreate deployments.
      • Rolling deployments support maxSurge (new pods would be created) and maxUnavailable (existing pods would be deleted).
    • Managed Instance Groups support Rolling deployments using maxSurge and maxUnavailable configurations.
    • Cloud Run supports traffic splitting for gradual rollouts (route percentages between revisions).
  • Testing Strategies
    • Canary testing — partially roll out a change and then evaluate its performance against a baseline deployment.
    • A/B testing — test a hypothesis by using variant implementations. A/B testing is used to make business decisions (not only predictions) based on the results derived from data.

Data Services

  • Bigtable
  • Cloud Pub/Sub
    • Understand Cloud Pub/Sub as an asynchronous messaging service.
    • Know patterns for One to Many, Many to One, and Many to Many.
    • roles/publisher and roles/pubsub.subscriber provides applications with the ability to publish and consume.
  • Cloud SQL
    • Cloud SQL is a fully managed service that provides MySQL, PostgreSQL, and Microsoft SQL Server.
    • HA configuration provides data redundancy and failover capability with minimal downtime when a zone or instance becomes unavailable.
    • Read replicas help scale horizontally the use of data in a database without degrading performance.
  • Cloud Spanner
    • is a fully managed relational database with unlimited scale, strong consistency, and up to 99.999% availability.
    • Can read and write up-to-date strongly consistent data globally.
    • Multi-region instances give higher availability guarantees (99.999% availability) and global scale.
    • Cloud Spanner’s table interleaving is a good choice for many parent-child relationships where the child table’s primary key includes the parent table’s primary key columns.

Monitoring & Observability

  • Google Cloud Monitoring (part of Google Cloud Observability, formerly Stackdriver)
    • Provides monitoring, alerting, error reporting, metrics, and diagnostics.
    • Cloud Monitoring helps gain visibility into the performance, availability, and health of your applications and infrastructure.
  • Google Cloud Logging
    • Cloud Logging provides real-time log management and analysis.
    • Cloud Logging allows ingestion of custom log data from any source.
    • Logs can be exported by configuring log sinks to BigQuery, Cloud Storage, or Pub/Sub.
    • Cloud Logging Agent (Ops Agent) can be installed for logging and capturing application logs.
  • Cloud Error Reporting
    • Counts, analyzes, and aggregates the crashes in the running cloud services.
  • Cloud Trace
    • is a distributed tracing system that collects latency data from the applications and displays it in the Google Cloud Console.
    • Supports OpenTelemetry Protocol (OTLP) for sending trace data — the recommended approach for new and existing users.
  • Cloud Debugger
    • ⚠️ DEPRECATED: Cloud Debugger was deprecated on May 16, 2022 and shut down on May 31, 2023. It is no longer available.

      Alternative: Use Snapshot Debugger (open-source) or standard logging/tracing with Cloud Logging and Cloud Trace for application debugging.

All the Best !!

GCP Professional Cloud Security Engineer Cert Path

GCP - Professional Cloud Security Engineer Certificate

Google Cloud – Professional Cloud Security Engineer Certification learning path

Continuing on the Google Cloud Journey, have just cleared the Professional Cloud Security certification. Google Cloud – Professional Cloud Security Engineer certification exam focuses on almost all of the Google Cloud security services with storage, compute, networking services with their security aspects only.

📋 Exam Update (2025-2026)

The Professional Cloud Security Engineer exam has been updated to include securing AI workloads (Vertex AI), software supply chain security, and VPC Service Controls as key topics. The exam now has 50-60 questions (previously 50) and costs $200. Approximately ⅓–¼ of the exam now covers Vertex AI security, VPC Service Controls, and private/public endpoint configurations.

Google Cloud – Professional Cloud Security Engineer Certification Summary

  • Has 50-60 questions to be answered in 2 hours.
  • Registration fee: $200 (plus tax where applicable)
  • Available in English and Japanese
  • Can be taken online-proctored or at a testing center
  • Covers a wide range of Google Cloud services mainly focusing on security and network services
  • Recommended experience: 3+ years of industry experience including 1+ years designing and managing solutions using Google Cloud
  • As mentioned for all the exams, Hands-on is a MUST, if you have not worked on GCP before make sure you do lots of labs else you would be absolutely clueless about some of the questions and commands
  • Certification is valid for 3 years and can be renewed within the renewal eligibility period
  • The exam now covers five key domains:
    • Configuring Access (~25%)
    • Securing Communications and Establishing Boundary Protection (~22%)
    • Ensuring Data Protection (~23%)
    • Managing Operations (~19%)
    • Supporting Compliance Requirements (~11%)

Google Cloud – Professional Cloud Security Engineer Certification Resources

Google Cloud – Professional Cloud Security Engineer Certification Topics

Security Services

  • Google Cloud – Security Services Cheat Sheet
  • Cloud Key Management Service – KMS
    • Cloud KMS provides a centralized, scalable, fast cloud key management service to manage encryption keys
    • KMS Key is a named object containing one or more key versions, along with metadata for the key.
    • KMS KeyRing provides grouping keys with related permissions that allow you to grant, revoke, or modify permissions to those keys at the key ring level without needing to act on each key individually.
    • Supports Autokey (GA 2024) for automatic key provisioning and assignment to protect data at rest
    • Supports Cloud External Key Manager (EKM) for using keys managed in supported external key management partners
  • Cloud Armor
    • Cloud Armor protects the applications from multiple types of threats, including DDoS attacks and application attacks like XSS and SQLi
    • works with the external HTTP(S) load balancer to automatically block network protocol and volumetric DDoS attacks such as protocol floods (SYN, TCP, HTTP, and ICMP) and amplification attacks (NTP, UDP, DNS)
    • Cloud Armor Enterprise (formerly Managed Protection Plus) is the premium tier with advanced DDoS protection, Threat Intelligence, and Adaptive Protection features
    • Adaptive Protection uses ML to detect and mitigate L7 DDoS attacks automatically, trained locally on application traffic patterns
    • Hierarchical Security Policies (GA 2025) enable centralized control and delegation of security policy management across organizations
    • Enhanced WAF inspection now supports up to 64 KB request body inspection (up from 8 KB) for preconfigured WAF rules
    • with GKE needs to be configured with GKE Ingress
    • can be used to blacklist IPs
    • supports preview mode to understand patterns without blocking the users
  • Cloud Identity-Aware Proxy
    • Identity-Aware Proxy IAP allows managing access to HTTP-based apps both on Google Cloud and outside of Google Cloud.
    • IAP uses Google identities and IAM and can leverage external identity providers as well like OAuth with Facebook, Microsoft, SAML, etc.
    • Signed headers using JWT provide secondary security in case someone bypasses IAP.
    • IAP is a core component of Google’s BeyondCorp zero-trust model, now delivered through Chrome Enterprise Premium
  • Sensitive Data Protection (formerly Cloud Data Loss Prevention – DLP)
    • Cloud Data Loss Prevention (DLP) is now part of Sensitive Data Protection, a family of services designed to help discover, classify, and protect sensitive data.
    • The API name remains Cloud Data Loss Prevention API (DLP API)
    • provides two key features
      • Classification is the process to inspect the data and know what data we have, how sensitive it is, and the likelihood.
      • De-identification is the process of removing, masking, redaction, replacing information from data.
    • supports text, image, and storage classification with scans on data stored in Cloud Storage, Datastore, and BigQuery
    • supports scanning of binary, text, image, Microsoft Word, PDF, and Apache Avro files
    • Discovery service (data profiler) continuously monitors data resources and classifies data into infoTypes, assessing sensitivity and risk levels
    • Deeply integrated with Security Command Center Enterprise risk engine for continuous data monitoring
    • Supports automatic discovery of unencrypted secrets and data profiling across organizations, folders, or projects
  • Web Security Scanner
    • Web Security Scanner identifies security vulnerabilities in the App Engine, GKE, and Compute Engine web applications.
    • scans provide information about application vulnerability findings, like OWASP, XSS, Flash injection, outdated libraries, cross-site scripting, clear-text passwords, or use of mixed content
  • Security Command Center – SCC
    • is a Security and risk management platform that helps generate curated insights and provides a unique view of incoming threats and attacks to the assets
    • displays possible security risks, called findings, that are associated with each asset.
    • Available in three tiers:
      • Standard tier – Free, now automatically enabled for eligible customers; provides basic security and compliance management
      • Premium tier – Pay-as-you-go; includes Security Health Analytics, Event Threat Detection, Container Threat Detection, and VM Threat Detection
      • Enterprise tier – Subscription-based; extends protection across multiple clouds with Google SecOps integration and automated responses (Note: Enterprise tier shuts down May 21, 2027; organizations will move to Premium tier)
    • Premium and Enterprise tiers include Risk Engine for attack path simulation and toxic combination detection
  • Forseti Security
    ⚠️ DEPRECATED/ARCHIVED – Forseti Security repository was archived by Google on January 11, 2025 due to low community engagement and limited development activity. It is now read-only and no longer supported.

    Alternative: Use Security Command Center (SCC) for centralized security posture management, asset inventory, and compliance monitoring.
    • Was an open-source security toolkit for GCP resource inventory and policy enforcement
    • Kept track of the environment with inventory snapshots of GCP resources on a recurring cadence
  • Chrome Enterprise Premium (formerly BeyondCorp Enterprise)
    • BeyondCorp Enterprise was renamed to Chrome Enterprise Premium in April 2024
    • Provides zero-trust access security integrated directly within the Chrome browser
    • Enables granular access policies for personally-owned and managed devices
    • Combines threat protection, data protection, and zero-trust access in the browser
    • Works with Identity-Aware Proxy (IAP) and Access Context Manager for context-aware access
  • Access Context Manager
    • Access Context Manager allows organization administrators to define fine-grained, attribute-based access control for projects and resources
    • Access Context Manager helps reduce the size of the privileged network and move to a model where endpoints do not carry ambient authority based on the network.
    • Access Context Manager helps prevent data exfiltration with proper access levels and security perimeter rules
    • Works with VPC Service Controls to create security perimeters around Google Cloud resources
  • VPC Service Controls
    • Creates security perimeters that protect resources and data of explicitly specified services
    • Prevents data exfiltration by restricting the movement of data across perimeter boundaries
    • Critical for Vertex AI security – controls access to AI/ML endpoints and training data
    • Supports ingress and egress rules for fine-grained access policies
    • Major exam topic – understand perimeter configuration, access levels, and service restrictions

AI Security (New Exam Topic)

  • Securing Vertex AI Workloads
    • Approximately ⅓–¼ of the current exam covers Vertex AI security topics
    • Understand network security for AI endpoints (private vs public endpoint configurations)
    • Use VPC Service Controls to protect training data and model artifacts
    • Configure IAM roles for Vertex AI (roles/aiplatform.*) with least privilege
    • Understand Customer-Managed Encryption Keys (CMEK) for AI data encryption
    • Secure model serving endpoints with authentication and authorization
  • Confidential Computing
    • Provides hardware-based memory encryption for data-in-use protection
    • Confidential VMs encrypt data while processing, offering protection from cloud operator access
    • Supports secure collaboration and federated learning without revealing individual data
    • Available for Compute Engine, GKE, and AI/ML workloads

Software Supply Chain Security (New Exam Topic)

  • Binary Authorization
    • Deploy-time security control that ensures only trusted container images are deployed on GKE or Cloud Run
    • Enforces signature verification policies before deployment
  • Artifact Registry
    • Universal package manager for container images and language packages
    • Supports vulnerability scanning with Artifact Analysis
    • Replaces Container Registry (deprecated)
  • Software Delivery Shield
    • End-to-end software supply chain security solution
    • Covers source code, build, deploy, and runtime phases
    • Integrates Cloud Build, Artifact Registry, Binary Authorization, and GKE security features

Compliance

  • FIPS 140-2 Validated
    • FIPS 140-2 Validated certification was established to aid in the protection of digitally stored unclassified, yet sensitive, information.
    • Google Cloud uses a FIPS 140-2 validated encryption module called BoringCrypto in the production environment. This means that both data in transit to the customer and between data centers, and data at rest are encrypted using FIPS 140-2 validated encryption.
    • BoringCrypto module that achieved FIPS 140-2 validation is part of the BoringSSL library.
    • BoringSSL library as a whole is not FIPS 140-2 validated
  • PCI/DSS Compliance
    • PCI/DSS compliance is a shared responsibility model
    • Egress rules cannot be controlled for App Engine, Cloud Functions, and Cloud Storage. Google recommends using Compute Engine and GKE to ensure that all egress traffic is authorized.
    • Antivirus software and File Integrity monitoring must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats including containers
    • For payment processing, the security can be improved and compliance proved by isolating each of these environments into its own VPC network and reduce the scope of systems subject to PCI audit standards
  • Assured Workloads
    • Enables compliance and sovereignty controls for regulated workloads on Google Cloud
    • Supports FedRAMP, IL4, CJIS, ITAR, and regional compliance requirements
    • Automatically applies organization policy constraints and resource location restrictions

Networking Services

  • Refer Google Cloud Security Services Cheat Sheet
  • Virtual Private Cloud
    • Understand Virtual Private Cloud (VPC), subnets, and host applications within them
    • Firewall rules control the Traffic to and from instances. HINT: rules with lower integers indicate higher priorities. Firewall rules can be applied to specific tags.
    • Know implied firewall rules which deny all ingress and allow all egress
    • Understand the difference between using Service Account vs Network Tags for filtering in Firewall rules. HINT: Use SA over tags as it provides access control while tags can be easily inferred.
    • VPC Peering allows internal or private IP address connectivity across two VPC networks regardless of whether they belong to the same project or the same organization. HINT: VPC Peering uses private IPs and does not support transitive peering
    • Shared VPC allows an organization to connect resources from multiple projects to a common VPC network so that they can communicate with each other securely and efficiently using internal IPs from that network
    • Private Access options for services allow instances with internal IP addresses can communicate with Google APIs and services.
    • Private Google Access allows VMs to connect to the set of external IP addresses used by Google APIs and services by enabling Private Google Access on the subnet used by the VM’s network interface.
    • Private Service Connect provides private connectivity between VPCs and services, including Google APIs and third-party services, without exposing traffic to the public internet
    • VPC Flow Logs records a sample of network flows sent from and received by VM instances, including instances used as GKE nodes.
    • Firewall Rules Logging enables auditing, verifying, and analyzing the effects of the firewall rules
  • Hybrid Connectivity
    • Understand Hybrid Connectivity options in terms of security.
    • Cloud VPN provides secure connectivity from the on-premises data center to the GCP network through the public internet. Cloud VPN does not provide internal or private IP connectivity
    • Cloud Interconnect provides direct connectivity from the on-premises data center to the GCP network
  • Cloud NAT
    • Cloud NAT allows VM instances without external IP addresses and private GKE clusters to send outbound packets to the internet and receive any corresponding established inbound response packets.
    • Requests would not be routed through Cloud NAT if they have an external IP address
  • Cloud DNS
    • Understand Cloud DNS and its features
    • supports DNSSEC, a feature of DNS, that authenticates responses to domain name lookups and protects the domains from spoofing and cache poisoning attacks
  • Cloud Load Balancing
    • Google Cloud Load Balancing provides scaling, high availability, and traffic management for your internet-facing and private applications.
    • Understand Google Load Balancing options and their use cases esp. which is global, internal and does they support SSL offloading
      • Network Load Balancer – regional, external, pass through and supports TCP/UDP
      • Internal TCP/UDP Load Balancer – regional, internal, pass through and supports TCP/UDP
      • HTTP/S Load Balancer – regional/global, external, and supports HTTP/S
      • Internal HTTP/S Load Balancer – regional/global, internal, and supports HTTP/S
      • SSL Proxy Load Balancer – regional/global, external, proxy, supports SSL with SSL offload capability
      • TCP Proxy Load Balancer – regional/global, external, proxy, supports TCP without SSL offload capability

Identity Services

  • Resource Manager
    • Understand Resource Manager the hierarchy Organization -> Folders -> Projects -> Resources
    • IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
    • Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
  • Identity and Access Management
    • Identify and Access Management – IAM provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
    • A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person.
    • Service Account, if accidentally deleted, can be recovered if the time gap is less than 30 days and a service account by the same name wasn’t created
    • Understand IAM Best Practices
      • Use groups for users requiring the same responsibilities
      • Use service accounts for server-to-server interactions.
      • Use Organization Policy Service to get centralized and programmatic control over the organization’s cloud resources.
    • Domain-wide delegation of authority to grant third-party and internal applications access to the users’ data for e.g. Google Drive etc.
    • Workforce Identity Federation allows external identities (from Azure AD, Okta, etc.) to access Google Cloud resources without needing Google Cloud credentials
    • Workload Identity Federation allows external workloads to access Google Cloud resources without using service account keys
    • IAM Conditions enable attribute-based access control (ABAC) for fine-grained, conditional permissions
  • Cloud Identity
    • Cloud Identity provides IDaaS (Identity as a Service) and provides single sign-on functionality and federation with external identity providers like Active Directory.
    • Cloud Identity supports federating with Active Directory using GCDS (Google Cloud Directory Sync) to implement the synchronization

Compute Services

  • Compute services like Google Compute Engine and Google Kubernetes Engine are lightly covered more from the security aspects
  • Google Compute Engine
    • Google Compute Engine is the best IaaS option for compute and provides fine-grained control
    • Managing access using OS Login or project and instance metadata
    • Compute Engine is recommended to be used with Service Account with the least privilege to provide access to Google services and the information can be queried from instance metadata.
    • Shielded VMs provide verifiable integrity of instances through Secure Boot, vTPM, and integrity monitoring
    • Confidential VMs provide hardware-based memory encryption for data-in-use protection
  • Google Kubernetes Engine
    • Google Kubernetes Engine, enables running containers on Google Cloud
    • Understand Best Practices for Building Containers
      • Package a single app per container
      • Properly handle PID 1, signal handling, and zombie processes
      • Optimize for the Docker build cache
      • Remove unnecessary tools
      • Build the smallest image possible
      • Scan images for vulnerabilities using Artifact Analysis
      • Restrict using Public Image
      • Managed Base Images
      • Use Binary Authorization to enforce deployment policies
    • GKE Security Posture dashboard provides visibility into security configurations and vulnerabilities
    • Workload Identity is the recommended way to access Google Cloud services from GKE pods (replaces node SA)

Storage Services

  • Cloud Storage
    • Cloud Storage is cost-effective object storage for unstructured data and provides an option for long term data retention
    • Understand Cloud Storage Security features
      • Understand various Data Encryption techniques including Envelope Encryption, CMEK, and CSEK. HINT: CSEK works with Cloud Storage and Persistent Disks only. CSEK manages KEK and not DEK.
      • Cloud Storage default encryption uses AES256
      • Understand Signed URL to give temporary access and the users do not need to be GCP users
      • Understand access control and permissions – IAM (Uniform) vs ACLs (fine-grained control)
      • Bucket Lock feature allows configuring a data retention policy for a bucket that governs how long objects in the bucket must be retained. The feature also allows locking the data retention policy, permanently preventing the policy from being reduced or removed
      • Object Versioning and Soft Delete for protection against accidental deletion

Monitoring

  • Google Cloud Monitoring (formerly Stackdriver)
    • provides monitoring, alert, error reporting, metrics, diagnostics, debugging, trace.
  • Google Cloud Logging (formerly Stackdriver Logging)
    • Audit logs are provided through Cloud Logging using Admin Activity and Data Access Audit logs
    • VPC Flow logs and Firewall Rules logs help monitor traffic to and from Compute Engine instances.
    • log sinks can export data to external providers via Cloud Pub/Sub, BigQuery, Cloud Storage, or third-party SIEM solutions
    • Cloud Audit Logs include Admin Activity, Data Access, System Event, and Policy Denied audit logs
  • Google Security Operations (formerly Chronicle)
    • Cloud-native SIEM and SOAR platform for threat detection, investigation, and response
    • Built on Google infrastructure for petabyte-scale security telemetry analysis
    • Integrated with Security Command Center Enterprise tier
    • Note: There is a separate Professional Security Operations Engineer certification (launched Sept 2025) for deep SecOps specialization

All the Best !!