AWS Services Overview – Whitepaper – Certification

AWS Services Overview

AWS consists of many cloud services that can be used in combinations tailored to meet business or organizational needs. This section introduces the major AWS services by category.


NOTE – This post provides a brief overview of AWS services. It is a good introduction to start all certifications. However, it is most relevant and important for the AWS Cloud Practitioner Certification Exam.

Last updated: June 2026. Reflects current AWS service names, deprecations, and new services launched through 2024-2026.


Common Features

  • Almost all features can be access-controlled through AWS Identity and Access Management (IAM)
  • Services managed by AWS are all made Scalable and Highly Available, without any changes needed from the user
  • Most services support encryption at rest and in transit by default

AWS Access

AWS services can be accessed through the following unified tools:

  • AWS Management Console – a simple and intuitive user interface
  • AWS Command Line Interface (CLI) – programmatic access through scripts
  • AWS Software Development Kits (SDKs) – programmatic access through Application Programming Interfaces (APIs) tailored for programming languages (Java, .NET, Node.js, PHP, Python, Ruby, Go, C++, Rust, Kotlin, Swift) or platforms (Android, Browser, iOS)
  • AWS CloudShell – a browser-based shell environment pre-authenticated with console credentials
  • Infrastructure as Code (IaC) – AWS CloudFormation, AWS CDK, or Terraform for declarative resource provisioning

Security, Identity, and Compliance

AWS Identity and Access Management (IAM)

  • enables you to securely control access to AWS services and resources for your users.
  • allows creation of IAM users, groups, and roles, and uses permissions to allow or deny their access to AWS resources
  • helps manage IAM users and their access with individual security credentials like access keys, passwords, and multi-factor authentication devices, or with requested temporary security credentials
  • helps create roles and manage their permissions to control which operations can be performed by the entity or AWS service that assumes the role
  • enables identity federation to allow existing identities in the enterprise to access AWS without the need to create an IAM user for each identity.
  • IAM Identity Center (formerly AWS SSO) provides centralized workforce identity management and single sign-on access to multiple AWS accounts and applications.

Amazon Inspector

  • is an automated vulnerability management service that continually scans workloads for software vulnerabilities and unintended network exposure.
  • automatically discovers and scans EC2 instances, container images in Amazon ECR, and AWS Lambda functions.
  • supports both agent-based and agentless scanning for EC2 instances.
  • produces a detailed list of security findings prioritized by a contextualized risk score that correlates CVE information with network access and exploitability factors.
  • integrates with AWS Security Hub for centralized findings management.

AWS Certificate Manager

  • helps provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services like ELB, CloudFront, and API Gateway
  • removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.

AWS CloudHSM

  • helps meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS Cloud.
  • allows protection of encryption keys within HSMs, designed and validated to government standards for secure key management.
  • helps comply with strict key management requirements without sacrificing application performance.

AWS Directory Service

  • provides Microsoft Active Directory (Enterprise Edition), also known as AWS Managed Microsoft AD, that enables directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud.

AWS Key Management Service (KMS)

  • is a managed service that makes it easy to create and control the encryption keys used to encrypt your data.
  • uses HSMs to protect your keys.
  • integrates with most AWS services for seamless encryption of data at rest.

AWS Organizations

  • allows grouping AWS accounts so that security and automation settings can be managed collectively
  • helps centrally manage multiple accounts to help scale.
  • helps control which AWS services are available to individual accounts using Service Control Policies (SCPs), automate new account creation, and simplify billing.

AWS Shield

  • is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS.
  • provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
  • provides two tiers: Shield Standard (free, automatic) and Shield Advanced (paid, enhanced protection with 24/7 DDoS Response Team access).

AWS WAF

  • is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
  • gives control over which traffic to allow or block to a web application by defining customizable web security rules.
  • integrates with CloudFront, Application Load Balancer, API Gateway, and AWS AppSync.

Amazon GuardDuty

  • is a threat detection service that continuously monitors AWS accounts, workloads, and data for malicious activity and anomalous behavior.
  • analyzes events from AWS CloudTrail, VPC Flow Logs, DNS logs, and other sources using machine learning and threat intelligence.
  • provides actionable security findings with severity levels for prioritized response.

Amazon Macie

  • is a data security service that discovers sensitive data using machine learning and pattern matching.
  • automatically discovers and protects sensitive data stored in Amazon S3, such as personally identifiable information (PII) and financial data.
  • provides visibility into data security risks and enables automated protection.

AWS Security Hub

  • provides a comprehensive view of your security posture across AWS accounts.
  • aggregates, organizes, and prioritizes security findings from multiple AWS services (GuardDuty, Inspector, Macie) and AWS Partner solutions.
  • automates security checks against best practices and industry standards.

Amazon Security Lake

  • automatically centralizes security data from AWS environments, SaaS providers, and on-premises sources into a purpose-built data lake.
  • normalizes data using the Open Cybersecurity Schema Framework (OCSF) for easier analysis.
  • stores data in your account using S3, giving you full control and ownership.

AWS Compute Services

Amazon Elastic Compute Cloud (EC2)

  • provides secure, resizable compute capacity
  • provides complete control of the computing resources (root access and the ability to start, stop, and terminate instances, etc.)
  • reduces the time required to obtain and boot new instances to minutes
  • allows quick scaling of capacity, both up and down, as computing requirements change
  • provides developers and sysadmins with tools to build failure-resilient applications that are isolated from common failure scenarios.
  • Benefits
    • Elastic Web-Scale Computing – enables scaling to increase or decrease capacity within minutes.
    • Flexible Cloud Hosting Services – flexibility to choose from multiple instance types (including AWS Graviton-based ARM instances for better price-performance), operating systems, and software packages.
    • Reliable – offers a highly reliable environment where replacement instances can be rapidly commissioned. EC2 SLA commitment is 99.99% availability for each Region.
    • Secure – works in conjunction with VPC to provide security and robust networking functionality. Allows control of IP addresses, exposure to the Internet (using subnets), and inbound and outbound access (using security groups and NACLs).
    • Inexpensive – pay only for the capacity actually used
  • EC2 Purchasing Options
    • On-Demand Instances – pay for compute capacity by the hour or second with no long-term commitments.
    • Savings Plans – flexible pricing model offering up to 72% savings in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a 1 or 3-year term. Available as Compute Savings Plans or EC2 Instance Savings Plans.
    • Reserved Instances – provides significant discount (up to 72%) compared to On-Demand pricing for a 1 or 3-year commitment to a specific instance type.
    • Spot Instances – allows use of spare EC2 computing capacity at up to 90% discount compared to On-Demand pricing. Instances can be interrupted by AWS with a 2-minute warning.
    • Dedicated Instances – run on hardware dedicated to a single customer for additional isolation.
    • Dedicated Hosts – physical servers with EC2 instance capacity fully dedicated to your use, allowing use of existing server-bound software licenses.

Amazon Elastic Container Service (ECS)

  • is a fully managed container orchestration service that supports Docker containers.
  • allows running applications on a managed cluster of EC2 instances or serverlessly with AWS Fargate.
  • eliminates the need to install, operate, and scale cluster management infrastructure.
  • can schedule the placement of containers across the cluster based on resource needs and availability requirements.
  • integrates with Elastic Load Balancing, VPC, IAM, CloudWatch, and other AWS services.

Amazon Elastic Kubernetes Service (EKS)

  • is a managed Kubernetes service that makes it easy to run Kubernetes on AWS without needing to install and operate your own Kubernetes control plane.
  • runs upstream Kubernetes, ensuring compatibility with existing Kubernetes applications and tools.
  • automatically manages the availability and scalability of the Kubernetes control plane nodes.
  • supports running pods on EC2 instances, AWS Fargate (serverless), or on-premises with EKS Anywhere.
  • EKS Auto Mode automatically provisions and manages compute, networking, and storage for Kubernetes clusters.

Amazon Elastic Container Registry (ECR)

  • is a fully managed Docker container registry that makes it easy to store, manage, and deploy Docker container images.
  • is integrated with Amazon ECS and EKS, simplifying development to production workflow.
  • eliminates the need to operate container repositories or worry about scaling the underlying infrastructure.
  • supports OCI images and artifacts, private and public repositories.

AWS Fargate

  • is a serverless compute engine for containers that works with both Amazon ECS and Amazon EKS.
  • removes the need to provision, configure, or scale clusters of virtual machines to run containers.
  • allocates the right amount of compute resources, eliminating the need to choose instance types or manage scaling.
  • each task or pod runs in its own isolated environment for workload isolation by design.

Amazon Lightsail

  • is designed to be the easiest way to launch and manage a virtual private server with AWS.
  • plans include everything needed to jumpstart a project – a virtual machine, SSD-based storage, data transfer, DNS management, and a static IP address – for a low, predictable price.

AWS Batch

  • enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS.
  • dynamically provisions the optimal quantity and type of compute resources based on the volume and specific resource requirements of the batch jobs submitted.
  • plans, schedules, and executes the batch computing workloads across the full range of AWS compute services and features.

AWS Elastic Beanstalk

  • is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.
  • automatically handles the deployment, from capacity provisioning, load balancing, and auto scaling to application health monitoring.
  • provides full control over the AWS resources with access to the underlying resources at any time.

AWS Lambda

  • enables running code without provisioning or managing servers, with automatic scaling for high availability.
  • pay only for the compute time consumed – there is no charge when the code is not running.
  • can be triggered from other AWS services or called directly from any web or mobile app.
  • supports container images up to 10 GB, up to 10 GB of memory, and execution durations up to 15 minutes.
  • supports multiple runtimes including Node.js, Python, Java, .NET, Go, Ruby, and custom runtimes.

AWS App Runner

  • is a fully managed service for building, deploying, and running containerized web applications and APIs at scale.
  • automatically builds and deploys from source code or container images with no infrastructure management required.
  • handles load balancing, scaling, and TLS certificate management automatically.

Auto Scaling

  • helps maintain application availability
  • allows scaling EC2 capacity up or down automatically according to defined conditions, absorbing demand spikes and reducing cost
  • helps ensure the desired number of EC2 instances is always running
  • AWS Auto Scaling provides unified scaling for multiple resources (EC2, ECS, DynamoDB, Aurora) through scaling plans.
  • supports target tracking, step scaling, and predictive scaling policies.

Storage

Amazon Simple Storage Service (S3)

  • is object storage with a simple web service interface to store and retrieve any amount of data from anywhere on the web.
  • S3 Features
    • Durable – designed for durability of 99.999999999% (11 nines) of objects. Data is redundantly stored across multiple facilities and multiple devices in each facility.
    • Available – designed for up to 99.99% availability (Standard) of objects over a given year.
    • Scalable – can store virtually unlimited data
    • Secure – supports encryption of data in transit (SSL/TLS) and at rest. Bucket policies, ACLs, and IAM can manage object permissions. S3 Block Public Access provides account-level settings to prevent unintended public access.
    • Storage Classes – multiple classes for different use cases:
      • S3 Standard – frequently accessed data
      • S3 Intelligent-Tiering – automatically moves data between access tiers based on usage patterns
      • S3 Standard-IA – infrequently accessed data
      • S3 One Zone-IA – infrequently accessed, single-AZ
      • S3 Glacier Instant Retrieval – archive with millisecond retrieval
      • S3 Glacier Flexible Retrieval (formerly Glacier) – archive with minutes to hours retrieval
      • S3 Glacier Deep Archive – lowest-cost archive with 12-48 hour retrieval
    • Lifecycle Policies – automatically transition data between storage classes

Amazon Elastic Block Store (EBS)

  • provides persistent block storage volumes for use with EC2 instances
  • offers the consistent and low-latency performance needed to run workloads.
  • allows scaling up or down within minutes
  • EBS Features
    • High Performance Volumes – Choose between SSD-backed (gp3, io2 Block Express) or HDD-backed (st1, sc1) volumes for performance needs.
    • Availability – designed for 99.999% availability, automatically replicates within its Availability Zone.
    • Encryption – provides seamless support for data-at-rest and data-in-transit between EC2 instances and EBS volumes.
    • Snapshots – create point-in-time snapshots backed up to S3 for long-term durability. Supports EBS Snapshots Archive for low-cost long-term retention.

Amazon Elastic File System (EFS)

  • provides simple, scalable, elastic file storage for use with AWS compute services and on-premises resources.
  • storage capacity is elastic, growing and shrinking automatically as files are added and removed.
  • works in shared mode, where multiple compute instances can access an EFS file system at the same time (NFS protocol).
  • can be mounted on on-premises servers via AWS Direct Connect or VPN.
  • is designed for high availability and durability across multiple AZs.
  • offers Standard and One Zone storage classes, each with Infrequent Access tiers.

Amazon FSx

  • provides fully managed third-party file systems with native compatibility for various workloads.
  • FSx for Windows File Server – fully managed Windows native file system with SMB protocol support, Active Directory integration.
  • FSx for Lustre – high-performance file system for compute-intensive workloads (ML, HPC, media processing).
  • FSx for NetApp ONTAP – fully managed NetApp ONTAP file system with multi-protocol access.
  • FSx for OpenZFS – fully managed OpenZFS file system for Linux workloads.

AWS Storage Gateway

  • seamlessly enables hybrid storage between on-premises storage environments and the AWS Cloud
  • combines a multi-protocol storage appliance with highly efficient network connectivity to AWS cloud storage services.
  • provides the following gateway types: S3 File Gateway, FSx File Gateway, Volume Gateway, and Tape Gateway.

AWS Backup

  • is a fully managed backup service that centralizes and automates the backup of data across AWS services.
  • supports EC2, EBS, RDS, DynamoDB, EFS, FSx, Storage Gateway, and more.
  • provides a central backup console, backup policies, and cross-Region/cross-account backup capabilities.

Databases

Amazon Aurora

  • is a MySQL- and PostgreSQL-compatible relational database engine
  • provides the speed and availability of high-end commercial databases with the simplicity and cost-effectiveness of open source databases.
  • Benefits
    • Highly Secure – provides network isolation using VPC, encryption at rest using KMS, and encryption of data in transit using SSL.
    • Highly Scalable – automatically grows storage as needed, up to 128 TB.
    • High Availability and Durability – designed for greater than 99.99% availability. Six copies of data replicated across three AZs. Instance failover typically requires less than 30 seconds.
    • Fully Managed – database management tasks like provisioning, patching, backup, recovery, and failover are automated.
    • Aurora Serverless v2 – automatically scales capacity up and down based on application demand, ideal for variable or unpredictable workloads.

Amazon Relational Database Service (RDS)

  • makes it easy to set up, operate, and scale a relational database
  • provides cost-efficient and resizable capacity while managing time-consuming database administration tasks
  • supports Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle, and Microsoft SQL Server
  • Benefits
    • Fast and Easy to Administer – no need for infrastructure provisioning or database software installation and maintenance.
    • Highly Scalable – allows quick scaling of compute and storage resources. Read Replicas available to offload read traffic.
    • Available and Durable – Multi-AZ deployments synchronously replicate data to a standby instance in a different AZ. Automated backups, snapshots, and automatic host replacement.
    • Secure – network isolation using VPC, encryption at rest with KMS, encryption in transit with SSL.
    • Inexpensive – pay low rates with On-Demand or Reserved Instance pricing.
    • RDS Proxy – a fully managed database proxy that makes applications more scalable and resilient to database failures.

Amazon DynamoDB

  • is a fully managed, serverless, key-value and document NoSQL database designed for single-digit millisecond performance at any scale.
  • supports both document and key-value data models.
  • Benefits
    • Fast, Consistent Performance – designed to deliver consistent, fast performance at any scale using SSD storage and automatic partitioning.
    • Highly Scalable – manages all scaling to achieve specified throughput capacity. Supports on-demand and provisioned capacity modes.
    • Event-Driven Programming – DynamoDB Streams and integration with Lambda enable applications that automatically react to data changes.
    • Global Tables – provides fully managed multi-Region, multi-active replication for globally distributed applications.
    • DAX (DynamoDB Accelerator) – in-memory caching for DynamoDB delivering microsecond read latency.

Amazon ElastiCache

  • is a web service that makes it easy to deploy, operate, and scale an in-memory cache in the cloud.
  • helps improve the performance of web applications by allowing retrieval from fast, managed, in-memory caches instead of slower disk-based databases.
  • supports two open-source in-memory caching engines: Redis (now Valkey-compatible) and Memcached.

Amazon MemoryDB

  • is a durable, Redis/Valkey-compatible, in-memory database service for ultra-fast performance.
  • delivers microsecond reads and single-digit millisecond writes with Multi-AZ durability.
  • can be used as a primary database for applications requiring both high performance and data durability.

Amazon DocumentDB

  • is a fully managed document database service that supports MongoDB workloads.
  • is designed for JSON data management at scale, with storage that scales automatically.

Amazon Neptune

  • is a fully managed graph database service for building applications that work with highly connected datasets.
  • supports Property Graph and RDF models with Apache TinkerPop Gremlin and SPARQL query languages.

Amazon Keyspaces

  • is a scalable, highly available, and fully managed Apache Cassandra-compatible database service.
  • is serverless – you pay only for the resources you use, and tables scale up and down automatically.

Migration

AWS Application Discovery Service

  • helps plan application migration projects by automatically identifying applications running in on-premises data centers, their associated dependencies, and performance profiles.
  • automatically collects configuration and usage data from servers, storage, and networking equipment.
  • information is retained in encrypted format and can be exported for use with visualization tools or cloud migration solutions.

AWS Database Migration Service (DMS)

  • helps migrate databases to AWS easily and securely
  • the source database remains fully operational during the migration, minimizing downtime.
  • supports homogeneous migrations (e.g., Oracle to Oracle) and heterogeneous migrations (e.g., Oracle to Aurora, SQL Server to MySQL).
  • allows streaming data to Redshift, S3, and other targets from supported sources.
  • can also be used for continuous data replication with high availability.
  • AWS Schema Conversion Tool (SCT) helps convert database schemas between different database engines.

AWS Application Migration Service (AWS MGN / AWS Transform MGN)

  • is the recommended service for lift-and-shift (rehost) migrations to AWS, replacing the deprecated AWS Server Migration Service.
  • automates the conversion of source servers (physical, virtual, or cloud) into native Amazon EC2 instances.
  • provides continuous block-level replication, short cutover windows, and automated testing.
  • Note: Previously called AWS Application Migration Service (MGN), now rebranded as AWS Transform MGN (June 2026).

AWS Snow Family

⚠️ Note: The AWS Snow Family is being wound down. As of November 2025, Snowball Edge devices are only available to existing customers. New customers should use AWS DataSync, AWS Data Transfer Terminal, or AWS Partner solutions.

  • AWS Snowball Edge (existing customers only) – a data transfer and edge computing device with on-board storage and compute capabilities. Can move large amounts of data and support local workloads.
  • AWS Snowmobile – Retired (March 2024). No longer available.
  • Migration Alternatives:
    • AWS DataSync – online data transfer service for automated transfer between on-premises and AWS storage.
    • AWS Data Transfer Terminal – secure physical location for transferring data to AWS.
    • AWS Transfer Family – fully managed SFTP, FTPS, FTP, and AS2 service for file transfers to S3 or EFS.

Networking and Content Delivery

Amazon Virtual Private Cloud (VPC)

  • helps provision a logically isolated section of the AWS Cloud where AWS resources can be launched in a virtual network that you define.
  • provides complete control over the virtual networking environment, including selection of IP address range, creation of subnets (public and private), and configuration of route tables and network gateways.
  • allows use of both IPv4 and IPv6 for secure and easy access to resources.
  • allows multiple layers of security, including security groups and network access control lists (NACLs).
  • allows creation of VPN connections between a corporate data center and the VPC.
  • VPC Peering enables private connectivity between VPCs. Transit Gateway provides a hub for connecting multiple VPCs and on-premises networks.

Amazon CloudFront

  • is a global content delivery network (CDN) service that accelerates delivery of websites, APIs, video content, or other web assets.
  • can deliver an entire website, including dynamic, static, streaming, and interactive content, using a global network of edge locations.
  • requests for content are automatically routed to the nearest edge location for best possible performance.
  • is optimized to work with S3, EC2, ELB, Route 53, and API Gateway as well as non-AWS origin servers.
  • supports edge functions via CloudFront Functions and Lambda@Edge for customizing content at the edge.

Amazon Route 53

  • is a highly available and scalable Domain Name System (DNS) web service.
  • connects user requests to infrastructure running in AWS or outside of AWS.
  • helps configure DNS health checks to route traffic to healthy endpoints.
  • allows traffic management globally through latency-based routing, Geo DNS, geoproximity, weighted round robin, multivalue answer, and IP-based routing – all combinable with DNS Failover.
  • supports IPv6 and offers a domain name registration service.

AWS Direct Connect

  • makes it easy to establish a dedicated network connection from on-premises to AWS.
  • helps establish private connectivity between AWS and a data center, office, or co-location environment.
  • helps increase bandwidth throughput, reduce network costs, and provide a more consistent network experience than Internet-based connections.

Elastic Load Balancing (ELB)

  • automatically distributes incoming application traffic across multiple targets (EC2 instances, containers, IP addresses, Lambda functions).
  • enables greater levels of fault tolerance by seamlessly providing the required amount of load balancing capacity.
  • offers four types of load balancers:
    • Application Load Balancer (ALB) – operates at Layer 7 (HTTP/HTTPS). Routes traffic based on content of the request. Ideal for microservices, container-based architectures, and advanced routing needs.
    • Network Load Balancer (NLB) – operates at Layer 4 (TCP/UDP/TLS). Handles millions of requests per second with ultra-low latency. Ideal for TCP/UDP traffic and extreme performance requirements.
    • Gateway Load Balancer (GWLB) – operates at Layer 3 (IP). Makes it easy to deploy, scale, and manage third-party virtual appliances (firewalls, IDS/IPS). Combines transparent network gateway with load balancing.
    • Classic Load Balancer (CLB) – previous generation, operates at both Layer 4 and Layer 7. Recommended to migrate to ALB or NLB.

AWS Global Accelerator

  • is a networking service that improves the availability and performance of applications by using the AWS global network.
  • provides two static anycast IP addresses that serve as a fixed entry point to applications hosted in one or more AWS Regions.
  • continuously monitors endpoints and instantly routes traffic to the closest healthy endpoint.

AWS PrivateLink

  • provides private connectivity between VPCs, AWS services, and on-premises applications without exposing traffic to the public internet.
  • simplifies security of data shared between cloud-based applications and on-premises services.

Management and Governance

Amazon CloudWatch

  • is a monitoring and observability service for AWS Cloud resources and the applications running on AWS.
  • can collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in AWS resources.
  • provides CloudWatch Logs, Metrics, Alarms, Dashboards, and Events (now EventBridge) for comprehensive monitoring.
  • supports custom metrics, anomaly detection, and cross-account observability.

AWS CloudFormation

  • allows developers and systems administrators to implement “Infrastructure as Code”
  • provides an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.
  • handles the order for provisioning AWS services and the subtleties of making those dependencies work.
  • allows applying version control to AWS infrastructure the same way it’s done with software.
  • AWS CDK (Cloud Development Kit) allows defining infrastructure using familiar programming languages (TypeScript, Python, Java, etc.) that synthesize to CloudFormation templates.

AWS CloudTrail

  • records AWS API calls for the account and delivers log files.
  • includes API calls made via the Console, CLI, SDKs, and higher-level AWS services.
  • recorded information includes the identity of the API caller, time, source IP address, request parameters, and response elements.
  • enables security analysis, resource change tracking, compliance auditing, and operational troubleshooting.
  • supports CloudTrail Lake for SQL-based querying and long-term retention of events.
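The fields listed above (caller identity, time, source IP, request parameters, response elements) are what a security analysis of CloudTrail logs is built on. The following is an added example, not code from the original post: it parses a constructed CloudTrail log file body and flags records that match three illustrative checks. The check list, the `ALLOWED_NETWORKS` value and the sample records are assumptions made for this example.

```python
"""Security analysis over CloudTrail records (added example, not from the page).

The records are constructed for illustration and follow the CloudTrail record
layout (userIdentity, eventTime, eventSource, eventName, sourceIPAddress,
requestParameters, responseElements) that the text describes.
"""
import ipaddress
import json
from typing import Any

# Assumption for the example: the organization's known egress range.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# CloudTrail's own API names that disable or weaken the audit trail.
TRAIL_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample log body: one "Records" array, the shape CloudTrail delivers to S3.
SAMPLE_LOG = json.dumps({"Records": [
    {   # routine call from a known network: not flagged
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {}, "responseElements": None,
    },
    {   # root account used for an API call
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root"},
        "requestParameters": {"userName": "temp-admin"},
        "responseElements": {"user": {"userName": "temp-admin"}},
    },
    {   # trail logging switched off from an address outside the allowed range
        "eventTime": "2024-05-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": {"name": "management-trail"}, "responseElements": None,
    },
    {   # call made by an AWS service on the account's behalf: source is a DNS name
        "eventTime": "2024-05-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "lambda.amazonaws.com",
        "userIdentity": {"type": "AssumedRole", "userName": "lambda-role"},
        "requestParameters": {"bucketName": "example-bucket"}, "responseElements": None,
    },
]})


def principal_of(event: dict[str, Any]) -> str:
    """Summarize the caller from the userIdentity element."""
    identity = event.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def source_is_unexpected(source: str) -> bool:
    """True when sourceIPAddress is an IP address outside ALLOWED_NETWORKS.

    When an AWS service makes the call on your behalf, CloudTrail records a
    service DNS name (or "AWS Internal") instead of an IP, so non-IP values
    are skipped rather than treated as unknown addresses.
    """
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not any(addr in net for net in ALLOWED_NETWORKS)


def analyze_event(event: dict[str, Any]) -> list[dict[str, Any]]:
    """Return one finding per illustrative check that the record matches."""
    reasons = []
    if event.get("userIdentity", {}).get("type") == "Root":
        reasons.append("root-api-call")
    if (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in TRAIL_TAMPERING_EVENTS):
        reasons.append("cloudtrail-tampering")
    if source_is_unexpected(event.get("sourceIPAddress", "")):
        reasons.append("source-ip-outside-allowed-networks")
    return [{
        "eventTime": event.get("eventTime"),
        "eventName": event.get("eventName"),
        "principal": principal_of(event),
        "sourceIPAddress": event.get("sourceIPAddress"),
        "requestParameters": event.get("requestParameters"),
        "reason": reason,
    } for reason in reasons]


def analyze_cloudtrail(log_text: str) -> list[dict[str, Any]]:
    """Parse a CloudTrail log file body and collect findings across all records."""
    findings: list[dict[str, Any]] = []
    for event in json.loads(log_text).get("Records", []):
        findings.extend(analyze_event(event))
    return findings


if __name__ == "__main__":
    for finding in analyze_cloudtrail(SAMPLE_LOG):
        print(f"{finding['eventTime']} {finding['reason']:<36} "
              f"{finding['principal']} {finding['eventName']} from {finding['sourceIPAddress']}")
```

In practice the same function would run over the gzipped files CloudTrail delivers to S3 or over CloudTrail Lake query results, and findings would be forwarded to Security Hub or an alerting channel rather than printed.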

AWS Config

  • provides an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.
  • provides the Config Rules feature, which enables creation of rules that automatically check the configuration of AWS resources.
  • helps discover existing and deleted AWS resources, determine overall compliance against rules, and dive into configuration details at any point in time.
  • supports Conformance Packs for packaging multiple Config Rules and remediation actions together.

AWS Systems Manager

  • provides a unified user interface to view operational data from multiple AWS services and automate operational tasks across AWS resources.
  • includes capabilities for patch management, configuration management, session management, parameter store, and run command.
  • helps maintain security and compliance by scanning managed instances for patch compliance and configuration inconsistencies.

AWS Service Catalog

  • allows organizations to create and manage catalogs of IT services approved for use on AWS.
  • helps centrally manage commonly deployed IT services and helps achieve consistent governance and compliance requirements.

AWS Trusted Advisor

  • is an online resource that inspects your AWS environment and provides recommendations across five categories: cost optimization, performance, security, fault tolerance, and service limits.
  • provides real-time guidance to help provision resources following AWS best practices.

AWS Health Dashboard

  • provides alerts and remediation guidance when AWS is experiencing events that might affect you (formerly Personal Health Dashboard).
  • displays relevant information to help manage events in progress and provides proactive notification for scheduled activities.
  • provides a personalized view into the performance and availability of AWS services underlying your resources.

AWS Control Tower

  • provides the easiest way to set up and govern a secure, multi-account AWS environment (landing zone).
  • establishes a well-architected multi-account baseline with guardrails (preventive and detective) for governance.
  • automates account provisioning and applies best practices for identity management, federated access, and logging.

Developer Tools

AWS CodeCommit

  • is a fully managed source control service that hosts secure and highly scalable private Git repositories.
  • ⚠️ Note: CodeCommit is no longer available to new customers (July 2024). Existing customers can continue using it. Consider GitHub, GitLab, or Bitbucket as alternatives.

AWS CodeBuild

  • is a fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy.
  • scales continuously and processes multiple builds concurrently.

AWS CodeDeploy

  • is a service that automates code deployments to any instance, including EC2 instances, Lambda functions, ECS services, and on-premises servers.
  • helps rapidly release new features, avoid downtime during deployment, and handle the complexity of updating applications.

AWS CodePipeline

  • is a continuous integration and continuous delivery (CI/CD) service for fast and reliable application and infrastructure updates.
  • builds, tests, and deploys code every time there is a code change, based on defined release process models.

AWS X-Ray

  • helps developers analyze and debug distributed applications in production, such as those built using microservices architectures.
  • provides an end-to-end view of requests as they travel through the application, and shows a map of its underlying components.
  • helps identify and troubleshoot the root cause of performance issues and errors.

Amazon Q Developer

  • is a generative AI-powered assistant for software development (formerly Amazon CodeWhisperer).
  • provides AI-powered code suggestions, security scanning, code transformation, and natural language chat for development tasks.
  • supports multiple IDEs and programming languages.

Messaging and Application Integration

Amazon SQS

  • is a fast, reliable, scalable, fully managed message queuing service.
  • makes it simple and cost-effective to decouple the components of a cloud application.
  • includes Standard queues with high throughput and at-least-once processing, and FIFO queues with exactly-once processing and ordered delivery.

Amazon SNS

  • is a fast, flexible, fully managed pub/sub messaging and mobile notification service.
  • can send notifications to Apple, Google, Windows, and other mobile platforms, email, SMS, HTTP endpoints, SQS queues, and Lambda functions.
  • supports message filtering, FIFO topics, and message archiving.

Amazon SES

  • is a cost-effective, scalable email service for sending transactional email, marketing messages, or any other type of high-quality content.
  • can also receive messages and deliver them to S3, trigger Lambda functions, or publish to SNS.

Amazon EventBridge

  • is a serverless event bus that makes it easy to connect applications using data from your own apps, SaaS apps, and AWS services.
  • delivers a stream of real-time data from event sources and routes that data to targets like Lambda, Step Functions, SQS, and more.
  • replaces CloudWatch Events with additional capabilities including schema registry and third-party integrations.

AWS Step Functions

  • makes it easy to coordinate the components of distributed applications and microservices using visual workflows.
  • automatically triggers and tracks each step, and retries when there are errors.
  • supports Standard Workflows (long-running) and Express Workflows (high-volume, short-duration).

Amazon API Gateway

  • is a fully managed service for creating, publishing, maintaining, monitoring, and securing APIs at any scale.
  • handles traffic management, authorization, access control, monitoring, and API version management.
  • supports REST APIs, HTTP APIs, and WebSocket APIs.

Analytics

Amazon Athena

  • is an interactive query service that helps analyze data in S3 using standard SQL.
  • is serverless – no infrastructure to manage, pay only for queries run.
  • supports querying data in multiple formats including CSV, JSON, ORC, Avro, and Parquet.
  • integrates with AWS Glue Data Catalog for schema management.

Amazon EMR

  • provides a managed big data platform that makes it easy, fast, and cost-effective to process vast amounts of data.
  • supports Apache Spark, Hive, HBase, Presto, Flink, and other popular frameworks.
  • can run on EC2, EKS, or serverlessly with EMR Serverless.
  • handles big data use cases including log analysis, ETL, machine learning, and scientific simulation.

Amazon OpenSearch Service

  • makes it easy to deploy, operate, and scale OpenSearch (and legacy Elasticsearch) for log analytics, full-text search, application monitoring, and more.
  • Note: Renamed from Amazon Elasticsearch Service in September 2021.
  • is a fully managed service delivering real-time search and analytics capabilities along with availability, scalability, and security for production workloads.
  • supports OpenSearch Dashboards (successor to Kibana) for data visualization.

Amazon Kinesis

  • is a platform for streaming data on AWS, offering services to collect, process, and analyze real-time streaming data.
  • offers:
    • Amazon Kinesis Data Streams – enables building custom applications that process or analyze streaming data for specialized needs.
    • Amazon Data Firehose (formerly Kinesis Data Firehose) – easiest way to capture, transform, and load streaming data into S3, Redshift, OpenSearch, and third-party services like Splunk and Snowflake.
    • Amazon Managed Service for Apache Flink (formerly Kinesis Data Analytics) – process and analyze streaming data in real time using Apache Flink.
    • Amazon Kinesis Video Streams – capture, process, and store video streams for analytics and machine learning.

Amazon Redshift

  • provides a fast, fully managed, petabyte-scale cloud data warehouse.
  • uses massively parallel processing (MPP) architecture, parallelizing and distributing SQL operations across nodes.
  • supports Redshift Serverless for running analytics without managing infrastructure.
  • provides Redshift Spectrum to query data directly in S3 without loading it.

Amazon QuickSight

  • is a fast, cloud-powered business intelligence (BI) service for building visualizations, performing ad-hoc analysis, and getting business insights from data.
  • supports ML-powered insights with Amazon Q in QuickSight for natural language querying.

AWS Glue

  • is a serverless data integration service that makes it easy to discover, prepare, move, and integrate data from multiple sources.
  • provides the Glue Data Catalog as a central metadata repository.
  • simplifies and automates data discovery, ETL job authoring, and job scheduling.
  • scales automatically and provisions resources as needed.

AWS Lake Formation

  • makes it easy to set up a secure data lake in days instead of months.
  • provides centralized governance and security for data lake access using fine-grained permissions.

Machine Learning and Artificial Intelligence

Amazon Bedrock

  • is a fully managed service offering access to leading foundation models (FMs) from AI companies (Anthropic, Meta, Mistral, Amazon, and others) through a single API.
  • provides capabilities to build generative AI applications with security, privacy, and responsible AI features.
  • supports use cases like text generation, summarization, image generation, chatbots, and AI agents.
  • offers Bedrock Agents for building autonomous AI agents and Bedrock Knowledge Bases for RAG (Retrieval Augmented Generation).

Amazon SageMaker

  • is a fully managed machine learning service to build, train, and deploy ML models at scale.
  • provides SageMaker Studio as a unified IDE for ML development.
  • supports the entire ML workflow: data preparation, model building, training, tuning, and deployment.
  • includes built-in algorithms, pre-built ML frameworks, and AutoML capabilities.

Amazon Rekognition

  • makes it easy to add image and video analysis to applications using deep learning technology.
  • can identify objects, people, text, scenes, and activities, and detect inappropriate content.

Amazon Comprehend

  • is a natural language processing (NLP) service that uses machine learning to find insights and relationships in text.
  • can identify the language, extract key phrases, sentiment, entities, and topics.

Amazon Lex

  • is a service for building conversational interfaces using voice and text (same technology that powers Alexa).
  • provides automatic speech recognition (ASR) and natural language understanding (NLU).

Amazon Polly

  • is a text-to-speech service that turns text into lifelike speech using deep learning.
  • supports multiple languages and provides a variety of natural-sounding voices.

Amazon Transcribe

  • is an automatic speech recognition (ASR) service that converts speech to text.
  • supports real-time transcription and batch transcription of audio files.

Amazon Translate

  • is a neural machine translation service for fast, high-quality language translation.
  • supports translation between supported languages for applications and content.

Cloud Financial Management

AWS Cost Explorer

  • provides an easy-to-use interface to visualize, understand, and manage AWS costs and usage over time.
  • offers forecasting, savings recommendations, and detailed filtering/grouping of cost data.

AWS Budgets

  • allows setting custom budgets that alert when costs or usage exceed (or are forecasted to exceed) the budgeted amount.
  • supports cost, usage, reservation, and savings plans budgets.

AWS Pricing Calculator

  • helps estimate the cost of using AWS services before deployment.
  • allows creating cost estimates for various architectures and configurations.

Deprecated Services (Historical Reference)

The following services mentioned in the original AWS Overview Whitepaper have been deprecated or discontinued. They are listed here for reference and certification context.

  • Amazon Cloud Directory – No longer open to new customers (November 2025). Alternatives: DynamoDB, Neptune.
  • AWS OpsWorks – Reached End of Life on May 26, 2024. Disabled for all customers. Alternatives: AWS Systems Manager, CloudFormation, CodeDeploy.
  • Amazon Elastic Transcoder – Discontinued November 13, 2025. Replaced by AWS Elemental MediaConvert.
  • AWS Server Migration Service (SMS) – Deprecated. Replaced by AWS Application Migration Service (MGN / Transform MGN).
  • AWS Data Pipeline – No longer available to new customers (July 2024). Alternatives: AWS Glue, Step Functions, Amazon MWAA (Managed Workflows for Apache Airflow).
  • Amazon SWF (Simple Workflow Service) – Still operational but superseded by AWS Step Functions for new workloads.
  • AWS Snowmobile – Retired March 2024. No longer available.
  • Amazon CodeCatalyst – No longer open to new customers (November 2025).

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Which AWS services belong to the Compute services? Choose 2 answers
    1. Lambda
    2. EC2
    3. S3
    4. EMR
    5. CloudFront
  2. Which AWS service provides low cost storage option for archival and long-term backup?
    1. S3 Glacier
    2. S3 Standard
    3. EBS
    4. CloudFront
  3. Which AWS services belong to the Storage services? Choose 2 answers
    1. EFS
    2. IAM
    3. EMR
    4. S3
    5. CloudFront
  4. A Company allows users to upload videos on its platform. They want to convert the videos to multiple formats supported on multiple devices and platforms. Which AWS service can they leverage for the requirement?
    1. AWS SWF
    2. AWS Video Converter
    3. AWS Elemental MediaConvert
    4. AWS Data Pipeline
  5. Which analytic service helps analyze data in S3 using standard SQL?
    1. Athena
    2. EMR
    3. OpenSearch
    4. Kinesis
  6. What features does AWS’s Route 53 service provide? Choose the 2 correct answers:
    1. Content Caching
    2. Domain Name System (DNS) service
    3. Database Management
    4. Domain Registration
  7. You are trying to organize and import (to AWS) gigabytes of data that are currently structured in JSON-like, name-value documents. What AWS service would best fit your needs?
    1. Lambda
    2. DynamoDB
    3. RDS
    4. Aurora
  8. What AWS database is primarily used to analyze data using standard SQL formatting with compatibility for your existing business intelligence tools? Choose the correct answer:
    1. Redshift
    2. RDS
    3. DynamoDB
    4. ElastiCache
  9. A company wants their application to use pre-configured machine image with software installed and configured. Which AWS feature can help for the same?
    1. Amazon Machine Image (AMI)
    2. AWS CloudFormation
    3. AWS Lambda
    4. AWS Lightsail
  10. What AWS service can be used to track API event calls for security analysis and resource change tracking?
    1. AWS CloudWatch
    2. AWS CloudFormation
    3. AWS CloudTrail
    4. AWS Systems Manager
  11. Which AWS service can help offload the read traffic from your database in order to reduce latency caused by read-heavy workload?
    1. ElastiCache
    2. DynamoDB
    3. S3
    4. EFS
  12. What service allows system administrators to run “Infrastructure as Code”?
    1. CloudFormation
    2. CloudWatch
    3. CloudTrail
    4. CodeDeploy
  13. Which AWS service is a fully managed container orchestration service?
    1. EC2
    2. Amazon ECS
    3. AWS Lambda
    4. Amazon S3
  14. A company wants to run containers without managing servers or clusters. Which AWS service should they use?
    1. Amazon EC2
    2. Amazon EKS on EC2
    3. AWS Fargate
    4. AWS Batch
  15. Which AWS service provides a fully managed generative AI service with access to foundation models?
    1. Amazon SageMaker
    2. Amazon Bedrock
    3. Amazon Comprehend
    4. Amazon Rekognition
  16. Which Elastic Load Balancer type operates at Layer 4 and is best suited for ultra-low latency TCP/UDP traffic?
    1. Application Load Balancer
    2. Network Load Balancer
    3. Gateway Load Balancer
    4. Classic Load Balancer
  17. Which AWS service provides centralized threat detection by continuously monitoring AWS accounts and workloads for malicious activity?
    1. AWS WAF
    2. Amazon Inspector
    3. Amazon GuardDuty
    4. AWS Shield
  18. A company wants to save costs on EC2 by committing to a consistent usage amount ($/hour) for 1-3 years with flexibility across instance families, regions, and services. What should they use?
    1. Reserved Instances
    2. Spot Instances
    3. Compute Savings Plans
    4. Dedicated Hosts

Architecting for the Cloud – AWS Best Practices – Whitepaper – Certification

Architecting for the Cloud – AWS Best Practices

📋 Important Note: Whitepaper Superseded

The original “Architecting for the Cloud: AWS Best Practices” whitepaper (last updated October 2018) has been superseded by the AWS Well-Architected Framework.

The Well-Architected Framework is now organized into six pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability (added in 2021). It receives continuous updates — most recently in November 2024 and April 2025.

This post is maintained for certification study purposes as the core architectural principles remain relevant.

The Architecting for the Cloud – AWS Best Practices whitepaper provides architectural patterns and advice on how to design systems that are secure, reliable, high performing, and cost efficient.

AWS Design Principles

Scalability

  • While AWS provides virtually unlimited on-demand capacity, the architecture should be designed to take advantage of those resources
  • There are two ways to scale an IT architecture
    • Vertical Scaling
      • takes place by increasing the specifications of an individual resource, e.g. changing an EC2 instance type to one with more RAM, CPU, IOPS, or networking capability
      • will eventually hit a limit, and is not always a cost-effective or highly available approach
      • AWS Graviton-based instances (Graviton4 as of 2024) offer up to 40% better price-performance, making vertical scaling more cost-effective
    • Horizontal Scaling
      • takes place by increasing the number of resources, e.g. adding more EC2 instances or EBS volumes
      • helps leverage the elasticity of cloud computing
      • not all architectures can be designed to distribute their workload across multiple resources
      • applications should be designed to be stateless,
        • i.e. they need no knowledge of previous interactions and store no session information
        • so that capacity can be increased and decreased once running tasks have been drained
      • State, if needed, can be implemented using
        • a low-latency external store, e.g. DynamoDB or ElastiCache (Redis or Memcached), to maintain state information
        • Session affinity, e.g. ELB sticky sessions, to bind all the transactions of a session to a specific compute resource. However, affinity cannot be guaranteed, and existing sessions do not take advantage of newly added resources
      • Load can be distributed across multiple resources using
        • a Push model, e.g. through ELB, which distributes the load across multiple EC2 instances
        • a Pull model, e.g. through SQS or Kinesis, where multiple consumers subscribe and consume
      • Distributed processing, e.g. using EMR or Kinesis, helps process large amounts of data by dividing a task and its data into many small fragments of work

Disposable Resources Instead of Fixed Servers

  • Resources need to be treated as temporary, disposable resources rather than the fixed, permanent servers of traditional on-premises environments
  • AWS focuses on the concept of Immutable infrastructure
    • a server, once launched, is never updated throughout its lifetime
    • updates are performed by launching a new server with the latest configuration
    • this ensures resources are always in a consistent (and tested) state and makes rollbacks easier
  • AWS provides multiple ways to instantiate compute resources in an automated and repeatable way
    • Bootstrapping
      • scripts to configure and set up resources, e.g. using EC2 user data scripts and cloud-init to install software or copy resources and code
    • Golden Images
      • a snapshot of a particular state of that resource
      • gives faster start times and removes dependencies on configuration services or third-party repositories
      • EC2 Image Builder can automate creation, testing, and distribution of golden AMIs
    • Containers
      • AWS supports container workloads through Amazon ECS, Amazon EKS, and AWS Fargate (serverless containers)
      • Docker allows packaging a piece of software in a Docker Image, which is a standardized unit for software development, containing everything the software needs to run: code, runtime, system tools, system libraries, etc
      • AWS Fargate provides serverless compute for containers, eliminating the need to manage underlying EC2 instances
  • Infrastructure as Code
    • since AWS assets are programmable, techniques, practices, and tools from software development can be applied to make the whole infrastructure reusable, maintainable, extensible, and testable.
    • AWS provides services for IaC deployment:
      • AWS CloudFormation – declarative JSON/YAML templates for provisioning AWS resources
      • AWS CDK (Cloud Development Kit) – define infrastructure using familiar programming languages (TypeScript, Python, Java, Go, C#) that synthesize to CloudFormation
      • AWS SAM (Serverless Application Model) – simplified CloudFormation for serverless applications
    • Note: AWS OpsWorks reached End of Life on May 26, 2024 and is no longer available. Use AWS Systems Manager, CloudFormation, or CDK as alternatives.
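One consequence of the "testable" claim in the Infrastructure as Code bullet is that a template can be checked for security defects before it is ever deployed. As an added example (constructed for this page; not code from the whitepaper or from any AWS tool such as cfn-lint), here is a small linter over a CloudFormation template held as a Python dict (a real template would be loaded from YAML or JSON first). The resource types and property names (`BucketEncryption`, `PublicAccessBlockConfiguration`, `VersioningConfiguration`, `StorageEncrypted`, `PubliclyAccessible`) are genuine CloudFormation properties; the template contents and the finding ids are made up for the example.

```python
import json

# Constructed CloudFormation template with one well-configured bucket, one bare bucket
# and a database instance that is reachable from the internet. Logical names are made up.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
                "VersioningConfiguration": {"Status": "Enabled"},
            },
        },
        "ScratchBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "AppDb": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t3.micro",
                           "AllocatedStorage": "20", "PubliclyAccessible": True},
        },
    },
}

PAB_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def check_s3_bucket(name, props):
    """Findings for an AWS::S3::Bucket: (logical name, finding id, message)."""
    findings = []
    if not props.get("BucketEncryption"):
        findings.append((name, "S3-1", "BucketEncryption not declared; encryption is left to "
                                       "account defaults instead of being enforced by the template"))
    pab = props.get("PublicAccessBlockConfiguration") or {}
    if not all(pab.get(flag) is True for flag in PAB_FLAGS):
        findings.append((name, "S3-2", "PublicAccessBlockConfiguration missing or not fully enabled"))
    if (props.get("VersioningConfiguration") or {}).get("Status") != "Enabled":
        findings.append((name, "S3-3", "versioning not enabled (no protection against overwrite/delete)"))
    return findings


def check_rds_instance(name, props):
    """Findings for an AWS::RDS::DBInstance."""
    findings = []
    if props.get("StorageEncrypted") is not True:
        findings.append((name, "RDS-1", "StorageEncrypted is not true"))
    if props.get("PubliclyAccessible") is True:
        findings.append((name, "RDS-2", "PubliclyAccessible is true"))
    return findings


CHECKS = {
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::RDS::DBInstance": check_rds_instance,
}


def lint_template(template):
    """Run every applicable check over the Resources section and return all findings."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(name, resource.get("Properties") or {}))
    return findings


if __name__ == "__main__":
    for name, finding_id, message in lint_template(TEMPLATE):
        print(f"{finding_id:6} {name:14} {message}")
    print(json.dumps({"findings": len(lint_template(TEMPLATE))}))
```

A check like this belongs in the CodeBuild stage of the pipeline that deploys the template, so a template that reintroduces a public database never reaches CloudFormation; the same properties are what AWS Config evaluates after deployment, which is why the two controls are complementary rather than redundant.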

Automation

  • AWS provides various automation tools and services which help improve a system’s stability, efficiency and time to market.
    • Elastic Beanstalk
      • a PaaS that allows quick application deployment while handling resource provisioning, load balancing, auto scaling, monitoring etc
    • EC2 Auto Recovery
      • creates a CloudWatch alarm that monitors an EC2 instance and automatically recovers it if it becomes impaired.
      • A recovered instance is identical to the original instance, including the instance ID, private & Elastic IP addresses, and all instance metadata.
      • The instance is migrated through a reboot, so in-memory contents are lost.
    • Auto Scaling
      • allows maintaining application availability and scaling capacity up or down automatically as per defined conditions
      • supports predictive scaling that uses machine learning to forecast traffic and proactively scale capacity
    • CloudWatch Alarms
      • allow SNS notifications to be triggered when a particular metric goes beyond a specified threshold for a specified number of periods
    • Amazon EventBridge (formerly CloudWatch Events)
      • delivers a real-time stream of system events that describe changes in AWS resources
      • extends capabilities with partner event sources, Schema Registry, and EventBridge Pipes for point-to-point integrations
      • EventBridge Scheduler supports one-time and recurring schedules with built-in retry policies
    • AWS Systems Manager
      • provides operational management for AWS resources including patch management, configuration compliance, and automated runbooks
      • replaces the need for OpsWorks with features like State Manager, Automation, and Run Command
    • Lambda Scheduled Events
      • allows creating a Lambda function and directing AWS Lambda to execute it on a regular schedule via EventBridge Scheduler.

Loose Coupling

  • AWS helps build loosely coupled architectures that reduce interdependencies, so that a change or failure in one component does not cascade to other components
    • Asynchronous Integration
      • does not involve direct point-to-point interaction but usually goes through an intermediate durable storage layer, e.g. SQS, Kinesis, EventBridge
      • decouples the components and introduces additional resiliency
      • suitable for any interaction that doesn’t need an immediate response, where an acknowledgement that the request has been registered will suffice
    • Service Discovery
      • allows new resources to be launched or terminated at any point in time and still be discovered, e.g. using ELB as a single point of contact that hides the underlying instance details, or Route 53 zones to abstract the load balancer’s endpoint
      • AWS Cloud Map provides service discovery for cloud resources, allowing applications to discover services via API calls, DNS queries, or directly through the SDK
    • Well-Defined Interfaces
      • allows various components to interact with each other through specific, technology agnostic interfaces for e.g. RESTful APIs with API Gateway
      • Amazon API Gateway supports REST APIs, HTTP APIs, and WebSocket APIs for real-time communication
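The Asynchronous Integration bullets above and the Amazon SQS description earlier on this page (standard queues are at-least-once) share one practical consequence that neither spells out: a consumer behind a durable queue will sometimes see the same message twice, so the work it does must be idempotent. The following simulation is an added example written for this page (not SQS itself or any AWS sample): an in-memory queue with a visibility timeout, a worker that does its work but crashes before deleting the message on every first delivery, and two consumers, one naive and one idempotent. The order messages are constructed sample data.

```python
import itertools

# Constructed sample messages (order events) for the simulation below.
ORDERS = [
    {"order_id": "ord-1001", "amount": 25.00},
    {"order_id": "ord-1002", "amount": 80.50},
    {"order_id": "ord-1003", "amount": 12.25},
]


class StandardQueue:
    """In-memory stand-in for an SQS standard queue: at-least-once delivery with a
    visibility timeout. A message that is received but not deleted before the timeout
    expires becomes visible again and is redelivered. Time is a logical clock."""

    def __init__(self, visibility_timeout=30):
        self.visibility_timeout = visibility_timeout
        self.now = 0
        self._ids = itertools.count(1)
        self._messages = {}   # message id -> {"body", "visible_at", "receive_count"}

    def send(self, body):
        mid = f"msg-{next(self._ids)}"
        self._messages[mid] = {"body": body, "visible_at": 0, "receive_count": 0}
        return mid

    def receive(self):
        """Return (id, body, receive_count) for the first visible message, or None."""
        for mid, msg in self._messages.items():
            if msg["visible_at"] <= self.now:
                msg["visible_at"] = self.now + self.visibility_timeout
                msg["receive_count"] += 1
                return mid, msg["body"], msg["receive_count"]
        return None

    def delete(self, mid):
        self._messages.pop(mid, None)

    def advance(self, seconds):
        self.now += seconds

    def __len__(self):
        return len(self._messages)


class NaiveConsumer:
    """Applies the side effect on every delivery, so a redelivered order is charged twice."""
    def __init__(self):
        self.charges = []

    def handle(self, body):
        self.charges.append((body["order_id"], body["amount"]))


class IdempotentConsumer:
    """Remembers which keys it has already applied. In production the `seen` set must be a
    durable store shared by all workers (for example a DynamoDB conditional put keyed on
    order_id), not process memory, because a crashed worker loses its memory."""
    def __init__(self):
        self.charges = []
        self.seen = set()

    def handle(self, body):
        key = body["order_id"]
        if key in self.seen:
            return                      # duplicate delivery: work already done, just ack
        self.seen.add(key)
        self.charges.append((key, body["amount"]))


def drain(queue, consumer, crash_after_first_attempt=True):
    """Drive the queue until it is empty. Simulates a worker that does the work but crashes
    before calling delete on the first delivery of every message (the at-least-once case)."""
    while len(queue):
        received = queue.receive()
        if received is None:
            queue.advance(queue.visibility_timeout)   # wait for in-flight messages to reappear
            continue
        mid, body, count = received
        consumer.handle(body)
        if count == 1 and crash_after_first_attempt:
            continue                    # crashed before delete: message will be redelivered
        queue.delete(mid)


def run_scenario(consumer):
    """Send the sample orders, drain the queue with the given consumer, return its charges."""
    queue = StandardQueue()
    for order in ORDERS:
        queue.send(order)
    drain(queue, consumer)
    return consumer.charges


if __name__ == "__main__":
    print("naive:      ", run_scenario(NaiveConsumer()))
    print("idempotent: ", run_scenario(IdempotentConsumer()))
```

The naive consumer charges every order twice; the idempotent one charges each once and still acknowledges the duplicate. FIFO queues with content-based deduplication remove duplicates within their 5-minute deduplication window, but a consumer that crashes after the side effect and before the delete still gets the message again, so the idempotency key is what protects the downstream system in either queue type.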

Services, Not Servers

  • AWS encourages leveraging managed services and serverless architectures to reduce operational overhead
    • Serverless compute – AWS Lambda for event-driven functions, AWS Fargate for serverless containers
    • Managed databases – Amazon RDS, DynamoDB, Aurora Serverless for auto-scaling relational databases
    • Application integration – SQS, SNS, EventBridge, Step Functions for workflow orchestration
    • API management – API Gateway for creating, publishing, and managing APIs at scale

Databases

  • AWS provides different categories of database technologies
    • Relational Databases (RDS)
      • normalize data into well-defined tabular structures known as tables, which consist of rows and columns
      • provide a powerful query language, flexible indexing capabilities, strong integrity controls, and the ability to combine data from multiple tables in a fast and efficient manner
      • allow vertical scalability by increasing resources, and horizontal scalability using Read Replicas for read capacity and sharding or data partitioning for write capacity
      • provide High Availability using Multi-AZ deployment, where data is synchronously replicated
      • Amazon Aurora provides MySQL and PostgreSQL-compatible databases with up to 5x and 3x better throughput respectively, with automatic storage scaling up to 128 TB
      • Aurora Serverless v2 scales capacity automatically based on application demand, ideal for variable workloads
    • NoSQL Databases (DynamoDB)
      • provides databases that trade some of the query and transaction capabilities of relational databases for a more flexible data model that seamlessly scales horizontally
      • perform data partitioning and replication to scale both the reads and writes in a horizontal fashion
      • DynamoDB service synchronously replicates data across three facilities in an AWS region to provide fault tolerance in the event of a server failure or Availability Zone disruption
      • DynamoDB Global Tables provide multi-region, active-active replication for globally distributed applications
      • DynamoDB On-Demand mode eliminates capacity planning by automatically scaling to accommodate workloads
    • Data Warehouse (Redshift)
      • Specialized type of relational database, optimized for analysis and reporting of large amounts of data
      • Redshift achieves efficient storage and optimum query performance through a combination of massively parallel processing (MPP), columnar data storage, and targeted data compression encoding schemes
      • Redshift MPP architecture enables increasing performance by increasing the number of nodes in the data warehouse cluster
      • Redshift Serverless automatically provisions and scales capacity, allowing analytics without cluster management
    • Purpose-Built Databases
      • Amazon ElastiCache – in-memory caching (Redis, Memcached) for sub-millisecond latency
      • Amazon Neptune – graph database for highly connected datasets
      • Amazon Timestream – time series database for IoT and operational applications
      • Amazon MemoryDB for Redis – Redis-compatible, durable, in-memory database
  • For more details refer to AWS Storage Options Whitepaper

Removing Single Points of Failure

  • AWS provides ways to implement redundancy, automate recovery and reduce disruption at every layer of the architecture
  • AWS supports redundancy in the following ways
    • Standby Redundancy
      • When a resource fails, functionality is recovered on a secondary resource using a process called failover.
      • Failover will typically require some time before it completes, and during that period the resource remains unavailable.
      • Secondary resource can either be launched automatically only when needed (to reduce cost), or it can be already running idle (to accelerate failover and minimize disruption).
      • Standby redundancy is often used for stateful components such as relational databases.
    • Active Redundancy
      • requests are distributed to multiple redundant compute resources; if one fails, the rest simply absorb a larger share of the workload.
      • Compared to standby redundancy, it can achieve better utilization and affects a smaller population when there is a failure.
  • AWS supports replication
    • Synchronous replication
      • acknowledges a transaction after it has been durably stored in both the primary location and its replicas.
      • protects data integrity in the event of a primary node failure
      • used to scale read capacity for queries that require the most up-to-date data (strong consistency).
      • trades off performance and availability, since every write must wait for the replicas to acknowledge it
    • Asynchronous replication
      • decouples the primary node from its replicas at the expense of introducing replication lag
      • used to horizontally scale the system’s read capacity for queries that can tolerate that replication lag.
    • Quorum-based replication
      • combines synchronous and asynchronous replication to overcome the challenges of large-scale distributed database systems
      • Replication to multiple nodes can be managed by defining a minimum number of nodes that must participate in a successful write operation
  • AWS provides services to reduce or remove single points of failure
    • Regions, Availability Zones with multiple data centers
    • ELB or Route 53 to configure health checks and mask failure by routing traffic to healthy endpoints
    • Auto Scaling to automatically replace unhealthy nodes
    • EC2 auto-recovery to recover unhealthy impaired nodes
    • S3, DynamoDB with data redundantly stored across multiple facilities
    • Multi-AZ RDS, Aurora (6 copies across 3 AZs), and Read Replicas
    • ElastiCache Redis engine supports replication with automatic failover
    • AWS Elastic Disaster Recovery (DRS) for continuous replication and automated recovery of on-premises and cloud-based applications
  • For more details refer to AWS Disaster Recovery Whitepaper
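The three replication modes above (synchronous, asynchronous, quorum-based) differ in what a read can observe after a write and in how many replica failures a write survives. The following simulation is an added example written for this page (not AWS code, and not how any particular AWS database is implemented): a toy store with N replicas, a write quorum W and a read quorum R, in which a write stops after W acknowledgements and the remaining replicas lag until `catch_up()` runs, and a read consults R replicas and returns the newest version it finds. `demo()` walks through the cases the text describes.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Replica:
    version: int = 0
    value: Optional[str] = None
    alive: bool = True


class QuorumStore:
    """Toy replicated store with N replicas, write quorum W and read quorum R.
    A write is acknowledged once W live replicas hold it; the rest receive it later
    (asynchronous replication, modelled by catch_up). A read consults R live replicas
    and returns the newest version among them."""

    def __init__(self, n: int, w: int, r: int):
        self.replicas = [Replica() for _ in range(n)]
        self.w, self.r = w, r
        self._latest_version = 0
        self._latest_value: Optional[str] = None

    def write(self, value: str) -> int:
        version = self._latest_version + 1
        written, acks = [], 0
        for rep in self.replicas:
            if acks == self.w:
                break                                   # quorum met; the rest lag behind
            if rep.alive:
                written.append((rep, rep.version, rep.value))
                rep.version, rep.value = version, value
                acks += 1
        if acks < self.w:
            for rep, old_version, old_value in written:  # roll back the partial write
                rep.version, rep.value = old_version, old_value
            raise RuntimeError(f"write quorum not reachable: {acks} < {self.w}")
        self._latest_version, self._latest_value = version, value
        return version

    def read(self) -> Tuple[int, Optional[str]]:
        # Consult the last R live replicas, the opposite end from where writes start, so that
        # replicas outside the most recent write set are the ones chosen whenever W + R <= N.
        alive = [rep for rep in reversed(self.replicas) if rep.alive]
        if len(alive) < self.r:
            raise RuntimeError(f"read quorum not reachable: {len(alive)} < {self.r}")
        newest = max(alive[: self.r], key=lambda rep: rep.version)
        return newest.version, newest.value

    def catch_up(self) -> None:
        """Asynchronous replication completing: lagging live replicas get the latest write."""
        for rep in self.replicas:
            if rep.alive and rep.version < self._latest_version:
                rep.version, rep.value = self._latest_version, self._latest_value


def quorums_overlap(n: int, w: int, r: int) -> bool:
    """W + R > N guarantees every read quorum intersects the most recent write quorum."""
    return w + r > n


def demo() -> dict:
    """Walk through the scenarios and return what each read observed."""
    out = {}
    weak = QuorumStore(n=3, w=1, r=1)            # W + R = 2, not > 3: reads may be stale
    weak.write("a")
    out["weak_before_catch_up"] = weak.read()    # replication lag visible to the reader
    weak.catch_up()
    out["weak_after_catch_up"] = weak.read()

    strong = QuorumStore(n=3, w=2, r=2)          # W + R = 4 > 3: reads see the latest write
    strong.write("a")
    out["strong_read"] = strong.read()
    strong.replicas[0].alive = False             # one replica lost: still writable
    strong.write("b")
    out["strong_after_failure"] = strong.read()
    strong.replicas[1].alive = False             # two lost: write quorum unreachable
    try:
        strong.write("c")
        out["write_with_two_down"] = "accepted"
    except RuntimeError:
        out["write_with_two_down"] = "rejected"
    out["value_after_rejected_write"] = strong.replicas[2].version, strong.replicas[2].value
    return out


if __name__ == "__main__":
    for name, observed in demo().items():
        print(f"{name:28} {observed}")
```

With W=1, R=1 the first read returns version 0 (stale) until replication catches up, which is the asynchronous trade-off in the text; with W=2, R=2 the read always overlaps the write set and survives one failed replica, and a second failure is refused rather than silently accepted, which is the quorum-based behaviour. Aurora's "6 copies across 3 AZs" uses the same idea with a 4-of-6 write quorum and 3-of-6 read quorum.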

Optimize for Cost

  • AWS can help organizations reduce capital expenses and drive savings as a result of the AWS economies of scale
  • AWS provides different options which should be utilized as per use case –
    • EC2 pricing models:
      • On-Demand – pay per second/hour with no commitment
      • Savings Plans – commit to a consistent amount of usage (measured in $/hr) for 1 or 3 years; Compute Savings Plans (up to 66% savings) and EC2 Instance Savings Plans (up to 72% savings)
      • Reserved Instances – capacity reservation with up to 72% discount for 1 or 3 year terms
      • Spot Instances – up to 90% discount for fault-tolerant, flexible workloads using spare capacity
      • Dedicated Hosts – single-tenant hardware for compliance and BYOL licensing
    • AWS Graviton instances for up to 40% better price-performance over comparable x86 instances
    • AWS Cost Optimization Hub, Trusted Advisor, and AWS Compute Optimizer to identify cost savings opportunities
    • S3 storage classes:
      • S3 Standard – frequently accessed data
      • S3 Intelligent-Tiering – automatic cost optimization for data with unknown or changing access patterns
      • S3 Standard-Infrequent Access (S3 Standard-IA) – infrequently accessed data
      • S3 One Zone-IA – infrequently accessed data not requiring multi-AZ resilience
      • S3 Glacier Instant Retrieval, Flexible Retrieval, and Deep Archive – long-term archive storage
      • S3 Express One Zone – single-digit millisecond latency for most frequently accessed data (up to 10x faster than S3 Standard)
    • EBS volumes – General Purpose SSD (gp3), Provisioned IOPS SSD (io2 Block Express), Throughput Optimized HDD (st1), Cold HDD (sc1). Note: Magnetic (standard) is a previous-generation volume type; gp3 is recommended as default.
    • Cost Allocation tags to identify costs based on tags
    • Auto Scaling to horizontally scale the capacity up or down based on demand
    • Lambda and Fargate based serverless architectures to never pay for idle or redundant resources
    • Utilize managed services where scaling is handled by AWS for e.g. ELB, CloudFront, Kinesis, SQS, Amazon OpenSearch Service etc.

Caching

  • Caching improves application performance and increases the cost efficiency of an implementation
    • Application Data Caching
      • provides services that help store and retrieve information from fast, managed, in-memory caches
      • Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory cache in the cloud and supports two open-source in-memory caching engines: Memcached and Redis
      • Amazon DynamoDB Accelerator (DAX) provides a fully managed, in-memory cache for DynamoDB with microsecond response times
    • Edge Caching
      • allows content to be served by infrastructure that is closer to viewers, lowering latency and giving high, sustained data transfer rates needed to deliver large popular objects to end users at scale.
      • Amazon CloudFront is a Content Delivery Network (CDN) consisting of 600+ Points of Presence (edge locations and regional caches) that caches copies of static and dynamic content close to viewers
      • CloudFront Functions and Lambda@Edge enable running code at edge locations for request/response manipulation

Security

  • AWS works on a shared security responsibility model
    • AWS is responsible for the security of the underlying cloud infrastructure
    • you are responsible for securing the workloads you deploy in AWS
  • AWS also provides ample security features
    • IAM to define a granular set of policies and assign them to users, groups, and AWS resources
    • IAM roles to assign short term credentials to resources, which are automatically distributed and rotated
    • AWS IAM Identity Center (formerly AWS SSO) for centralized workforce identity management and single sign-on across AWS accounts and applications
    • Amazon Cognito, for mobile and web applications, which allows client devices to get controlled access to AWS resources via temporary tokens
    • VPC to isolate parts of infrastructure through the use of subnets, security groups, and routing controls
    • AWS WAF to help protect web applications from SQL injection, cross-site scripting, and other common exploits with managed rule groups
    • CloudWatch Logs to collect logs centrally, since instances are ephemeral and their local logs disappear with them
    • CloudTrail for auditing AWS API calls; it delivers log files to an S3 bucket, where they can be stored immutably and automatically processed to notify you or even take action on your behalf, protecting your organization from non-compliance
    • AWS Security Hub – unified security posture management that aggregates findings from GuardDuty, Inspector, Macie, and partner tools with automated compliance checks
    • Amazon GuardDuty – intelligent threat detection using machine learning, anomaly detection, and integrated threat intelligence to identify malicious activity
    • Amazon Inspector – automated vulnerability management that continuously scans EC2 instances, container images (ECR), Lambda functions, and code repositories for software vulnerabilities
    • AWS Config for continuous compliance monitoring, and AWS Trusted Advisor for best practice recommendations across cost, performance, security, fault tolerance, and service limits
  • For more details refer to the AWS Security Whitepaper
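The automatic processing of CloudTrail logs described above, as an added example that is not code from the original post: a small scanner over a constructed CloudTrail log file (the "Records" layout is CloudTrail's delivery format; the records, principal names, IPs and thresholds are constructed) that flags root-account activity, audit-weakening or access-widening API calls, and repeated AccessDenied errors from one principal.

```python
"""Scan a CloudTrail log file (as delivered to S3) and emit findings worth alerting on."""
import json
from collections import Counter
from typing import Dict, List

# Constructed sample log file; the wrapper object mirrors the CloudTrail S3 delivery format.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2025-06-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-06-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2025-06-01T10:06:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2025-06-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "svc-backup"}},
] + [
    # Three denied calls in a row from one principal: possible permission probing.
    {"eventTime": f"2025-06-01T10:1{i}:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"}
    for i in range(3)
]})

# Control-plane calls that weaken auditing or widen access, with a constructed severity.
WATCHED_EVENTS: Dict[str, str] = {
    "StopLogging": "HIGH", "DeleteTrail": "HIGH", "UpdateTrail": "MEDIUM",
    "CreateAccessKey": "MEDIUM", "CreateUser": "MEDIUM",
    "AttachUserPolicy": "MEDIUM", "PutBucketPolicy": "MEDIUM",
    "AuthorizeSecurityGroupIngress": "LOW",
}
DENIED_THRESHOLD = 3  # AccessDenied events from one principal before alerting


def principal(record: dict) -> str:
    """Human-readable actor for a CloudTrail record (user name, ARN, or identity type)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def analyze_log_file(log_text: str) -> List[dict]:
    """Return findings for one CloudTrail log file, in record order."""
    records = json.loads(log_text)["Records"]
    findings: List[dict] = []
    denied: Counter = Counter()
    for rec in records:
        actor = principal(rec)
        name = rec.get("eventName", "")
        base = {"time": rec.get("eventTime"), "actor": actor, "event": name,
                "source_ip": rec.get("sourceIPAddress")}
        # Any root usage deserves a look; root without MFA even more so.
        if rec.get("userIdentity", {}).get("type") == "Root":
            mfa = rec.get("additionalEventData", {}).get("MFAUsed", "Unknown")
            findings.append({**base, "severity": "HIGH",
                             "reason": f"root account activity (MFAUsed={mfa})"})
        if name in WATCHED_EVENTS:
            findings.append({**base, "severity": WATCHED_EVENTS[name],
                             "reason": f"sensitive API call {name}"})
        if rec.get("errorCode") == "AccessDenied":
            denied[actor] += 1
            if denied[actor] == DENIED_THRESHOLD:   # alert once per principal per file
                findings.append({**base, "severity": "MEDIUM",
                                 "reason": f"{DENIED_THRESHOLD} AccessDenied errors for {actor}"})
    return findings


if __name__ == "__main__":
    for f in analyze_log_file(SAMPLE_LOG_FILE):
        print(f"[{f['severity']}] {f['time']} {f['actor']} {f['event']}: {f['reason']}")
```

In a real pipeline the same function would run from an S3 event notification or Lambda trigger on each delivered (gzip-compressed) log file.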

AWS Well-Architected Framework

  • The AWS Well-Architected Framework is the successor to this whitepaper and provides comprehensive guidance for building secure, high-performing, resilient, and efficient infrastructure
  • The Framework is built on six pillars:
    • Operational Excellence – running and monitoring systems to deliver business value and continually improve processes and procedures
    • Security – protecting information and systems through risk assessments, mitigation strategies, and security best practices
    • Reliability – ensuring workloads perform correctly and consistently, with ability to recover from failures and meet demand
    • Performance Efficiency – using computing resources efficiently to meet requirements and maintain efficiency as demand changes
    • Cost Optimization – avoiding unnecessary costs through understanding spending, selecting the right resources, and scaling to meet needs without overspending
    • Sustainability (added 2021) – minimizing environmental impacts by reducing energy consumption and increasing efficiency of cloud workloads
  • The AWS Well-Architected Tool in the AWS Management Console allows workload reviews against framework best practices
  • AWS also provides Well-Architected Lenses for specific workload types (Serverless, SaaS, Machine Learning, Data Analytics, IoT, etc.)


AWS High Availability & Fault Tolerance Architecture

📅 Content Update – June 2025

This post has been updated to reflect modern AWS HA/FT services and best practices including AWS Resilience Hub, Application Recovery Controller (ARC), Fault Injection Service (FIS), Multi-AZ DB Clusters, DynamoDB Global Tables with Multi-Region Strong Consistency (MRSC), and current ELB types (ALB/NLB/GWLB).

  • Amazon Web Services provides services and infrastructure to build reliable, fault-tolerant, and highly available systems in the cloud.
  • Fault tolerance is the ability of a system to remain in operation even if some of the components used to build it fail.
  • Most of the higher-level services, such as S3, DynamoDB, SQS, and ELB, have been built with fault tolerance and high availability in mind.
  • Services that provide basic infrastructure, such as EC2 and EBS, provide specific features, such as availability zones, elastic IP addresses, and snapshots, that a fault-tolerant and highly available system must take advantage of and use correctly.

AWS High Availability and Fault Tolerance

NOTE: Topic mainly for Professional Exam Only

Regions & Availability Zones

  • Amazon Web Services are available in geographic Regions and with multiple Availability Zones (AZs) within a region, which provide easy access to redundant deployment locations.
  • AZs are distinct geographical locations that are engineered to be insulated from failures in other AZs.
  • Regions and AZs help achieve greater fault tolerance by distributing the application geographically and help build multi-site solutions.
  • AZs provide inexpensive, low latency network connectivity to other Availability Zones in the same Region. All traffic between AZs is encrypted.
  • By placing EC2 instances in multiple AZs, an application can be protected from failure at a single data center.
  • It is important to run independent application stacks in more than one AZ, either in the same region or in another region, so that if one zone fails, the application in the other zone can continue to run.
  • AWS recommends deploying production workloads across at least 3 AZs for optimal fault isolation and static stability.
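Sizing a fleet across AZs so that it survives the loss of any single AZ, as an added example that is not code from the original post. It implements the N+1 zone rule that practice question 7 later in this post relies on (ZONE_COUNT = REQUIRED_INSTANCES / INSTANCE_COUNT_PER_ZONE + 1) and generalizes it: for a required instance count and the AZs available, it enumerates every zone count and picks the spread with the fewest instances; the inputs are constructed.

```python
"""Spread a fleet across AZs so that losing any one AZ still leaves the required capacity."""
import math
from typing import List, NamedTuple


class Layout(NamedTuple):
    zones: int            # AZs the fleet is spread across
    per_zone: int         # instances launched in each AZ
    total: int            # zones * per_zone
    overhead_pct: float   # extra capacity beyond the bare requirement


def zone_count_for(required: int, per_zone: int) -> int:
    """The rule as stated in the practice question: enough zones to hold the
    requirement, plus one spare zone that may fail."""
    return math.ceil(required / per_zone) + 1


def layouts(required: int, available_zones: int) -> List[Layout]:
    """Every zone count from 2 up to the zones available, with the per-zone count
    needed so that the remaining zones still hold `required` instances."""
    out = []
    for zones in range(2, available_zones + 1):
        per_zone = math.ceil(required / (zones - 1))   # capacity must survive losing one AZ
        total = zones * per_zone
        out.append(Layout(zones, per_zone, total, 100.0 * (total - required) / required))
    return out


def cheapest_layout(required: int, available_zones: int) -> Layout:
    """Fewest instances overall; on a tie prefer more zones (smaller blast radius)."""
    return min(layouts(required, available_zones), key=lambda l: (l.total, -l.zones))


def survives_zone_loss(layout: Layout, required: int) -> bool:
    """Check: with any single AZ removed, do the others still cover the requirement?"""
    return (layout.zones - 1) * layout.per_zone >= required


if __name__ == "__main__":
    # 8 instances required, 6 AZs available (the practice-question scenario).
    for layout in layouts(8, 6):
        print(f"{layout.zones} AZs x {layout.per_zone} = {layout.total} "
              f"(+{layout.overhead_pct:.0f}%, survives loss: {survives_zone_loss(layout, 8)})")
    print("cheapest:", cheapest_layout(8, 6))
```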

Amazon Machine Image – AMIs

  • EC2 is a web service within Amazon Web Services that provides computing resources.
  • An Amazon Machine Image (AMI) provides a template that can be used to define the service instances.
  • The template contains a software configuration (OS, application server, and applications) and is launched on an instance type.
  • An AMI can either bundle all the software, applications and code, or be configured with a bootstrap script (user data) that installs them on startup.
  • A single AMI can launch instances of different instance types, whether creating new instances or replacing failed ones.
  • EC2 Image Builder can automate the creation, testing, and distribution of AMIs across regions, enabling faster recovery through pre-built golden images.

Auto Scaling

  • Auto Scaling helps to automatically scale EC2 capacity up or down based on defined rules.
  • Auto Scaling also enables addition of more instances in response to an increasing load; and when those instances are no longer needed, they will be automatically terminated.
  • Auto Scaling enables terminating server instances at will, knowing that replacement instances will be automatically launched.
  • Auto Scaling can work across multiple AZs within an AWS Region.
  • Predictive Scaling uses machine learning to proactively scale out ASGs ahead of anticipated demand spikes, improving availability and reducing the need for over-provisioning.
  • Target Tracking Scaling policies provide a simplified way to configure dynamic scaling based on a specific metric target (e.g., average CPU utilization at 50%).
  • Auto Scaling groups support warm pools to pre-initialize instances for faster scaling, reducing cold-start times during demand surges.
  • Amazon Application Recovery Controller (ARC) supports zonal autoshift with EC2 Auto Scaling, automatically shifting traffic away from impaired AZs.

Elastic Load Balancing – ELB

  • Elastic Load Balancing is an effective way to increase the availability of a system and distributes incoming traffic to applications across several EC2 instances.
  • ELB supports health checks on hosts, distribution of traffic to EC2 instances across multiple availability zones, and dynamic addition and removal of EC2 hosts from the load-balancing rotation.
  • Elastic Load Balancing detects unhealthy instances within its pool and automatically reroutes traffic to healthy instances, until the unhealthy instances have been restored seamlessly using Auto Scaling.
  • Auto Scaling and Elastic Load Balancing are an ideal combination – while ELB gives a single DNS name for addressing, Auto Scaling ensures there is always the right number of healthy EC2 instances to accept requests.
  • ELB can be used to balance across instances in multiple AZs of a region.

ELB Types

  • Application Load Balancer (ALB) – Layer 7 (HTTP/HTTPS); supports path-based routing, host-based routing, mutual TLS authentication (2023), one-click AWS WAF integration, URL and host header rewrites (2025), Automatic Target Weights, and LCU Capacity Reservation for handling sharp traffic spikes.
  • Network Load Balancer (NLB) – Layer 4 (TCP/UDP/TLS); ultra-low latency, static IPs per AZ, weighted target groups for blue/green deployments, and subnet removal/addition capability (2025).
  • Gateway Load Balancer (GWLB) – Layer 3 gateway + Layer 4 load balancer; used to deploy, scale, and manage third-party virtual network appliances (firewalls, IDS/IPS).
  • Classic Load Balancer (CLB) – Previous generation; deprecated for new workloads. AWS recommends migrating to ALB or NLB. CLBs in EC2-Classic were retired in August 2022.

Elastic IPs – EIPs

  • Elastic IP addresses are public static IP addresses that can be mapped programmatically between instances within a region.
  • EIPs are associated with the AWS account and not with a specific instance or lifetime of an instance.
  • Elastic IP addresses can be used for instances and services that require consistent endpoints, such as master databases, central file servers, and EC2-hosted load balancers.
  • Elastic IP addresses can be used to work around host or availability zone failures by quickly remapping the address to another running instance or a replacement instance that was just started.

Reserved Instances & Savings Plans

  • Reserved Instances reserve computing capacity and guarantee it is available, at a lower cost.
  • Savings Plans provide a more flexible pricing model with up to 72% savings in exchange for committing to a consistent amount of compute usage (measured in $/hour) over a 1 or 3-year term.
  • On-Demand Capacity Reservations (ODCRs) ensure EC2 capacity is available in a specific AZ when needed for HA without requiring a term commitment.

Elastic Block Store – EBS

  • Elastic Block Store (EBS) offers persistent off-instance storage volumes that persist independently from the life of an instance and are about an order of magnitude more durable than on-instance storage.
  • EBS volumes store data redundantly and are automatically replicated within a single availability zone.
  • EBS helps in failover scenarios where if an EC2 instance fails and needs to be replaced, the EBS volume can be attached to the new EC2 instance.
  • Valuable data should never be stored only on instance (ephemeral) storage without proper backups, replication, or the ability to re-create the data.
  • EBS Multi-Attach (for io1/io2 volumes) allows a single volume to be attached to up to 16 Nitro-based instances within the same AZ for shared storage HA scenarios.

EBS Snapshots

  • EBS volumes are highly reliable, but to further mitigate the possibility of a failure and increase durability, point-in-time Snapshots can be created to store data on volumes in S3, which is then replicated to multiple AZs.
  • Snapshots can be used to create new EBS volumes, which are an exact replica of the original volume at the time the snapshot was taken.
  • Snapshots provide an effective way to deal with disk failures or other host-level issues, as well as with problems affecting an AZ.
  • Snapshots are incremental and back up only changes since the previous snapshot, so it is advisable to hold on to recent snapshots.
  • Snapshots are tied to the region, while EBS volumes are tied to a single AZ.
  • EBS Snapshots Archive provides up to 75% lower storage costs for snapshots stored 90+ days and rarely accessed.
  • Fast Snapshot Restore (FSR) eliminates the need for initializing volumes from snapshots, enabling full-performance volumes immediately upon creation for faster failover.

Relational Database Service – RDS

  • RDS makes it easy to run relational databases in the cloud.
  • RDS Multi-AZ instance deployments provision a synchronous standby replica in a different AZ, providing high availability and automatic failover protection.
  • In case of a failover scenario, the standby is promoted to be the primary seamlessly and will handle the database operations.
  • RDS Multi-AZ DB Cluster deployments (for MySQL and PostgreSQL) provide a primary instance and two readable standby instances across 3 AZs. This offers improved write latency, faster failover (typically under 35 seconds), and the standby instances can serve read traffic.
  • Automated backups, enabled by default, provide point-in-time recovery for the database instance.
  • RDS will back up your database and transaction logs and store both for a user-specified retention period.
  • In addition to the automated backups, manual RDS backups can also be performed which are retained until explicitly deleted.
  • Backups help recover from higher-level faults such as unintentional data modification, either by operator error or by bugs in the application.
  • RDS Read Replicas provide read-only replicas of the database and the ability to scale out beyond the capacity of a single database deployment for read-heavy database workloads.
  • RDS Read Replicas are a scalability solution, not a High Availability solution. However, cross-region Read Replicas can be manually promoted for disaster recovery.
  • Amazon RDS now supports ENA Express for Multi-AZ replication (2026), using Scalable Reliable Datagram (SRD) to improve replication performance by distributing traffic across multiple network paths.

Simple Storage Service – S3

  • S3 provides a highly durable (99.999999999% / 11 9s), fault-tolerant and redundant object store.
  • S3 stores objects redundantly on multiple devices across multiple facilities in an S3 Region.
  • S3 is a great storage solution for somewhat static or slow-changing objects, such as images, videos, and other static media.
  • S3 also supports edge caching and streaming of these assets by interacting with the Amazon CloudFront service.
  • S3 Cross-Region Replication (CRR) automatically replicates objects to a bucket in another region, enabling disaster recovery and low-latency access for globally distributed users.
  • S3 Express One Zone delivers up to 10x faster performance with single-digit millisecond latency for frequently accessed data, but note it stores data in a single AZ (not suitable as the sole copy for fault tolerance).

Simple Queue Service – SQS

  • Simple Queue Service (SQS) is a highly reliable distributed messaging system that can serve as the backbone of a fault-tolerant application.
  • SQS is engineered to provide “at least once” delivery of all messages in standard queues. FIFO queues provide exactly-once processing and strict message ordering.
  • Messages sent to a queue are retained for up to 4 days (by default, can be extended up to 14 days) or until they are read and deleted by the application.
  • Messages can be polled by multiple workers and processed, while SQS ensures that a message is processed by only one worker at a time, using a configurable interval called the visibility timeout.
  • If the number of messages in a queue starts to grow or if the average time to process a message becomes too high, workers can be scaled upwards by simply adding additional EC2 instances.
  • Dead-letter queues (DLQs) capture messages that cannot be processed successfully. DLQ redrive allows moving messages back to source queues for reprocessing.
  • FIFO queues support up to 70,000 messages per second with high throughput mode and up to 120K in-flight messages (increased from 20K in November 2024).
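An in-memory model of the standard-queue behaviour described above (at-least-once delivery, the visibility timeout, and redrive to a dead-letter queue once a message exceeds the maximum receive count), as an added example that is neither the SQS API nor code from the original post. The worker, message bodies and timing values are constructed; it shows why a consumer must be idempotent when a worker dies between processing a message and deleting it.

```python
"""Simulate SQS standard-queue semantics: visibility timeout, redelivery, DLQ redrive."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Message:
    message_id: str
    body: str
    receive_count: int = 0
    invisible_until: float = 0.0   # simulated clock time at which it becomes visible again


@dataclass
class Queue:
    """Standard queue with a visibility timeout and a dead-letter redrive policy."""
    visibility_timeout: float
    max_receive_count: int
    messages: List[Message] = field(default_factory=list)
    dead_letter: List[Message] = field(default_factory=list)

    def send(self, message_id: str, body: str) -> None:
        self.messages.append(Message(message_id, body))

    def receive(self, now: float) -> Optional[Message]:
        """Hand out one visible message and hide it for the visibility timeout.
        A message received more than max_receive_count times goes to the DLQ instead."""
        for msg in list(self.messages):
            if msg.invisible_until > now:
                continue
            msg.receive_count += 1
            if msg.receive_count > self.max_receive_count:
                self.messages.remove(msg)
                self.dead_letter.append(msg)
                continue
            msg.invisible_until = now + self.visibility_timeout
            return msg
        return None

    def delete(self, message_id: str) -> None:
        """The consumer acknowledges by deleting; until then the message can be redelivered."""
        self.messages = [m for m in self.messages if m.message_id != message_id]


def process(msg: Message, done: Set[str], side_effects: Counter) -> None:
    """Consumer logic: fails on a poison message, otherwise idempotent."""
    if msg.body == "poison":
        raise RuntimeError("unprocessable message")
    if msg.message_id in done:         # duplicate delivery: skip the side effect
        return
    side_effects[msg.message_id] += 1  # e.g. charging a card, which must happen once
    done.add(msg.message_id)


def run_simulation() -> Dict[str, object]:
    """One good message whose first worker crashes before deleting it, plus a poison message."""
    q = Queue(visibility_timeout=30.0, max_receive_count=3)
    q.send("m1", "charge order 42")
    q.send("m2", "poison")
    m1 = q.messages[0]
    done: Set[str] = set()
    side_effects: Counter = Counter()
    crashed_once = False
    clock = 0.0
    while q.messages and clock < 300.0:
        msg = q.receive(clock)
        if msg is None:                # everything is in flight; wait for a timeout to expire
            clock += 10.0
            continue
        try:
            process(msg, done, side_effects)
            if msg.message_id == "m1" and not crashed_once:
                crashed_once = True    # worker dies after the work but before delete()
            else:
                q.delete(msg.message_id)
        except RuntimeError:
            pass                       # not deleted: SQS redelivers after the timeout
        clock += 1.0
    return {
        "side_effects": dict(side_effects),
        "m1_receive_count": m1.receive_count,
        "dead_letter": [(m.message_id, m.receive_count) for m in q.dead_letter],
        "remaining": len(q.messages),
    }


if __name__ == "__main__":
    print(run_simulation())
```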

Route 53

  • Amazon Route 53 is a highly available and scalable DNS web service.
  • Queries for the domain are automatically routed to the nearest DNS server and thus are answered with the best possible performance.
  • Route 53 resolves requests for your domain name (for example, www.example.com) to your Elastic Load Balancer, as well as your zone apex record (example.com).
  • Route 53 supports multiple routing policies for HA: Failover (active-passive), Latency-based, Weighted, Geolocation, Geoproximity (expanded to public/private hosted zones in 2024), and Multivalue Answer.
  • Route 53 health checks can monitor endpoint health and trigger DNS failover automatically.
  • Route 53 Accelerated Recovery (2026) ensures customers can continue making DNS changes even during regional AWS outages, providing greater predictability for mission-critical applications.

CloudFront

  • CloudFront can be used to deliver website content, including dynamic, static and streaming content using a global network of edge locations.
  • Requests for your content are automatically routed to the nearest edge location, so content is delivered with the best possible performance.
  • CloudFront is optimized to work with other Amazon Web Services, like S3 and EC2.
  • CloudFront also works seamlessly with any non-AWS origin server, which stores the original, definitive versions of your files.
  • CloudFront Functions run lightweight JavaScript at edge locations for request/response customization. Lambda@Edge provides full compute capabilities at Regional Edge Caches.
  • VPC Origins allow CloudFront to fetch content directly from private resources within a VPC without exposing them to the public internet.
  • Origin Shield acts as an additional caching layer to reduce the load on origins and improve cache hit ratios for multi-region architectures.

DynamoDB Global Tables

  • DynamoDB Global Tables provide a fully managed, multi-Region, multi-active database solution for globally distributed applications.
  • Global Tables automatically replicate data across your choice of AWS Regions. Every replica table in every Region can accept both reads and writes.
  • Changes made to an item in one Region are typically replicated to all other replica Regions within a second.
  • Multi-Region Strong Consistency (MRSC), generally available since June 2025, provides zero RPO (Recovery Point Objective) by enabling strongly consistent reads from any Region. This is the highest level of application resilience for DynamoDB.
  • Global Tables now support cross-account replication (2026), enabling multi-account multi-region architectures.
  • Global Tables replace the previous cross-region replication approach (DynamoDB Streams-based) with a fully managed, zero-administration solution.

AWS Resilience Hub

  • AWS Resilience Hub is a central location to define, track, and manage the resilience of applications.
  • It enables you to define resilience goals (RTO/RPO), assess your resilience posture against those goals, and implement recommendations based on the AWS Well-Architected Framework.
  • Resilience Hub performs automated resilience assessments and identifies gaps in your architecture, such as missing Multi-AZ deployments or lack of backup strategies.
  • Integrates with AWS Fault Injection Service (FIS) to run chaos experiments directly from the Resilience Hub console.
  • The next generation of Resilience Hub (GA May 2026) uses generative AI to provide a structured resilience journey for SRE and development teams.

AWS Fault Injection Service (FIS)

  • AWS FIS is a managed chaos engineering service that enables you to perform controlled fault injection experiments on your AWS workloads.
  • FIS helps simulate real-world failures (AZ disruptions, instance failures, network degradation, API throttling) to validate fault tolerance of your architecture.
  • Supports actions targeting EC2, ECS, EKS, RDS, Lambda functions (native integration since October 2024), and more.
  • Amazon.com ran 733 AWS FIS experiments to prepare for Prime Day 2024.
  • Experiments can be generated using natural language through Amazon Bedrock integration (2025).

Amazon Application Recovery Controller (ARC)

  • ARC helps manage and coordinate recovery for applications across AWS Regions and Availability Zones.
  • Zonal Shift allows you to quickly shift traffic for a resource (ALB, NLB, EKS, Auto Scaling group) away from an impaired AZ to healthy AZs.
  • Zonal Autoshift enables AWS to automatically shift traffic away from an AZ when internal telemetry detects a potential impairment — without manual intervention.
  • Routing Controls provide manual override capabilities for cross-region failover of applications.
  • Zonal shift and zonal autoshift are available at no additional cost.
  • Supported resources include ALB, NLB, EC2 Auto Scaling groups, EKS clusters, and Karpenter (2026).

AWS Certification Exam Practice Questions

  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. You are moving an existing traditional system to AWS, and during the migration discover that there is a master server which is a single point of failure. Having examined the implementation of the master server you realize there is not enough time during migration to re-engineer it to be highly available, though you do discover that it stores its state in a local MySQL database. In order to minimize down-time you select RDS to replace the local database and configure the master to use it. What steps would best allow you to create a self-healing architecture? [PROFESSIONAL]
    1. Migrate the local database into multi-AZ RDS database. Place master node into a multi-AZ auto-scaling group with a minimum of one and maximum of one with health checks.
    2. Replicate the local database into a RDS read replica. Place master node into a Cross-Zone ELB with a minimum of one and maximum of one with health checks. (Read Replica does not provide HA and write capability and ELB does not have feature for Min and Max 1 and Cross Zone allows just the equal distribution of load across instances)
    3. Migrate the local database into multi-AZ RDS database. Place master node into a Cross-Zone ELB with a minimum of one and maximum of one with health checks. (ELB does not have feature for Min and Max 1 and Cross Zone allows just the equal distribution of load across instances)
    4. Replicate the local database into a RDS read replica. Place master node into a multi-AZ auto-scaling group with a minimum of one and maximum of one with health checks. (Read Replica does not provide HA and write capability)
  2. You are designing Internet connectivity for your VPC. The Web servers must be available on the Internet. The application must have a highly available architecture. Which alternatives should you consider? (Choose 2 answers)
    1. Configure a NAT instance in your VPC. Create a default route via the NAT instance and associate it with all subnets. Configure a DNS A record that points to the NAT instance public IP address (NAT is for internet connectivity for instances in private subnet)
    2. Configure a CloudFront distribution and configure the origin to point to the private IP addresses of your Web servers. Configure a Route53 CNAME record to your CloudFront distribution.
    3. Place all your web servers behind ELB. Configure a Route53 CNAME to point to the ELB DNS name.
    4. Assign EIPs to all web servers. Configure a Route53 record set with all EIPs. With health checks and DNS failover.
  3. When deploying a highly available 2-tier web application on AWS, which combination of AWS services meets the requirements? 1. AWS Direct Connect 2. Amazon Route 53 3. AWS Storage Gateway 4. Elastic Load Balancing 4. Amazon EC2 5. Auto scaling 6. Amazon VPC 7. AWS Cloud Trail [PROFESSIONAL]
    1. 2,4,5 and 6
    2. 3,4,5 and 8
    3. 1 through 8
    4. 1,3,5 and 7
    5. 1,2,5 and 6
  4. Company A has hired you to assist with the migration of an interactive website that allows registered users to rate local restaurants. Updates to the ratings are displayed on the home page, and ratings are updated in real time. Although the website is not very popular today, the company anticipates that It will grow rapidly over the next few weeks. They want the site to be highly available. The current architecture consists of a single Windows Server 2008 R2 web server and a MySQL database running on Linux. Both reside inside an on-premises hypervisor. What would be the most efficient way to transfer the application to AWS, ensuring performance and high-availability? [PROFESSIONAL]
    1. Export web files to an Amazon S3 bucket in us-west-1. Run the website directly out of Amazon S3. Launch a multi-AZ MySQL Amazon RDS instance in us-west-1a. Import the data into Amazon RDS from the latest MySQL backup. Use Route 53 and create an alias record pointing to the elastic load balancer. (It's an interactive website; although it could be implemented using the JavaScript SDK, it's a migration and the application would need changes. Also there is no use of an ELB if hosted on S3)
    2. Launch two Windows Server 2008 R2 instances in us-west-1b and two in us-west-1a. Copy the web files from on premises web server to each Amazon EC2 web server, using Amazon S3 as the repository. Launch a multi-AZ MySQL Amazon RDS instance in us-west-2a. Import the data into Amazon RDS from the latest MySQL backup. Create an elastic load balancer to front your web servers. Use Route 53 and create an alias record pointing to the elastic load balancer. (Although RDS instance is in a different region which will impact performance, this is the only option that works.)
    3. Use AWS VM Import/Export to create an Amazon Elastic Compute Cloud (EC2) Amazon Machine Image (AMI) of the web server. Configure Auto Scaling to launch two web servers in us-west-1a and two in us-west-1b. Launch a Multi-AZ MySQL Amazon Relational Database Service (RDS) instance in us-west-1b. Import the data into Amazon RDS from the latest MySQL backup. Use Amazon Route 53 to create a hosted zone and point an A record to the elastic load balancer. (does not create a load balancer)
    4. Use AWS VM Import/Export to create an Amazon EC2 AMI of the web server. Configure auto-scaling to launch two web servers in us-west-1a and two in us-west-1b. Launch a multi-AZ MySQL Amazon RDS instance in us-west-1a. Import the data into Amazon RDS from the latest MySQL backup. Create an elastic load balancer to front your web servers. Use Amazon Route 53 and create an A record pointing to the elastic load balancer. (Need to create an aliased record without which the Route 53 pointing to ELB would not work)
  5. Your company runs a customer facing event registration site. This site is built with a 3-tier architecture with web and application tier servers and a MySQL database. The application requires 6 web tier servers and 6 application tier servers for normal operation, but can run on a minimum of 65% server capacity and a single MySQL database. When deploying this application in a region with three availability zones (AZs) which architecture provides high availability? [PROFESSIONAL]
    1. A web tier deployed across 2 AZs with 3 EC2 (Elastic Compute Cloud) instances in each AZ inside an Auto Scaling Group behind an ELB (elastic load balancer), and an application tier deployed across 2 AZs with 3 EC2 instances in each AZ inside an Auto Scaling Group behind an ELB. and one RDS (Relational Database Service) instance deployed with read replicas in the other AZ.
    2. A web tier deployed across 3 AZs with 2 EC2 (Elastic Compute Cloud) instances in each AZ inside an Auto Scaling Group behind an ELB (elastic load balancer) and an application tier deployed across 3 AZs with 2 EC2 instances in each AZ inside an Auto Scaling Group behind an ELB and one RDS (Relational Database Service) Instance deployed with read replicas in the two other AZs.
    3. A web tier deployed across 2 AZs with 3 EC2 (Elastic Compute Cloud) instances in each AZ inside an Auto Scaling Group behind an ELB (elastic load balancer) and an application tier deployed across 2 AZs with 3 EC2 instances in each AZ inside an Auto Scaling Group behind an ELB and a Multi-AZ RDS (Relational Database Service) deployment.
    4. A web tier deployed across 3 AZs with 2 EC2 (Elastic Compute Cloud) instances in each AZ inside an Auto Scaling Group behind an ELB (elastic load balancer), and an application tier deployed across 3 AZs with 2 EC2 instances in each AZ inside an Auto Scaling Group behind an ELB, and a Multi-AZ RDS (Relational Database Service) deployment.
  6. For a 3-tier, customer facing, inclement weather site utilizing a MySQL database running in a Region which has two AZs which architecture provides fault tolerance within the region for the application that minimally requires 6 web tier servers and 6 application tier servers running in the web and application tiers and one MySQL database? [PROFESSIONAL]
    1. A web tier deployed across 2 AZs with 6 EC2 (Elastic Compute Cloud) instances in each AZ inside an Auto Scaling Group behind an ELB (elastic load balancer), and an application tier deployed across 2 AZs with 6 EC2 instances in each AZ inside an Auto Scaling Group behind an ELB. and a Multi-AZ RDS (Relational Database Service) deployment. (As it needs Fault Tolerance with minimal 6 servers always available)
    2. A web tier deployed across 2 AZs with 3 EC2 (Elastic Compute Cloud) instances in each AZ inside an Auto Scaling Group behind an ELB (elastic load balancer) and an application tier deployed across 2 AZs with 3 EC2 instances in each AZ inside an Auto Scaling Group behind an ELB and a Multi-AZ RDS (Relational Database Service) deployment.
    3. A web tier deployed across 2 AZs with 3 EC2 (Elastic Compute Cloud) instances in each AZ inside an Auto Scaling Group behind an ELB (elastic load balancer) and an application tier deployed across 2 AZs with 6 EC2 instances in each AZ inside an Auto Scaling Group behind an ELB and one RDS (Relational Database Service) Instance deployed with read replicas in the other AZs.
    4. A web tier deployed across 1 AZ with 6 EC2 (Elastic Compute Cloud) instances inside an Auto Scaling Group behind an ELB (elastic load balancer), and an application tier deployed in the same AZ with 6 EC2 instances inside an Auto Scaling Group behind an ELB, and a Multi-AZ RDS (Relational Database Service) deployment, with 6 stopped web tier EC2 instances and 6 stopped application tier EC2 instances all in the other AZ ready to be started if any of the running instances in the first AZ fails.
  7. You are designing a system which needs, at minimum, 8 m4.large instances operating to service traffic. When designing a system for high availability in the us-east-1 region, which has 6 Availability Zones, your company needs to be able to handle the death of a full availability zone. How should you distribute the servers, to save as much cost as possible, assuming all of the EC2 nodes are properly linked to an ELB? Your VPC account can utilize us-east-1’s AZ’s a through f, inclusive.
    1. 3 servers in each of AZ’s a through d, inclusive.
    2. 8 servers in each of AZ’s a and b.
    3. 2 servers in each of AZ’s a through e, inclusive. (You need to design for N+1 redundancy on Availability Zones. ZONE_COUNT = (REQUIRED_INSTANCES / INSTANCE_COUNT_PER_ZONE) + 1. To minimize cost, spread the instances across as many possible zones as you can. By using a though e, you are allocating 5 zones. Using 2 instances, you have 10 total instances. If a single zone fails, you have 4 zones left, with 2 instances each, for a total of 8 instances. By spreading out as much as possible, you have increased cost by only 25% and significantly de-risked an availability zone failure. Refer link)
    4. 4 servers in each of AZ’s a through c, inclusive.
  8. You need your API backed by DynamoDB to stay online during a total regional AWS failure. You can tolerate a couple of minutes of lag or slowness during a large failure event, but the system should recover to normal operation after those few minutes. What is a good approach? [PROFESSIONAL]
    1. Set up DynamoDB Global Tables in a multi-active configuration across two regions. Create an Auto Scaling Group behind an ELB in each of the two regions. Add a Route53 Latency DNS Record with DNS Failover, using the ELBs in the two regions as the resource records. (Use DynamoDB Global Tables (multi-active replication) with two ELBs and ASGs with Route53 Failover and Latency DNS. Note: DynamoDB Global Tables now also support Multi-Region Strong Consistency (MRSC) for zero RPO since June 2025.)
    2. Set up a DynamoDB Multi-Region table. Create an Auto Scaling Group behind an ELB in each of the two regions DynamoDB is running in. Add a Route53 Latency DNS Record with DNS Failover, using the ELBs in the two regions as the resource records. (This is now essentially correct with DynamoDB Global Tables being the multi-region solution. However at the time of the question, this option was considered incorrect.)
    3. Set up a DynamoDB Multi-Region table. Create a cross-region ELB pointing to a cross-region Auto Scaling Group, and direct a Route53 Latency DNS Record with DNS Failover to the cross-region ELB. (No such thing as Cross Region ELB or cross-region ASG)
    4. Set up DynamoDB cross-region replication in a master-standby configuration, with a single standby in another region. Create a cross-region ELB pointing to a cross-region Auto Scaling Group, and direct a Route53 Latency DNS Record with DNS Failover to the cross-region ELB. (No such thing as cross-region ELB or cross-region ASG)
  9. You are putting together a WordPress site for a local charity and you are using a combination of Route53, Elastic Load Balancers, EC2 & RDS. You launch your EC2 instance, download WordPress and set up the configuration file’s connection string so that it can communicate with RDS. When you browse to your URL, however, nothing happens. Which of the following could NOT be the cause of this?
    1. You have forgotten to open port 80/443 on the security group in which the EC2 instance is placed.
    2. Your elastic load balancer has a health check which is checking a webpage that does not exist; therefore your EC2 instance is not in service.
    3. You have not configured an ALIAS for your A record to point to your elastic load balancer.
    4. You have locked port 22 down to your specific IP address, therefore users cannot access your site using HTTP/HTTPS.
  10. A development team that is currently doing a nightly six-hour build, which is lengthening over time, on-premises with a large and mostly underutilized server would like to transition to a continuous integration model of development on AWS with multiple builds triggered within the same day. However, they are concerned about cost, security and how to integrate with existing on-premises applications such as their LDAP and email servers, which cannot move off-premises. The development environment needs a source code repository, a project management system with a MySQL database, resources for performing the builds, and a storage location for QA to pick up builds from. What AWS services combination would you recommend to meet the development team’s requirements? [PROFESSIONAL]
    1. A Bastion host Amazon EC2 instance running a VPN server for access from on-premises, Amazon EC2 for the source code repository with attached Amazon EBS volumes, Amazon EC2 and Amazon RDS MySQL for the project management system, EIP for the source code repository and project management system, Amazon SQS for a build queue, An Amazon Auto Scaling group of Amazon EC2 instances for performing builds and Amazon Simple Email Service for sending the build output. (A bastion host is not for VPN connectivity, and SES should not be used)
    2. An AWS Storage Gateway for connecting on-premises software applications with cloud-based storage securely, Amazon EC2 for the source code repository with attached Amazon EBS volumes, Amazon EC2 and Amazon RDS MySQL for the project management system, EIPs for the source code repository and project management system, Amazon Simple Notification Service for a notification initiated build, An Auto Scaling group of Amazon EC2 instances for performing builds and Amazon S3 for the build output. (Storage Gateway does not provide secure connectivity; a VPN is still needed. SNS alone cannot handle builds)
    3. An AWS Storage Gateway for connecting on-premises software applications with cloud-based storage securely, Amazon EC2 for the source code repository with attached Amazon EBS volumes, Amazon EC2 and Amazon RDS MySQL for the project management system, EIPs for the source code repository and project management system, Amazon SQS for a build queue, An Amazon Elastic Map Reduce (EMR) cluster of Amazon EC2 instances for performing builds and Amazon CloudFront for the build output. (Storage Gateway does not provide secure connectivity; a VPN is still needed. EMR is not ideal for performing builds, which need normal EC2 instances)
    4. A VPC with a VPN Gateway back to their on-premises servers, Amazon EC2 for the source-code repository with attached Amazon EBS volumes, Amazon EC2 and Amazon RDS MySQL for the project management system, EIPs for the source code repository and project management system, SQS for a build queue, An Auto Scaling group of EC2 instances for performing builds and S3 for the build output. (VPN gateway is required for secure connectivity. SQS for build queue and EC2 for builds)
  11. Which of the following AWS services and features are essential for building a modern, highly available fault-tolerant architecture? (Choose 3) [NEW – 2025]
    1. Amazon Application Recovery Controller (ARC) with zonal autoshift
    2. AWS CloudTrail
    3. AWS Fault Injection Service (FIS) for resilience testing
    4. RDS Multi-AZ DB Cluster with readable standbys
    5. Amazon Inspector
  12. A company needs its DynamoDB-backed application to survive a complete regional failure with zero data loss (zero RPO). Which approach best achieves this requirement? [NEW – 2025]
    1. Use DynamoDB Streams to replicate data to another region manually.
    2. Use DynamoDB point-in-time recovery (PITR) with cross-region backups.
    3. Use DynamoDB Global Tables with Multi-Region Strong Consistency (MRSC). (MRSC, GA since June 2025, enables zero RPO with strongly consistent reads from any region.)
    4. Use DynamoDB On-Demand backup and restore to a secondary region.
  13. An application runs behind an Application Load Balancer across 3 AZs. During an AZ impairment detected by AWS, what feature can automatically redirect traffic away from the affected AZ without manual intervention? [NEW – 2025]
    1. Route 53 health check failover
    2. ALB Cross-Zone load balancing
    3. Amazon Application Recovery Controller (ARC) zonal autoshift (ARC zonal autoshift automatically shifts traffic away from an impaired AZ when AWS internal telemetry detects issues, without requiring manual intervention.)
    4. Auto Scaling AZ rebalancing
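A worked example for practice question 7 above, added here and not part of the original page: it applies the page's N+1 zone rule (ZONE_COUNT = (REQUIRED_INSTANCES / INSTANCE_COUNT_PER_ZONE) + 1) in general form, first checking each answer choice for survivability and cost, then searching every zone count for the cheapest spread. The question's numbers (8 m4.large instances, AZs a through f) are the inputs; the function names are my own, and all instances are assumed to be the same type so that instance count stands in for cost.

```python
"""Sizing N+1 Availability Zone redundancy at minimum cost.

Added example for practice question 7 (not from the original page).
Inputs: the minimum instance count that must keep serving after any single
AZ is lost, and the number of AZs the account can use. All instances are
assumed identical (m4.large in the question), so instance count == cost.
"""
import math


def survives_zone_loss(per_zone, zones, required):
    """True if losing any one AZ still leaves at least `required` instances."""
    return (zones - 1) * per_zone >= required


def per_zone_for(required, zones):
    """Instances each AZ needs so the remaining zones-1 AZs carry the load.

    This is the page's N+1 rule rearranged: with ZONE_COUNT = zones, the
    surviving zones-1 AZs must hold REQUIRED_INSTANCES between them.
    """
    return math.ceil(required / (zones - 1))


def cheapest_spread(required, available_zones):
    """Return (zones, per_zone, total) with the fewest running instances that
    still tolerates the loss of one AZ. Ties go to the wider spread."""
    best = None
    for zones in range(2, available_zones + 1):
        per_zone = per_zone_for(required, zones)
        total = per_zone * zones
        if best is None or total < best[2] or (total == best[2] and zones > best[0]):
            best = (zones, per_zone, total)
    return best


def overhead_percent(total, required):
    """Extra capacity paid for, relative to the bare minimum."""
    return round((total - required) / required * 100, 1)


def evaluate_options(required, options):
    """Check each answer choice: does it survive an AZ loss, and what does it cost?

    `options` maps a label to (instances per AZ, number of AZs).
    """
    return {
        label: {
            "total": per_zone * zones,
            "survives_az_loss": survives_zone_loss(per_zone, zones, required),
        }
        for label, (per_zone, zones) in options.items()
    }


# The four answer choices of question 7, as (instances per AZ, number of AZs).
EXAM_OPTIONS = {
    "1: 3 servers in a-d": (3, 4),
    "2: 8 servers in a-b": (8, 2),
    "3: 2 servers in a-e": (2, 5),
    "4: 4 servers in a-c": (4, 3),
}

if __name__ == "__main__":
    required, available = 8, 6  # 8 m4.large minimum; us-east-1 AZs a through f
    for label, result in evaluate_options(required, EXAM_OPTIONS).items():
        print(f"{label}: total={result['total']} survives={result['survives_az_loss']}")
    zones, per_zone, total = cheapest_spread(required, available)
    print(f"cheapest: {per_zone} per AZ across {zones} AZs = {total} instances "
          f"({overhead_percent(total, required)}% over the minimum)")
```

Running it shows that all four choices survive the loss of one AZ, so cost decides: choice 3 runs 10 instances, 25% over the 8-instance floor, and the search confirms it is the cheapest spread across the six zones. The same functions answer the question for any required count and zone budget, which is the general point behind the exam answer.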

AWS Risk and Compliance – Whitepaper – Certification

AWS Risk and Compliance Whitepaper Overview

⚠️ Note: The original AWS Risk and Compliance Whitepaper (last updated March 2021) is now marked as “for historical reference only” by AWS. However, the core concepts of Shared Responsibility, Risk Governance, and Compliance Programs remain fully applicable. This post has been updated to reflect current AWS compliance practices, tools, and programs as of 2025.

  • AWS Risk and Compliance Whitepaper is intended to provide information to assist AWS customers with integrating AWS into their existing control framework supporting their IT environment.
  • AWS does communicate its security and control environment relevant to customers. AWS does this by doing the following:
    • Obtaining industry certifications and independent third-party attestations described in this document
    • Publishing information about the AWS security and control practices in whitepapers and web site content
    • Providing certificates, reports, and other documentation directly to AWS customers under NDA (as required)
    • Providing on-demand access to compliance reports through AWS Artifact — a self-service portal in the AWS Management Console

Shared Responsibility Model

  • AWS’ part in the shared responsibility includes
    • providing its services on a highly secure and controlled platform and providing a wide array of security features customers can use
    • relieving the customer’s operational burden, as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates
    • relieving the customer’s burden of operating controls by managing those controls associated with the physical infrastructure deployed in the AWS environment
    • Security “of” the Cloud — AWS is responsible for protecting the infrastructure that runs all services offered in the AWS Cloud, including hardware, software, networking, and facilities
  • Customers’ responsibility includes
    • configuring their IT environments in a secure and controlled manner for their purposes
    • Security “in” the Cloud — responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall
    • meeting stringent compliance requirements by leveraging technology such as host based firewalls, host based intrusion detection/prevention, encryption and key management
  • The Shared Responsibility Model also extends to IT controls — management, operation, and verification of IT controls is a shared responsibility
  • Responsibility varies depending on the services used:
    • Infrastructure Services (e.g., EC2) — Customer manages OS, firewall, network configuration, identity management
    • Container Services (e.g., RDS, ECS) — AWS manages OS and platform; customer manages network access, firewall rules, identity
    • Abstract Services (e.g., S3, DynamoDB, Lambda) — AWS manages platform, OS, server, networking; customer manages data, client-side encryption, access policies

Risk and Compliance Governance

  • AWS provides a wide range of information regarding its IT control environment to customers through white papers, reports, certifications, and other third-party attestations
  • AWS customers are required to continue to maintain adequate governance over the entire IT control environment regardless of how IT is deployed.
  • Leading practices include
    • an understanding of required compliance objectives and requirements (from relevant sources),
    • establishment of a control environment that meets those objectives and requirements,
    • an understanding of the validation required based on the organization’s risk tolerance,
    • and verification of the operating effectiveness of their control environment.
  • Strong customer compliance and governance might include the following basic approach:
    • Review information available from AWS together with other information to understand as much of the entire IT environment as possible, and then document all compliance requirements.
    • Design and implement control objectives to meet the enterprise compliance requirements.
    • Identify and document controls owned by outside parties.
    • Verify that all control objectives are met and all key controls are designed and operating effectively.
  • Approaching compliance governance in this manner helps companies gain a better understanding of their control environment and will help clearly delineate the verification activities to be performed.

AWS Compliance Programs, Certifications, and Third-Party Attestations

  • AWS engages with external certifying bodies and independent auditors to provide customers with considerable information regarding the policies, processes, and controls established and operated by AWS.
  • AWS provides third-party attestations, certifications, Service Organization Controls (SOC) reports and other relevant compliance reports directly to customers through AWS Artifact.
  • Key Compliance Programs include:
    • SOC 1, 2, and 3 Reports — Covers 188 services (as of Spring 2026), available in machine-readable OSCAL format
    • PCI DSS — Updated to PCI DSS v4.0; accessible through AWS Artifact
    • ISO Certifications — ISO 27001, 27017, 27018, 27701, 22301, 9001, and CSA STAR CCM v4
    • FedRAMP — Federal Risk and Authorization Management Program (Moderate and High baselines)
    • HIPAA — Healthcare compliance through Business Associate Addendum (BAA)
    • C5 — Cloud Computing Compliance Criteria Catalogue (183 services in scope)
    • NIST SP 800-53 — National Institute of Standards and Technology framework
    • NIST CSF 2.0 — Updated whitepaper aligning AWS services to the six Core Functions (Govern, Identify, Protect, Detect, Respond, Recover)
    • NIST SP 800-171 Rev. 2 — Protecting Controlled Unclassified Information (CUI)

AWS Compliance Tools and Services

  • AWS Artifact
    • Self-service portal providing on-demand access to AWS compliance reports
    • Download SOC reports, PCI DSS certifications, ISO certificates, and other attestations
    • Access previous versions of compliance reports without contacting AWS Support
    • Accept and manage agreements (e.g., BAA for HIPAA) on behalf of your account or organization
  • AWS Audit Manager
    • Continuously audit AWS usage to simplify risk and compliance assessment
    • Automates evidence collection mapped to specific compliance controls
    • Prebuilt frameworks for SOC 2, PCI DSS, GDPR, HIPAA, NIST, CIS, and more
    • Common control library with predefined and pre-mapped AWS data sources
    • Custom frameworks and controls creation capability
  • AWS Security Hub
    • Cloud Security Posture Management (CSPM) with automated security checks
    • Supported standards: AWS Foundational Security Best Practices, CIS AWS Foundations Benchmark, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS
    • Security scores for each enabled standard
    • Central configuration for multi-account deployments
  • AWS Control Tower
    • Governance and compliance controls for multi-account AWS environments
    • Supports frameworks: CIS v8.0, FedRAMP r4, ISO 27001:2013, NIST CSF v1.1, NIST SP 800-171 r2, PCI DSS v4.0, SOC 2
    • Guardrails (preventive, detective, proactive) for compliance enforcement

Key Risk and Compliance Questions

  • Shared Responsibility
    • AWS controls the physical components of the underlying technology.
    • Customer owns and controls everything else, including control over connection points and transmissions
  • Auditing IT
    • Auditing for most layers and controls above the physical controls remains the responsibility of the customer
    • AWS ISO 27001 and other certifications are available for auditors review
    • AWS-defined logical and physical controls are documented in the SOC 1 Type II report and available for review by audit and compliance teams
    • AWS Audit Manager automates evidence collection and maps it to compliance controls for streamlined audit preparation
  • Data location
    • AWS customers control which physical Region their data and their servers will be located in
    • AWS replicates the data only within the region
    • AWS will not move customers’ content from the selected Regions without notifying the customer, unless required to comply with the law or requests of governmental entities
    • Data Sovereignty Options: AWS Dedicated Local Zones, AWS Outposts, and Local Zones provide additional data residency controls for regulated workloads
  • Data center tours
    • As AWS hosts multiple customers, AWS does not allow data center tours by customers, as this would expose a wide range of customers to physical access by a third party.
    • An independent and competent auditor validates the presence and operation of controls as part of our SOC 1 Type II report.
    • This third-party validation provides customers with the independent perspective of the effectiveness of controls in place.
    • AWS customers can access SOC reports and other attestations directly through AWS Artifact without signing a separate NDA.
  • Third-party access
    • AWS strictly controls access to data centers, even for internal employees.
    • Third parties are not provided access to AWS data centers except when explicitly approved by the appropriate AWS data center manager per the AWS access policy
  • Multi-tenancy
    • AWS environment is a virtualized, multi-tenant environment.
    • AWS has implemented security management processes, PCI controls, and other security controls designed to isolate each customer from other customers.
    • AWS systems are designed to prevent customers from accessing physical hosts or instances not assigned to them by filtering through the virtualization software.
  • Hypervisor
    • Amazon EC2 has traditionally used a highly customized version of the Xen hypervisor.
    • Update (2025): Modern EC2 instance types (C5, M5, and newer) use the AWS Nitro System, which replaces the traditional Xen hypervisor with purpose-built hardware and a lightweight hypervisor. Legacy instance types (T2, M3, C3) still use Xen.
    • The Nitro System provides stronger security isolation through dedicated hardware for networking, storage, and security functions, reducing the attack surface
    • The Nitro hypervisor is a minimal, firmware-level component that provides memory and CPU isolation but has no network access, no persistent storage, and no interactive login
  • Vulnerability management
    • AWS is responsible for patching systems supporting the delivery of service to customers, such as the hypervisor and networking services
  • Encryption
    • AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS, and EC2.
    • IPSec tunnels to VPC are also encrypted
    • AWS Key Management Service (KMS) provides centralized key management with FIPS 140-3 Security Level 3 validated hardware security modules (HSMs)
    • AWS KMS supports post-quantum cryptography (ML-KEM for key agreement, ML-DSA for digital signatures) for future-proof encryption
    • AWS CloudHSM provides dedicated FIPS 140-3 validated hardware security modules for customers needing full control over keys
    • Most AWS services now offer encryption at rest by default using AWS-owned or customer-managed KMS keys
  • Data isolation
    • All data stored by AWS on behalf of customers has strong tenant isolation security and control capabilities
  • Composite services
    • AWS does not leverage any third-party cloud providers to deliver AWS services to customers.
  • Distributed Denial Of Service (DDoS) attacks
    • AWS network provides significant protection against traditional network security issues and the customer can implement further protection
    • AWS Shield Standard — Free, automatic protection against common Layer 3/4 DDoS attacks for all AWS customers
    • AWS Shield Advanced — Managed DDoS protection with 24/7 access to AWS Shield Response Team (SRT), DDoS cost protection, and automatic application layer (L7) DDoS mitigation
  • Data portability
    • AWS allows customers to move data as needed on and off AWS storage
  • Service & Customer provider business continuity
    • AWS does operate a business continuity program
    • AWS data centers incorporate physical protection against environmental risks.
    • AWS’ physical protection against environmental risks has been validated by an independent auditor and has been certified
    • AWS provides customers with the capability to implement a robust continuity plan with multi-Region/AZ deployment architectures, backups, and data redundancy replication
  • Capability to scale
    • AWS cloud is distributed, highly secure and resilient, giving customers massive scale potential.
    • Customers may scale up or down, paying for only what they use
  • Service availability
    • AWS does commit to high levels of availability in its service level agreements (SLAs), e.g., 99.99% availability for S3
  • Application Security
    • AWS system development lifecycle incorporates industry best practices which include formal design reviews by the AWS Security Team, source code analysis, threat modeling and completion of a risk assessment
    • AWS does not generally outsource development of software.
  • Threat and Vulnerability Management
    • AWS Security regularly engages independent security firms to perform external vulnerability threat assessments
    • AWS Security regularly scans all Internet-facing service endpoint IP addresses for vulnerabilities, but these scans do not include customer instances
    • AWS Security notifies the appropriate parties to remediate any identified vulnerabilities.
    • Updated Penetration Testing Policy: AWS no longer requires advance approval for penetration testing against customer-owned resources for the following services: EC2, NAT Gateways, Elastic Load Balancers, RDS, CloudFront, Aurora, API Gateway, Lambda, Lambda@Edge, Lightsail, and Elastic Beanstalk
    • Prohibited Activities still include: DNS zone walking, DoS/DDoS attacks, port flooding, protocol flooding, and request flooding (unless using approved AWS services like Shield Advanced testing)
  • Data Security
    • Customers retain full ownership and control of their data
    • AWS provides multiple encryption options for data at rest and data in transit
    • AWS KMS provides centralized key management with audit trails via AWS CloudTrail

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. When preparing for a compliance assessment of your system built inside AWS, what are three best practices for you to prepare for an audit? Choose 3 answers
    1. Gather evidence of your IT operational controls (Customer still needs to gather all the IT operational controls in line with their environment)
    2. Request and obtain applicable third-party audited AWS compliance reports and certifications (Customers can request the reports and certifications produced by our third-party auditors or can request more information about AWS Compliance via AWS Artifact)
    3. Request and obtain a compliance and security tour of an AWS data center for a pre-assessment security review (AWS does not allow data center tour)
    4. Request and obtain approval from AWS to perform relevant network scans and in-depth penetration tests of your system’s Instances and endpoints (Note: AWS no longer requires prior approval for pen testing on permitted services (EC2, RDS, CloudFront, etc.), but the answer remains valid in exam context as it was the original requirement)
    5. Schedule meetings with AWS’s third-party auditors to provide evidence of AWS compliance that maps to your control objectives (Customers can request the reports and certifications produced by our third-party auditors or can request more information about AWS Compliance)
  2. In the shared security model, AWS is responsible for which of the following security best practices (check all that apply) :
    1. Penetration testing
    2. Operating system account security management
    3. Threat modeling
    4. User group access management
    5. Static code analysis
  3. You are running a web application on AWS consisting of the following components: an Elastic Load Balancer (ELB), an Auto Scaling Group of EC2 instances running Linux/PHP/Apache, and Relational Database Service (RDS) MySQL. Which security measures fall into AWS’s responsibility?
    1. Protect the EC2 instances against unsolicited access by enforcing the principle of least-privilege access (Customer owned)
    2. Protect against IP spoofing or packet sniffing
    3. Assure all communication between EC2 instances and ELB is encrypted (Customer owned)
    4. Install latest security patches on ELB, RDS and EC2 instances (Customer owned for EC2 instances; AWS owned for ELB and RDS infrastructure)
  4. Which of the following statements is true about achieving PCI certification on the AWS platform? (Choose 2)
    1. Your organization owns the compliance initiatives related to anything placed on the AWS infrastructure
    2. Amazon EC2 instances must run on a single-tenancy environment (dedicated instance)
    3. AWS manages card-holder environments
    4. AWS Compliance provides assurance related to the underlying infrastructure
  5. A company needs to continuously audit its AWS usage to ensure compliance with internal policies and regulatory standards. Which AWS service should they use?
    1. AWS Config
    2. AWS Audit Manager (AWS Audit Manager continuously audits AWS usage and automates evidence collection for compliance assessments)
    3. AWS CloudTrail
    4. Amazon Inspector
  6. Which AWS service provides a centralized view of security alerts and compliance status across multiple AWS accounts?
    1. Amazon GuardDuty
    2. AWS Config
    3. AWS Security Hub (Security Hub provides centralized security posture management with automated compliance checks against standards like CIS, NIST, and PCI DSS)
    4. AWS CloudTrail
  7. A company needs to download AWS SOC 2 and PCI DSS compliance reports for their auditors. Which AWS service provides on-demand access to these reports?
    1. AWS Config
    2. AWS Security Hub
    3. AWS Trusted Advisor
    4. AWS Artifact (AWS Artifact is the self-service portal for on-demand access to AWS compliance reports, certifications, and agreements)
  8. Under the AWS Shared Responsibility Model, which of the following is the customer’s responsibility for Amazon RDS? (Choose 2)
    1. Patching the database engine
    2. Managing database users and permissions
    3. Replacing failed hardware
    4. Configuring security groups to control network access
    5. OS-level patching of the underlying instance

AWS Storage Options – Whitepaper – Certification

📋 Whitepaper Archived

The original AWS Storage Options whitepaper has been archived by AWS. AWS now recommends referring to the Storage section in the AWS Overview whitepaper or the AWS Cloud Storage page for current storage guidance.

This content is maintained and updated for certification exam preparation as the core storage concepts and service selection patterns remain highly relevant.

AWS Storage Options is one of the most important topics for AWS Solution Architect Professional Certification exam and covers a brief summary of each AWS storage option, their ideal usage patterns, anti-patterns, performance, durability and availability, scalability etc.

Overview

  • AWS offers multiple cloud-based storage options. Each has a unique combination of performance, durability, availability, cost, and interface, as well as other characteristics such as scalability and elasticity
  • All storage options are ideally suited for some use cases and there are certain Anti-Patterns which should be taken into account while making a storage choice
  • AWS storage services now span object storage, block storage, file storage, archival storage, hybrid storage, data transfer, and backup services

AWS Various Storage Options

AWS Storage Services

Amazon S3 & S3 Glacier Storage Classes

More Details @ AWS Storage Options – S3 & Glacier

Key Updates (2024-2026):

  • S3 Glacier is now three separate storage classes:
    • S3 Glacier Instant Retrieval – millisecond retrieval for rarely accessed data
    • S3 Glacier Flexible Retrieval (formerly S3 Glacier) – minutes to hours retrieval
    • S3 Glacier Deep Archive – lowest cost, 12-48 hour retrieval
  • S3 Express One Zone (launched 2023) – up to 10x faster performance than S3 Standard, single-digit millisecond latency, designed for most frequently accessed data. Received up to 85% price reduction in 2025.
  • S3 Tables (launched Dec 2024) – fully managed Apache Iceberg tables optimized for analytics workloads with up to 3x faster query throughput
  • S3 Intelligent-Tiering – now includes Archive Instant Access, Archive Access, and Deep Archive Access tiers

Amazon Elastic Block Store (EBS) & Instance Store Volumes

More details @ AWS Storage Options – EBS & Instance Store

Amazon EFS (Elastic File System)

  • Fully managed, elastic NFS file system for Linux workloads
  • Supports machine learning, big data analytics, web serving, and content management
  • Scales automatically without provisioning or managing capacity
  • Offers Standard and Infrequent Access storage classes with lifecycle management

Amazon FSx Family

  • FSx for Windows File Server – fully managed Windows-native file system
  • FSx for Lustre – high-performance file system for compute-intensive workloads (new Elastic storage class launched 2025)
  • FSx for NetApp ONTAP – fully managed shared storage with NetApp ONTAP (2nd gen file systems in 2024)
  • FSx for OpenZFS – fully managed OpenZFS file system (Intelligent-Tiering storage class launched Dec 2024, saves up to 85%)

Amazon RDS, DynamoDB & Database on EC2

More details @ AWS Storage Options – RDS, DynamoDB & Database on EC2

Amazon SQS & Redshift

More details @ AWS Storage Options – SQS & Redshift

Amazon CloudFront & ElastiCache

More details @ AWS Storage Options – CloudFront & ElastiCache

AWS Storage Gateway

More details @ AWS Storage Options – Storage Gateway & Import/Export

Key Updates:

  • Storage Gateway continues to provide S3 File Gateway, Tape Gateway, and Volume Gateway
  • FSx File Gateway is no longer available to new customers (effective October 28, 2024). Existing customers should migrate to direct Amazon FSx for Windows File Server access.
  • All Storage Gateway appliances must migrate from Amazon Linux 2 to AL2023 for continued updates

AWS Data Transfer & Migration Services

⚠️ AWS Import/Export & Snow Family Updates:

  • AWS Import/Export (original disk-shipping service) – deprecated long ago, replaced by Snow Family
  • AWS Snowmobile – Retired in March 2024. Service is no longer available.
  • AWS Snowcone – Discontinued effective November 12, 2024. Support ended November 12, 2025.
  • AWS Snowball Edge – Only available to existing customers as of November 7, 2025. Not available to new customers.

Recommended Replacements:

  • AWS DataSync – for online data transfers (now supports cross-cloud transfers to Google Cloud, Azure, Oracle Cloud as of 2025)
  • AWS Data Transfer Terminal (launched Dec 2024) – secure physical locations where you bring your storage devices and connect directly to the AWS network for high-speed uploads to S3, EFS, and other services
  • AWS Outposts – for edge computing use cases previously served by Snow devices
  • AWS Partner solutions – for specialized migration needs

AWS Backup

  • Fully managed, centralized backup service that automates data protection across AWS services and hybrid workloads
  • Supports EC2, EBS, RDS, DynamoDB, EFS, FSx, S3, Storage Gateway, and Amazon EKS (added 2025)
  • Provides ransomware detection and recovery capabilities
  • Supports cross-Region and cross-account backup with AWS Organizations integration
  • Logically air-gapped vaults for additional protection
  • Policy-based backup plans with configurable frequency and retention
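The "policy-based backup plans" bullet is easier to reason about with a concrete plan document. The following is an added example (not code from the original post or from AWS): it builds a plan in the shape the AWS Backup CreateBackupPlan API accepts, with a cross-account copy action, and validates the one lifecycle rule that most often rejects a plan, namely that DeleteAfterDays must be at least 90 days after MoveToColdStorageAfterDays. Vault names, the schedule and the destination vault ARN are constructed sample values; the optional boto3 call is only reached when you run it against a real account.

```python
"""Build and validate an AWS Backup plan before creating it.

Added example, not part of the original post. Rule shape follows the
BackupPlan input of CreateBackupPlan; vault names, schedules and the
copy-destination ARN below are constructed placeholders.
"""
from __future__ import annotations

# AWS requirement: recovery points must sit in cold storage at least 90 days before deletion.
COLD_STORAGE_MIN_GAP_DAYS = 90


def backup_rule(name: str, vault: str, schedule: str, retention_days: int,
                cold_after_days: int | None = None,
                copy_to_vault_arn: str | None = None) -> dict:
    """Return one BackupRule entry with an explicit lifecycle (and optional copy action)."""
    lifecycle = {"DeleteAfterDays": retention_days}
    if cold_after_days is not None:
        lifecycle["MoveToColdStorageAfterDays"] = cold_after_days
    rule = {
        "RuleName": name,
        "TargetBackupVaultName": vault,
        "ScheduleExpression": schedule,
        "StartWindowMinutes": 60,
        "CompletionWindowMinutes": 180,
        "Lifecycle": lifecycle,
    }
    if copy_to_vault_arn:
        # Cross-account / cross-Region copy: the copy carries its own lifecycle,
        # which is what keeps a second, independently retained recovery point.
        rule["CopyActions"] = [{
            "DestinationBackupVaultArn": copy_to_vault_arn,
            "Lifecycle": dict(lifecycle),
        }]
    return rule


def build_plan(name: str, rules: list[dict]) -> dict:
    return {"BackupPlanName": name, "Rules": rules}


def validate_plan(plan: dict) -> list[str]:
    """Return a list of problems; an empty list means the plan passes the checks."""
    problems = []
    for rule in plan.get("Rules", []):
        name = rule.get("RuleName", "<unnamed>")
        lifecycles = [rule.get("Lifecycle", {})]
        lifecycles += [c.get("Lifecycle", {}) for c in rule.get("CopyActions", [])]
        for lc in lifecycles:
            delete = lc.get("DeleteAfterDays")
            cold = lc.get("MoveToColdStorageAfterDays")
            if delete is None:
                problems.append(f"{name}: no DeleteAfterDays, recovery points would never expire")
            elif cold is not None and delete < cold + COLD_STORAGE_MIN_GAP_DAYS:
                problems.append(f"{name}: DeleteAfterDays must be >= "
                                f"MoveToColdStorageAfterDays + {COLD_STORAGE_MIN_GAP_DAYS}")
    return problems


def create_plan(plan: dict):
    """Validate, then create the plan with boto3 (needs credentials; not run offline)."""
    import boto3  # imported lazily so validation works without boto3 installed
    problems = validate_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    return boto3.client("backup").create_backup_plan(BackupPlan=plan)


if __name__ == "__main__":
    plan = build_plan("prod-daily", [
        backup_rule("daily", "prod-vault", "cron(0 5 ? * * *)", retention_days=365,
                    cold_after_days=90,
                    copy_to_vault_arn="arn:aws:backup:us-west-2:111122223333:backup-vault:dr-vault"),
    ])
    print(validate_plan(plan) or "plan is valid")
```

The copy action is the piece that implements the cross-account, cross-Region bullet above; pair the destination vault with a vault lock or a logically air-gapped vault so that a compromised source account cannot delete the copies.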

Deprecated Services Referenced in Exam Questions

⚠️ Amazon Elastic Transcoder – EOL November 13, 2025

Amazon Elastic Transcoder has been discontinued. AWS Elemental MediaConvert is the recommended replacement, offering better performance, more features, and lower pricing. Questions referencing Elastic Transcoder still appear on older exam versions but the correct architectural pattern (S3 + transcoding + CloudFront) remains valid using MediaConvert.

⚠️ Amazon SWF (Simple Workflow Service) – Superseded by Step Functions

While SWF remains available, AWS recommends Step Functions for all new applications. SWF still appears in exam questions but new designs should use Step Functions for workflow orchestration.

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. You are developing a highly available web application using stateless web servers. Which services are suitable for storing session state data? Choose 3 answers.
    1. Elastic Load Balancing
    2. Amazon Relational Database Service (RDS)
    3. Amazon CloudWatch
    4. Amazon ElastiCache
    5. Amazon DynamoDB
    6. AWS Storage Gateway
  2. Your firm has uploaded a large amount of aerial image data to S3. In the past, in your on-premises environment, you used a dedicated group of servers to batch process this data and used RabbitMQ, an open source messaging system, to get job information to the servers. Once processed, the data would go to tape and be shipped offsite. Your manager told you to stay with the current design, and leverage AWS archival storage and messaging services to minimize cost. Which is correct? [PROFESSIONAL]
    1. Use SQS for passing job messages, use CloudWatch alarms to terminate EC2 worker instances when they become idle. Once data is processed, change the storage class of the S3 objects to Reduced Redundancy Storage.
    2. Setup Auto-Scaled workers triggered by queue depth that use spot instances to process messages in SQS. Once data is processed, change the storage class of the S3 objects to Reduced Redundancy Storage.
    3. Setup Auto-Scaled workers triggered by queue depth that use spot instances to process messages in SQS. Once data is processed, change the storage class of the S3 objects to Glacier. (Now S3 Glacier Flexible Retrieval or S3 Glacier Deep Archive)
    4. Use SNS to pass job messages, use CloudWatch alarms to terminate spot worker instances when they become idle. Once data is processed, change the storage class of the S3 object to Glacier.
  3. You are developing a new mobile application and are considering storing user preferences in AWS, which would provide a more uniform cross-device experience to users using multiple mobile devices to access the application. The preference data for each user is estimated to be 50KB in size. Additionally, 5 million customers are expected to use the application on a regular basis. The solution needs to be cost-effective, highly available, scalable and secure. How would you design a solution to meet the above requirements? [PROFESSIONAL]
    1. Setup an RDS MySQL instance in 2 availability zones to store the user preference data. Deploy a public facing application on a server in front of the database to manage security and access credentials
    2. Setup a DynamoDB table with an item for each user having the necessary attributes to hold the user preferences. The mobile application will query the user preferences directly from the DynamoDB table. Utilize STS, Web Identity Federation, and DynamoDB Fine Grained Access Control to authenticate and authorize access
    3. Setup an RDS MySQL instance with multiple read replicas in 2 availability zones to store the user preference data .The mobile application will query the user preferences from the read replicas. Leverage the MySQL user management and access privilege system to manage security and access credentials.
    4. Store the user preference data in S3. Setup a DynamoDB table with an item for each user and an item attribute pointing to the user’s S3 object. The mobile application will retrieve the S3 URL from DynamoDB and then access the S3 object directly. Utilize STS, Web Identity Federation, and S3 ACLs to authenticate and authorize access.
  4. A company is building a voting system for a popular TV show, viewers would watch the performances then visit the show’s website to vote for their favorite performer. It is expected that in a short period of time after the show has finished the site will receive millions of visitors. The visitors will first login to the site using their Amazon.com credentials and then submit their vote. After the voting is completed the page will display the vote totals. The company needs to build the site such that can handle the rapid influx of traffic while maintaining good performance but also wants to keep costs to a minimum. Which of the design patterns below should they use? [PROFESSIONAL]
    1. Use CloudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers, the web servers will first call the Login With Amazon service to authenticate the user then process the user's vote and store the result into a multi-AZ Relational Database Service instance.
    2. Use CloudFront and the static website hosting feature of S3 with the Javascript SDK to call the Login With Amazon service to authenticate the user, use IAM Roles to gain permissions to a DynamoDB table to store the users vote.
    3. Use CloudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers, the web servers will first call the Login with Amazon service to authenticate the user, the web servers will process the users vote and store the result into a DynamoDB table using IAM Roles for EC2 instances to gain permissions to the DynamoDB table.
    4. Use CloudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers, the web servers will first call the Login With Amazon service to authenticate the user, the web servers would process the users vote and store the result into an SQS queue using IAM Roles for EC2 Instances to gain permissions to the SQS queue. A set of application servers will then retrieve the items from the queue and store the result into a DynamoDB table
  5. A large real-estate brokerage is exploring the option of adding a cost-effective location-based alert to their existing mobile application. The application backend infrastructure currently runs on AWS. Users who opt in to this service will receive alerts on their mobile device regarding real-estate offers in proximity to their location. For the alerts to be relevant, delivery time needs to be in the low minute count. The existing mobile app has 5 million users across the US. Which one of the following architectural suggestions would you make to the customer? [PROFESSIONAL]
    1. Mobile application will submit its location to a web service endpoint utilizing Elastic Load Balancing and EC2 instances. DynamoDB will be used to store and retrieve relevant offers. EC2 instances will communicate with mobile carriers/device providers to push alerts back to mobile application.
    2. Use AWS Direct Connect or VPN to establish connectivity with mobile carriers. EC2 instances will receive the mobile application's location through the carrier connection; RDS will be used to store and retrieve relevant offers. EC2 instances will communicate with mobile carriers to push alerts back to the mobile application
    3. Mobile application will send device location using SQS. EC2 instances will retrieve the relevant offers from DynamoDB. AWS Mobile Push will be used to send offers to the mobile application (Note: Amazon SNS Mobile Push is now the terminology for mobile push notifications)
    4. Mobile application will send device location using AWS Mobile Push. EC2 instances will retrieve the relevant offers from DynamoDB. EC2 instances will communicate with mobile carriers/device providers to push alerts back to the mobile application.
  6. You are running a news website in the eu-west-1 region that updates every 15 minutes. The website has a worldwide audience and it uses an Auto Scaling group behind an Elastic Load Balancer and an Amazon RDS database. Static content resides on Amazon S3, and is distributed through Amazon CloudFront. Your Auto Scaling group is set to trigger a scale up event at 60% CPU utilization; you use an Amazon RDS extra-large DB instance with 10,000 Provisioned IOPS, its CPU utilization is around 80%, while freeable memory is in the 2 GB range. Web analytics reports show that the average load time of your web pages is around 1.5 to 2 seconds, but your SEO consultant wants to bring down the average load time to under 0.5 seconds. How would you improve page load times for your users? (Choose 3 answers) [PROFESSIONAL]
    1. Lower the scale up trigger of your Auto Scaling group to 30% so it scales more aggressively.
    2. Add an Amazon ElastiCache caching layer to your application for storing sessions and frequent DB queries
    3. Configure Amazon CloudFront dynamic content support to enable caching of re-usable content from your site
    4. Switch Amazon RDS database to the high memory extra-large Instance type
    5. Set up a second installation in another region, and use the Amazon Route 53 latency-based routing feature to select the right region.
  7. A read-only news reporting site with a combined web and application tier and a database tier that receives large and unpredictable traffic demands must be able to respond to these traffic fluctuations automatically. What AWS services should be used to meet these requirements? [PROFESSIONAL]
    1. Stateless instances for the web and application tier synchronized using ElastiCache Memcached in an autoscaling group monitored with CloudWatch. And RDS with read replicas.
    2. Stateful instances for the web and application tier in an autoscaling group monitored with CloudWatch and RDS with read replicas
    3. Stateful instances for the web and application tier in an autoscaling group monitored with CloudWatch. And multi-AZ RDS
    4. Stateless instances for the web and application tier synchronized using ElastiCache Memcached in an autoscaling group monitored with CloudWatch and multi-AZ RDS
  8. You have a periodic image analysis application that gets some files as input, analyzes them and for each file writes some data in output to a text file. The number of input files per day is high and concentrated in a few hours of the day. Currently you have a server on EC2 with a large EBS volume that hosts the input data and the results; it takes almost 20 hours per day to complete the process. What services could be used to reduce the elaboration time and improve the availability of the solution? [PROFESSIONAL]
    1. S3 to store I/O files. SQS to distribute elaboration commands to a group of hosts working in parallel. Auto scaling to dynamically size the group of hosts depending on the length of the SQS queue
    2. EBS with Provisioned IOPS (PIOPS) to store I/O files. SNS to distribute elaboration commands to a group of hosts working in parallel Auto Scaling to dynamically size the group of hosts depending on the number of SNS notifications
    3. S3 to store I/O files, SNS to distribute elaboration commands to a group of hosts working in parallel. Auto scaling to dynamically size the group of hosts depending on the number of SNS notifications
    4. EBS with Provisioned IOPS (PIOPS) to store I/O files SQS to distribute elaboration commands to a group of hosts working in parallel Auto Scaling to dynamically size the group to hosts depending on the length of the SQS queue.
  9. A 3-tier e-commerce web application is currently deployed on-premises and will be migrated to AWS for greater scalability and elasticity. The web server currently shares read-only data using a network distributed file system. The app server tier uses a clustering mechanism for discovery and shared session state that depends on IP multicast. The database tier uses shared-storage clustering to provide database failover capability, and uses several read slaves for scaling. Data on all servers and the distributed file system directory is backed up weekly to off-site tapes. Which AWS storage and database architecture meets the requirements of the application? [PROFESSIONAL]
    1. Web servers store read-only data in S3, and copy from S3 to root volume at boot time. App servers share state using a combination of DynamoDB and IP unicast. Database use RDS with multi-AZ deployment and one or more Read Replicas. Backup web and app servers backed up weekly via AMIs, database backed up via DB snapshots.
    2. Web servers store read-only data in S3, and copy from S3 to root volume at boot time. App servers share state using a combination of DynamoDB and IP unicast. Database use RDS with multi-AZ deployment and one or more Read replicas. Backup web servers app servers, and database backed up weekly to Glacier using snapshots (Snapshots to Glacier don’t work directly with EBS snapshots)
    3. Web servers store read-only data in S3 and copy from S3 to root volume at boot time. App servers share state using a combination of DynamoDB and IP unicast. Database use RDS with multi-AZ deployment. Backup web and app servers backed up weekly via AMIs. Database backed up via DB snapshots (Need Read replicas for scalability and elasticity)
    4. Web servers, store read-only data in an EC2 NFS server, mount to each web server at boot time App servers share state using a combination of DynamoDB and IP multicast Database use RDS with multi-AZ deployment and one or more Read Replicas Backup web and app servers backed up weekly via AMIs database backed up via DB snapshots (IP multicast not available in AWS)
  10. Our company is getting ready to do a major public announcement of a social media site on AWS. The website is running on EC2 instances deployed across multiple Availability Zones with a Multi-AZ RDS MySQL Extra Large DB Instance. The site performs a high number of small reads and writes per second and relies on an eventual consistency model. After comprehensive tests you discover that there is read contention on RDS MySQL. Which are the best approaches to meet these requirements? (Choose 2 answers) [PROFESSIONAL]
    1. Deploy ElastiCache in-memory cache running in each availability zone
    2. Implement sharding to distribute load to multiple RDS MySQL instances (Would distribute read write both, focus is on read contention)
    3. Increase the RDS MySQL Instance size and Implement provisioned IOPS (Would distribute read write both, focus is on read contention)
    4. Add an RDS MySQL read replica in each availability zone
  11. You run a 2-tier app with the following: an ELB, three web app servers on EC2, and 1 MySQL RDS db. With growing load, db queries take longer and longer and slow down the overall response time for user requests. What options could speed up performance? (Choose 3) [PROFESSIONAL]
    1. Create an RDS read-replica and redirect half of the database read request to it
    2. Cache database queries in Amazon ElastiCache
    3. Setup RDS in multi-availability zone mode.
    4. Shard the database and distribute loads between shards.
    5. Use Amazon CloudFront to cache database queries.
  12. You have a web application leveraging an Elastic Load Balancer (ELB) in front of the web servers deployed using an Auto Scaling Group. Your database is running on Relational Database Service (RDS). The application serves out technical articles and responses to them; in general there are more views of an article than there are responses to the article. On occasion, an article on the site becomes extremely popular, resulting in significant traffic increases that cause the site to go down. What could you do to help alleviate the pressure on the infrastructure while maintaining availability during these events? Choose 3 answers [PROFESSIONAL]
    1. Leverage CloudFront for the delivery of the articles.
    2. Add RDS read-replicas for the read traffic going to your relational database
    3. Leverage ElastiCache for caching the most frequently used data.
    4. Use SQS to queue up the requests for the technical posts and deliver them out of the queue (does not process and would not be real time)
    5. Use Route53 health checks to fail over to an S3 bucket for an error page (more of an error handling then availability)
  1. Your website is serving on-demand training videos to your workforce. Videos are uploaded monthly in high resolution MP4 format. Your workforce is distributed globally, often on the move and using company-provided tablets that require the HTTP Live Streaming (HLS) protocol to watch a video. Your company has no video transcoding expertise and if required you might need to pay for a consultant. How do you implement the most cost-efficient architecture without compromising high availability and quality of video delivery? [PROFESSIONAL]
    1. AWS Elemental MediaConvert to transcode original high-resolution MP4 videos to HLS. S3 to host videos with Lifecycle Management to archive original files to S3 Glacier Flexible Retrieval after a few days. CloudFront to serve HLS transcoded videos from S3. (MediaConvert replaces Elastic Transcoder (EOL Nov 2025) for high quality transcoding. S3 to host videos cheaply, Glacier for archives and CloudFront for high availability)
    2. A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the number of nodes depending on the length of the queue S3 to host videos with Lifecycle Management to archive all files to Glacier after a few days CloudFront to serve HLS transcoding videos from Glacier
    3. AWS Elemental MediaConvert to transcode original high-resolution MP4 videos to HLS EBS volumes to host videos and EBS snapshots to incrementally backup original files after a few days. CloudFront to serve HLS transcoded videos from EC2.
    4. A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the number of nodes depending on the length of the queue. EBS volumes to host videos and EBS snapshots to incrementally backup original files after a few days. CloudFront to serve HLS transcoded videos from EC2

    Note: Original question referenced Elastic Transcoder which reached End of Life on November 13, 2025. AWS Elemental MediaConvert is the replacement service. The architectural pattern remains the same.

  2. To meet regulatory requirements, a pharmaceuticals company needs to archive data after a drug trial test is concluded. Each drug trial test may generate up to several thousands of files, with compressed file sizes ranging from 1 byte to 100MB. Once archived, data rarely needs to be restored, and on the rare occasion when restoration is needed, the company has 24 hours to restore specific files that match certain metadata. Searches must be possible by numeric file ID, drug name, participant names, date ranges, and other metadata. Which is the most cost-effective architectural approach that can meet the requirements? [PROFESSIONAL]
    1. Store individual files in Amazon S3 Glacier, using the file ID as the archive name. When restoring data, query the Amazon Glacier vault for files matching the search criteria. (Individual files are expensive and do not allow searching by participant names etc.)
    2. Store individual files in Amazon S3, and store search metadata in an Amazon Relational Database Service (RDS) multi-AZ database. Create a lifecycle rule to move the data to Amazon S3 Glacier after a certain number of days. When restoring data, query the Amazon RDS database for files matching the search criteria, and move the files matching the search criteria back to S3 Standard class. (As the data is rarely needed, it can be stored in Glacier directly, and the data need not be moved back to S3 Standard)
    3. Store individual files in Amazon S3 Glacier, and store the search metadata in an Amazon RDS multi-AZ database. When restoring data, query the Amazon RDS database for files matching the search criteria, and retrieve the archive name that matches the file ID returned from the database query. (Individual files and Multi-AZ is expensive)
    4. First, compress and then concatenate all files for a completed drug trial test into a single Amazon S3 Glacier archive. Store the associated byte ranges for the compressed files along with other search metadata in an Amazon RDS database with regular snapshotting. When restoring data, query the database for files that match the search criteria, and create restored files from the retrieved byte ranges.
    5. Store individual compressed files and search metadata in Amazon Simple Storage Service (S3). Create a lifecycle rule to move the data to Amazon S3 Glacier, after a certain number of days. When restoring data, query the Amazon S3 bucket for files matching the search criteria, and retrieve the file to S3 reduced redundancy in order to move it back to S3 Standard class. (Once the data is moved from S3 to Glacier the metadata is lost, as Glacier does not have metadata and must be maintained externally. Also S3 Reduced Redundancy Storage is no longer recommended.)
  3. A document storage company is deploying their application to AWS and changing their business model to support both free tier and premium tier users. The premium tier users will be allowed to store up to 200GB of data and free tier customers will be allowed to store only 5GB. The customer expects that billions of files will be stored. All users need to be alerted when approaching 75 percent quota utilization and again at 90 percent quota use. To support the free tier and premium tier users, how should they architect their application? [PROFESSIONAL]
    1. The company should utilize an Amazon Simple Workflow Service activity worker that updates the users data counter in Amazon DynamoDB. The activity worker will use Simple Email Service to send an email if the counter increases above the appropriate thresholds. (Note: For new implementations, AWS Step Functions with DynamoDB and SES would be the modern approach)
    2. The company should deploy an Amazon Relational Database Service relational database with a store objects table that has a row for each stored object along with size of each object. The upload server will query the aggregate consumption of the user in question by first determining the files stored by the user, and then querying the stored objects table for respective file sizes and send an email via Amazon Simple Email Service if the thresholds are breached.
    3. The company should write both the content length and the username of the files owner as S3 metadata for the object. They should then create a file watcher to iterate over each object and aggregate the size for each user and send a notification via Amazon Simple Queue Service to an emailing service if the storage threshold is exceeded.
    4. The company should create two separated Amazon Simple Storage Service buckets one for data storage for free tier users and another for data storage for premium tier users. An Amazon Simple Workflow Service activity worker will query all objects for a given user based on the bucket the data is stored
  4. Your company has been contracted to develop and operate a website that tracks NBA basketball statistics. Statistical data to derive reports like “best game-winning shots from the regular season” and more frequently built reports like “top shots of the game” need to be stored durably for repeated lookup. Leveraging social media techniques, NBA fans submit and vote on new report types from the existing data set so the system needs to accommodate variability in data queries and new static reports must be generated and posted daily. Initial research in the design phase indicates that there will be over 3 million report queries on game day by end users and other applications that use this application as a data source. It is expected that this system will gain in popularity over time and reach peaks of 10-15 million report queries of the system on game days. Select the answer that will allow your application to best meet these requirements while minimizing costs. [PROFESSIONAL]
    1. Launch a multi-AZ MySQL Amazon Relational Database Service (RDS) Read Replica connected to your multi AZ master database and generate reports by querying the Read Replica. Perform a daily table cleanup.
    2. Implement a multi-AZ MySQL RDS deployment and have the application generate reports from Amazon ElastiCache for in-memory performance results. Utilize the default expire parameter for items in the cache.
    3. Generate reports from a multi-AZ MySQL Amazon RDS deployment and have an offline task put reports in Amazon Simple Storage Service (S3) and use CloudFront to cache the content. Use a TTL to expire objects daily. (Offline task with S3 storage and CloudFront cache)
    4. Query a multi-AZ MySQL RDS instance and store the results in a DynamoDB table. Generate reports from the DynamoDB table. Remove stale tables daily.
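Question 3 of the first set above (user preferences in DynamoDB) turns on STS, Web Identity Federation and DynamoDB fine-grained access control working together. The following is an added example, not code from the original post or from AWS: it writes the two IAM documents involved (the role trust policy for Cognito-federated identities and a permissions policy with the dynamodb:LeadingKeys condition) and then mimics how IAM evaluates that condition, so you can see which requests a given identity could make. The table name, Region, account id (123456789012) and identity pool id are placeholders.

```python
"""Least-privilege DynamoDB access for a federated mobile identity.

Added example, not part of the original post. Table ARN, account id and
identity pool id are placeholders; the condition keys are the documented
dynamodb:LeadingKeys and cognito-identity.amazonaws.com:* keys.
"""
import json
from typing import Iterable

SUB_VAR = "${cognito-identity.amazonaws.com:sub}"  # IAM policy variable, resolved per caller
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/UserPreferences"  # placeholder
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"         # placeholder


def trust_policy(identity_pool_id: str = IDENTITY_POOL_ID) -> dict:
    """Role trust policy: only authenticated identities from this pool may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }],
    }


def permissions_policy(table_arn: str = TABLE_ARN) -> dict:
    """Permissions policy: the caller may only touch items whose partition key is its own identity id.

    dynamodb:Scan is deliberately absent: a Scan carries no key values, and
    ForAllValues evaluates to true when the request has no values to compare,
    so allowing Scan here would expose the whole table.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OwnItemsOnly",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
                       "dynamodb:UpdateItem", "dynamodb:Query"],
            "Resource": table_arn,
            "Condition": {
                "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [SUB_VAR]},
            },
        }],
    }


def request_allowed(policy: dict, identity_sub: str, leading_keys: Iterable[str]) -> bool:
    """Mimic IAM's evaluation of the ForAllValues:StringEquals LeadingKeys condition.

    leading_keys is the set of partition-key values a request touches (one for
    GetItem/PutItem/Query, several for a batch). ForAllValues holds when every
    request value is in the allowed set, and vacuously when there are none.
    """
    stmt = policy["Statement"][0]
    allowed = {v.replace(SUB_VAR, identity_sub)
               for v in stmt["Condition"]["ForAllValues:StringEquals"]["dynamodb:LeadingKeys"]}
    return all(key in allowed for key in leading_keys)


def to_json(policy: dict) -> str:
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    me = "us-east-1:11111111-2222-3333-4444-555555555555"  # constructed identity id
    print(to_json(permissions_policy()))
    print(request_allowed(permissions_policy(), me, [me]))                 # own item: allowed
    print(request_allowed(permissions_policy(), me, [me, "someone-else"]))  # another user's key: denied
```

The table's partition key must be the Cognito identity id for this to work; if the application keys items by something the client chooses (a username, an e-mail address), the condition cannot tie the item to the caller and the design falls back to a server-side layer, which is what the other options in that question describe.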
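The drug-trial archival question above (option 4: compress and concatenate a trial's files into one Glacier archive and keep byte ranges plus search metadata in a database) is easiest to understand by running it end to end. The following is an added example, not code from the original post or from AWS: it packs constructed sample files into a single archive, records each file's offset, length, checksum and metadata in a dict standing in for the RDS table, answers a metadata search, and restores one file from a byte range. Because Glacier vault retrieval jobs require megabyte-aligned ranges, it also shows widening a file's range to alignment and slicing the file back out of the downloaded chunk.

```python
"""Single-archive packing with a byte-range index (the pattern from option 4).

Added example, not part of the original post. Sample files and metadata are
constructed; a dict stands in for the RDS metadata table and an in-memory
slice stands in for the range retrieval.
"""
from __future__ import annotations

import io
import zlib

MIB = 1024 * 1024  # Glacier vault range retrievals must be megabyte aligned


def pack_files(files: dict[str, bytes], metadata: dict[str, dict]) -> tuple[bytes, dict]:
    """Compress each file, concatenate into one archive, and build the byte-range index."""
    buf = io.BytesIO()
    index: dict[str, dict] = {}
    for name in sorted(files):
        compressed = zlib.compress(files[name])
        offset = buf.tell()
        buf.write(compressed)
        index[name] = {
            "offset": offset,
            "length": len(compressed),
            "crc32": zlib.crc32(files[name]),   # checksum of the original, verified on restore
            **metadata.get(name, {}),            # searchable attributes (drug, participant, ...)
        }
    return buf.getvalue(), index


def find_files(index: dict, **criteria) -> list[str]:
    """The metadata search (the RDS query in the architecture)."""
    return [name for name, entry in index.items()
            if all(entry.get(k) == v for k, v in criteria.items())]


def aligned_range(entry: dict) -> tuple[int, int]:
    """Widen a file's byte range to MiB boundaries; returns (start, end_inclusive)."""
    first = entry["offset"]
    last = entry["offset"] + entry["length"] - 1
    return (first // MIB) * MIB, ((last // MIB) + 1) * MIB - 1


def fetch_range(archive: bytes, start: int, end: int) -> bytes:
    """Stand-in for the range retrieval; a range past the archive end just returns less data."""
    return archive[start:end + 1]


def restore_file(downloaded: bytes, range_start: int, entry: dict) -> bytes:
    """Slice one file out of a downloaded range, decompress it, and check its checksum."""
    inner = entry["offset"] - range_start
    data = zlib.decompress(downloaded[inner:inner + entry["length"]])
    if zlib.crc32(data) != entry["crc32"]:
        raise ValueError(f"integrity check failed for byte range at {entry['offset']}")
    return data


if __name__ == "__main__":
    # Constructed sample trial data.
    files = {"a.csv": b"id,drug\n1,X-1\n" * 100, "b.txt": b"notes", "c.bin": bytes(range(256)) * 10}
    meta = {"a.csv": {"drug": "X-1", "participant": "P001"},
            "b.txt": {"drug": "X-1", "participant": "P002"},
            "c.bin": {"drug": "Y-2", "participant": "P001"}}
    archive, index = pack_files(files, meta)
    for name in find_files(index, participant="P001"):
        start, end = aligned_range(index[name])
        restored = restore_file(fetch_range(archive, start, end), start, index[name])
        print(name, restored == files[name])
```

One archive per trial is what keeps the cost down: Glacier charges per request and per archive, and a range retrieval of a few MiB is far cheaper than restoring thousands of individual objects; the checksum in the index is what tells you a byte range in the database has drifted from the archive before a restore is handed to the regulator.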

References

Storage Options Whitepaper – Storage Gateway – Import/Export – AWS Certification

AWS Storage Options – Storage Gateway & Import/Export (Snow Family)

Provides a brief summary for the Ideal Use cases and Anti-Patterns for AWS Storage Gateway and AWS Snow Family (formerly Import/Export) storage options.

📌 2025/2026 Update: This post has been significantly updated to reflect current AWS service terminology and availability:

  • Storage Gateway now offers four gateway types: S3 File Gateway, FSx File Gateway (no longer available to new customers), Volume Gateway, and Tape Gateway.
  • AWS Import/Export was replaced by AWS Snowball (2015), and the Snow Family is being significantly reduced — Snowmobile retired (March 2024), Snowcone discontinued (Nov 2024), and Snowball Edge restricted to existing customers only (Nov 2025).
  • AWS Data Transfer Terminal is the new physical data transfer alternative for new customers.

AWS Storage Gateway

  • AWS Storage Gateway is a hybrid cloud storage service that provides on-premises access to virtually unlimited cloud storage.
  • Storage Gateway provides a standard set of storage protocols such as iSCSI, SMB, and NFS, which allow you to use AWS storage without rewriting existing applications.
  • It provides low-latency performance by maintaining frequently accessed data on-premises while securely storing all data encrypted in AWS.
  • For disaster recovery scenarios, it can serve as a cloud-hosted solution, together with EC2, that mirrors the entire production environment.
  • Storage Gateway can be deployed as a virtual machine (VM) within VMware, Hyper-V, or Linux KVM virtual environments, or as an Amazon EC2 instance within a VPC, or on a dedicated hardware appliance.
  • Storage Gateway offers four gateway types:
    • Amazon S3 File Gateway
      • Presents Amazon S3 objects as files accessible via NFS or SMB protocols.
      • On-premises applications read and write files to the gateway, which stores them as objects in S3 buckets.
      • Maintains a local cache of recently accessed files for low-latency retrieval.
      • Supports S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, and S3 One Zone-IA storage classes.
    • Amazon FSx File Gateway
      • Provides low-latency, on-premises access to fully managed Windows file shares in Amazon FSx for Windows File Server.
      • ⚠️ No longer available to new customers as of October 28, 2024. Existing customers can continue using the service. AWS recommends connecting directly to Amazon FSx for Windows File Server as an alternative.
    • Volume Gateway
      • Presents cloud-backed iSCSI block storage volumes to on-premises applications.
      • Operates in two modes:
        • Cached volumes (formerly Gateway-cached volumes) – Primary data stored in S3, with frequently accessed data retained locally in a cache. Minimizes the need to scale on-premises storage while providing low-latency access to frequently accessed data.
        • Stored volumes (formerly Gateway-stored volumes) – Complete primary data stored locally, while asynchronously backing up data to AWS as EBS snapshots. Provides low-latency access to entire datasets with durable, off-site backups.
      • Cached volumes can be up to 32 TiB; stored volumes can be up to 16 TiB.
    • Tape Gateway
      • Presents a virtual tape library (VTL) interface to existing backup applications using iSCSI.
      • Virtual tapes are stored in S3, and archived tapes are stored in S3 Glacier or S3 Glacier Deep Archive.
      • Compatible with leading backup software (Veeam, Veritas NetBackup, Commvault, etc.).

Ideal Usage Patterns

  • AWS Storage Gateway use cases include
    • Corporate file sharing and collaboration (S3 File Gateway)
    • Enabling on-premises backup applications to store primary backups in S3 (Volume Gateway, Tape Gateway)
    • Disaster recovery with cloud-backed storage
    • Data mirroring to cloud-based compute resources
    • Tiering on-premises data to cloud storage

Anti-Patterns

  • Database storage
    • For Database backup or storage, EC2 instances using EBS volumes or managed database services (RDS, Aurora) are better choices.

Performance

  • Performance depends on the speed and configuration of underlying local disks, network bandwidth between the iSCSI initiator and gateway VM, amount of local storage allocated to the gateway VM, and bandwidth between the gateway VM and AWS.
  • For cached volumes, providing enough local cache storage for recently accessed data is important for low-latency read access.
  • Storage Gateway efficiently uses Internet bandwidth by only uploading incremental changes (data that has changed), minimizing data sent over the Internet.
  • AWS Direct Connect can be used to increase throughput and reduce network costs by establishing a dedicated network connection between the on-premises gateway and AWS.
  • Storage Gateway supports bandwidth throttling to control the amount of network bandwidth used for data transfer.

Durability and Availability

  • AWS Storage Gateway durably stores on-premises application data by uploading it to S3.
  • S3 stores data across multiple facilities and on multiple devices within each facility, providing 99.999999999% (11 9s) durability.
  • S3 performs regular, systematic data integrity checks and is built to be automatically self-healing.

Cost Model

  • AWS Storage Gateway pricing components vary by gateway type:
    • S3 File Gateway: Storage (S3 pricing), requests, and data transfer
    • Volume Gateway: Volume storage usage (per GB per month), snapshot storage, and data transfer
    • Tape Gateway: Virtual tape storage, virtual tape shelf (archive) storage, and data retrieval
    • All types: No charge for the gateway software; charges apply for AWS storage used

Scalability and Elasticity

  • Storage Gateway stores data in Amazon S3, which provides virtually unlimited scalability and elasticity.
  • A single gateway supports up to 32 cached volumes (max 1,024 TiB total) or 32 stored volumes (max 512 TiB total).

Interfaces

  • AWS Management Console, AWS CLI, and AWS SDKs can be used to manage Storage Gateway.
  • Gateway VM images are available for VMware ESXi, Microsoft Hyper-V, and Linux KVM.
  • Hardware appliance option is available for environments without virtualization infrastructure.
  • Volumes are attached as iSCSI devices; file shares are accessible via NFS or SMB protocols.

AL2 to AL2023 Migration (2025-2026)

  • AWS is transitioning Storage Gateway appliance OS from Amazon Linux 2 to AL2023.
  • This migration enables new hybrid cloud storage features and maintains optimal performance and security.
  • Gateway versions 1.x.x cannot be updated to 2.x.x — a new gateway deployment is required.

AWS Import/Export (Replaced by AWS Snow Family)

⚠️ SERVICE DEPRECATED & SIGNIFICANTLY REDUCED

AWS Import/Export (the original ship-your-own-disk service) was fully replaced by AWS Snowball in 2015.

AWS Snow Family Current Status (2025):

  • AWS Snowmobile — Retired (March 2024). Service is no longer available.
  • AWS Snowcone (HDD & SSD) — Discontinued November 12, 2024. Support for existing customers ended November 12, 2025.
  • Previous generation Snowball devices (80TB Storage Optimized, 52 vCPU Compute Optimized, Compute Optimized with GPU) — Discontinued November 12, 2024.
  • AWS Snowball Edge (latest generation) — Only available to existing customers as of November 7, 2025. New customers cannot order Snowball Edge devices.

Alternatives for New Customers:

  • AWS DataSync — For online data transfers when network bandwidth is available
  • AWS Data Transfer Terminal — For secure physical data transfers at AWS-managed locations
  • AWS Partner solutions — Third-party data migration services

AWS Snow Family (Current Service)

  • AWS Snow Family provides secure, rugged devices for edge computing and offline data transfer.
  • AWS Snowball Edge is the primary device, available in two options:
    • Snowball Edge Storage Optimized (210 TB) — Primary device for large data transfers with high storage capacity and faster transfer speeds.
    • Snowball Edge Compute Optimized — For edge computing workloads requiring local processing power.
  • Data encryption is performed on the device itself, enabling higher data throughput and shorter transfer times.
  • Supports Amazon S3 compatible storage on the device for edge workloads.

AWS Data Transfer Terminal (New Alternative)

  • AWS Data Transfer Terminal is a secure, physical location where customers bring their storage devices to transfer data using a high-throughput connection directly to AWS.
  • Provides direct network connectivity to AWS services including Amazon S3, Amazon EFS, and others.
  • Available in multiple locations globally (New York, Los Angeles, San Francisco Bay Area, Munich, and more being added).
  • Customers reserve a date and time, visit the location, connect their storage devices, and transfer data.
  • No device shipping required — eliminates wait times associated with Snowball device logistics.
  • Ideal for customers who need frequent, high-volume physical data transfers.

Original AWS Import/Export (Historical Reference)

  • AWS Import/Export (now fully replaced) accelerated moving large amounts of data into and out of AWS using portable storage devices for transport.
  • AWS transferred data directly onto and off of storage devices using Amazon’s high-speed internal network, bypassing the Internet.
  • Supported importing into EBS snapshots, S3 buckets, and Glacier vaults, and exporting data from S3.

Ideal Usage Patterns (Snow Family / Data Transfer Terminal)

  • Ideal for transferring large amounts of data in and out of the AWS cloud, especially in cases where transferring the data over the Internet would be too slow (a week or more) or too costly.
  • Common use cases include:
    • Initial data migration to AWS (large-scale lift-and-shift)
    • Content distribution or regular data interchange with customers/business associates
    • Transfer to Amazon S3 for off-site backup and archival storage
    • Edge computing in disconnected environments (Snowball Edge only)
    • Disaster recovery with rapid data retrieval

Anti-Patterns

  • Data that is more easily transferred over the Internet in less than one week — use AWS DataSync or AWS Transfer Family instead.
  • For new customers needing physical data transfer (post Nov 2025) — use AWS Data Transfer Terminal or AWS Partner solutions.

Performance

  • Snowball Edge Storage Optimized 210TB devices provide up to 100 Gbps network connectivity.
  • Data transfer rate is bounded by the read/write speed of the storage device and network connectivity.
  • AWS Data Transfer Terminal provides high-throughput direct connections for fast transfers.

Durability and Availability

  • Durability and availability characteristics of the target storage (S3, EBS, EFS) apply after data has been imported.
  • Snowball Edge devices use 256-bit encryption and tamper-resistant enclosures for data security during transit.

Cost Model

  • AWS Snowball Edge pricing includes: service fee per job, shipping costs, and per-day charges for device use beyond included days.
  • Standard Amazon S3, EBS, and other storage pricing applies for the destination storage.
  • AWS Data Transfer Terminal pricing is based on reservation time and data transferred.

Scalability and Elasticity

  • Multiple Snowball Edge devices can be used in parallel for petabyte-scale transfers.
  • Large Data Migration Manager available in the AWS Console for managing multi-device migration projects.
  • For Amazon S3, individual objects may range up to 5 terabytes in size.
  • Aggregate total amount of data that can be imported is virtually unlimited.

Interfaces

  • AWS Snowball Edge jobs are created and tracked through the AWS Management Console, AWS CLI, and SDKs; the device itself is operated with AWS OpsHub or the Snowball Edge client (OpsHub is a separate desktop application, not part of the console).
  • AWS OpsHub provides a graphical interface for managing Snow devices.
  • AWS Data Transfer Terminal is managed through the AWS Management Console for reservations.

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. You are working with a customer who has 10 TB of archival data that they want to migrate to Amazon Glacier. The customer has a 1-Mbps connection to the Internet. Which service or feature provides the fastest method of getting the data into Amazon Glacier?
    1. Amazon Glacier multipart upload
    2. AWS Storage Gateway
    3. VM Import/Export
    4. AWS Import/Export (Now: AWS Snowball)

    Note: This question uses legacy service names. AWS Import/Export has been replaced by AWS Snowball Edge. As of Nov 2025, Snowball Edge is only available to existing customers — new customers should use AWS Data Transfer Terminal.

  2. A company needs to provide on-premises applications with low-latency access to their entire dataset, while keeping point-in-time backups of that data in AWS for disaster recovery. Which Storage Gateway configuration is most appropriate?
    1. S3 File Gateway with local cache
    2. Volume Gateway in cached mode
    3. Volume Gateway in stored mode
    4. Tape Gateway

    Answer: C. Volume Gateway in stored mode keeps the complete primary data locally for low-latency access to the entire dataset, while asynchronously backing up data to AWS as EBS snapshots for disaster recovery.

  3. A company wants to minimize on-premises storage costs while maintaining low-latency access to frequently accessed data. The full dataset is several hundred terabytes. Which Storage Gateway solution is most suitable?
    1. S3 File Gateway
    2. Volume Gateway in cached mode
    3. Volume Gateway in stored mode
    4. Tape Gateway

    Answer: B. Volume Gateway in cached mode stores primary data in S3 while retaining frequently accessed data locally in a cache, minimizing on-premises storage requirements.

  4. A new customer needs to physically transfer 50 TB of data to AWS but cannot use AWS Snowball Edge (no longer available to new customers as of November 2025). What is the recommended alternative?
    1. AWS Snowcone
    2. AWS Snowmobile
    3. AWS Data Transfer Terminal
    4. AWS Import/Export with customer-owned devices

    Answer: C. AWS Data Transfer Terminal provides secure, physical locations where customers can bring their storage devices and transfer data using high-throughput connections to AWS. Snowcone and Snowmobile are discontinued, and Import/Export was replaced by Snowball in 2015.

  5. Which AWS Storage Gateway type would you recommend for a company that wants to replace their physical tape backup infrastructure with cloud-based backup while keeping existing backup software?
    1. S3 File Gateway
    2. Volume Gateway
    3. Tape Gateway
    4. FSx File Gateway

    Answer: C. Tape Gateway presents a virtual tape library (VTL) interface compatible with existing backup applications, allowing companies to replace physical tape infrastructure while maintaining their current backup workflows.

AWS Storage Options – RDS, DynamoDB & Database on EC2

AWS Storage Options Whitepaper with RDS, DynamoDB & Database on EC2 Cont.

Provides a brief summary for the Ideal Use cases, Anti-Patterns and other factors for Amazon RDS, DynamoDB & Databases on EC2 storage options

📝 Note: The original AWS Storage Services Overview whitepaper has been archived by AWS. This content is maintained and updated with current service capabilities for certification study reference. See the AWS Overview – Storage Services for the latest official guidance.

Amazon RDS

  • RDS is a fully managed relational database service supporting Amazon Aurora, MySQL, PostgreSQL, MariaDB, Oracle, Microsoft SQL Server, and (since late 2023) IBM Db2 database engines
  • RDS eliminates much of the administrative overhead associated with launching, managing, and scaling your own relational database on Amazon EC2 or in another computing environment.
  • RDS provides automated patching, backups, Multi-AZ high availability, read replicas, and monitoring out of the box.

Key Features (Updated 2024-2026)

  • Multi-AZ DB Cluster Deployments – deploys a primary and two readable standby instances across three AZs, providing faster failover (~35 seconds), improved commit latency via semisynchronous replication, and readable standbys (MySQL/PostgreSQL)
  • Blue/Green Deployments – creates a fully managed staging (green) environment that mirrors production (blue), allowing safe testing of major version upgrades and schema changes with minimal downtime switchover
  • RDS Proxy – a fully managed database proxy that pools and shares connections, improving application scalability, resilience to database failovers, and security via IAM/Secrets Manager authentication
  • RDS Data API – available for Aurora (Serverless v2 and provisioned), enables secure HTTP-based SQL execution without managing database drivers or connections
  • Aurora Serverless v2 – auto-scales database capacity in fine-grained increments based on application demand, scaling to hundreds of thousands of transactions per second
  • Aurora DSQL (announced in preview Dec 2024, generally available 2025) – a serverless, distributed SQL database with active-active multi-Region high availability, PostgreSQL-compatible, with strong consistency across all Regional endpoints
  • RDS Custom – provides OS and database access for Oracle and SQL Server when full administrative control is needed (Note: RDS Custom for Oracle reaches end of support March 31, 2027)
  • Graviton (ARM) Instances – M6g/R6g and M7g/R7g instance classes offering better price-performance than the equivalent x86 classes (M7i/R7i are the Intel-based counterparts, not Graviton)
  • gp3 Storage – baseline of 3,000 IOPS and 125 MiB/s (12,000 IOPS and 500 MiB/s for MySQL, MariaDB and PostgreSQL at 400 GiB and above), with additional IOPS and throughput provisionable up to 64,000 IOPS and 4,000 MiB/s; storage up to 64 TiB (16 TiB for SQL Server)
  • Extended Support – up to 3 additional years of critical security and bug fixes beyond community end-of-life for major engine versions

Ideal Usage Patterns

  • RDS is a great solution for cloud-based fully-managed relational database
  • RDS is also optimal for new applications with structured data that requires more sophisticated querying and joining capabilities than that provided by Amazon’s NoSQL database offering, DynamoDB.
  • RDS provides full compatibility with the databases supported and direct access to native database engines, code and libraries and is ideal for existing applications that rely on these databases
  • Applications requiring zero-downtime upgrades can leverage Blue/Green Deployments for safe major version changes
  • Serverless and event-driven applications benefit from RDS Proxy and Aurora Serverless v2 for connection management and auto-scaling

Anti-Patterns

  • Index and query-focused data
    • If the application doesn’t require advanced features such as joins and complex transactions and is more oriented toward indexing and querying data, DynamoDB would be more appropriate for these needs
  • Numerous BLOBs
    • If the application makes heavy use of files (audio files, videos, images, etc), it is a better choice to use S3 to store the objects instead of database engines Blob feature and use RDS or DynamoDB only to save the metadata
  • Automated scalability
    • RDS provides vertical scaling (scale up) and limited horizontal scale-out via read replicas. For fully-automated serverless scaling, consider Aurora Serverless v2 or DynamoDB.
  • Complete control
    • RDS does not provide full OS-level admin access.
    • If the application requires complete OS-level control, consider RDS Custom (for Oracle/SQL Server) or a self-managed database on EC2.
  • Other database platforms
    • RDS supports Aurora, MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Db2.
    • If any other database platform (such as Informix or SAP ASE/Sybase) is needed, it should be deployed as a self-managed database on an EC2 instance.

Performance

  • RDS offers multiple storage types optimized for different workloads:
    • gp3 (General Purpose SSD) – baseline 3,000 IOPS and 125 MiB/s (12,000 IOPS and 500 MiB/s for MySQL, MariaDB and PostgreSQL at 400 GiB and above), provisionable up to 64,000 IOPS and 4,000 MiB/s, storage up to 64 TiB (16 TiB for SQL Server)
    • io1/io2 Block Express (Provisioned IOPS SSD) – designed for I/O-intensive transactional workloads that need consistent sub-millisecond latency; io2 Block Express supports up to 256,000 IOPS and 4,000 MiB/s
  • Multi-AZ DB Cluster deployments provide improved write commit latency through optimized semisynchronous replication
  • Performance Insights provides a dashboard to monitor database load and identify bottlenecks
  • RDS Optimized Reads (MySQL, MariaDB, PostgreSQL) place temporary objects on local NVMe instance storage for up to 2x faster query processing; RDS Optimized Writes (MySQL, MariaDB) remove the InnoDB doublewrite buffer via torn-write-protected 16 KiB page writes for up to 2x higher write throughput

Durability and Availability

  • RDS leverages Amazon EBS volumes as its data store
  • RDS provides database backups, for enhanced durability, which are replicated across multiple AZ’s
    • Automated backups
      • RDS automatically performs a full daily backup during the specified backup window, and captures DB transaction logs (up to 35-day retention)
    • User initiated backups (DB Snapshots)
      • User can initiate manual snapshots at any time; they are retained until explicitly deleted
  • Multi-AZ DB Instance – synchronously replicates data to a standby in another AZ with automatic failover (typically 60-120 seconds)
  • Multi-AZ DB Cluster – maintains a primary and two readable standbys across three AZs with faster failover (~35 seconds) and transaction log-based replication
  • RDS provides a DNS endpoint; in case of failure on the primary, it automatically fails over to the standby instance
  • RDS Read Replicas provide asynchronous replication for read scaling and can be promoted for disaster recovery (including cross-Region replicas)

Cost Model

  • RDS offers a tiered pricing structure based on instance size, deployment type (Single-AZ/Multi-AZ Instance/Multi-AZ Cluster), and AWS Region
  • Pricing components: DB instance hours, provisioned storage (per GB-month), I/O requests (for io1/io2), additional backup storage, and data transfer
  • Reserved Instances provide significant discounts (up to 69%) for 1-year or 3-year commitments
  • Aurora Serverless v2 charges per Aurora Capacity Unit (ACU) consumed per second

Scalability and Elasticity

  • RDS resources can be scaled in several dimensions: storage size, IOPS, instance compute capacity, and number of read replicas
  • Storage Auto Scaling automatically increases storage when approaching capacity limits
  • Aurora Auto Scaling automatically adjusts the number of Aurora Replicas based on demand
  • Aurora Serverless v2 scales compute capacity automatically in fine-grained increments (0.5 ACU) from minimum to maximum configured capacity
  • Read Replicas (up to 15 for Aurora, MySQL, MariaDB and PostgreSQL; up to 5 for Oracle and SQL Server) enable read scaling across AZs and Regions
  • Aurora Limitless Database provides horizontal write scaling by automatically sharding data across multiple writer instances

Interfaces

  • RDS APIs, AWS CLI, and the AWS Management Console provide management interfaces for creating, modifying, and managing DB instances
  • RDS Data API (Aurora) provides a secure HTTP endpoint for running SQL statements without managing database connections or drivers
  • Once a database is created, RDS provides a DNS endpoint for the database which can be used to connect using standard database drivers
  • Endpoint does not change over the lifetime of the instance, even during failover in Multi-AZ configurations
  • RDS Proxy endpoints provide connection pooling and improved failover handling for applications
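The stable DNS endpoint is only useful to a client that resolves it again after a failure: the hostname does not change, but the IP address it resolves to does once the standby is promoted, and a client or driver that holds on to the first address keeps reconnecting to the dead primary. The following is an added example, not code from the page or from AWS, of a connect helper that re-resolves the endpoint before every attempt and backs off between attempts. The hostname is a made-up placeholder, and `resolve`, `connect` and `sleep` are injectable so the retry logic can be exercised offline with a constructed failover scenario; in production you pass the driver's own connect call.

```python
"""Connecting to an RDS Multi-AZ endpoint across a failover.

Added illustration (not code from the page): the RDS endpoint hostname stays
the same after a failover, but the address it resolves to changes when the
standby is promoted, so a client that caches the first IP keeps reconnecting to
the dead primary. This helper re-resolves the hostname before every attempt and
retries with capped exponential backoff. `resolve`, `connect` and `sleep` are
injectable so the retry logic can be run offline; in production pass a
driver's connect function (psycopg, mysql-connector, ...). The hostname below
is a made-up placeholder.
"""
import socket
import time
from typing import Callable, Iterable, List, Optional

DB_HOST = "mydb.abc123def.us-east-1.rds.amazonaws.com"   # assumed, not a real endpoint
DB_PORT = 5432


def resolve_all(host: str, port: int) -> List[str]:
    """Fresh DNS lookup on every call; returns unique addresses in answer order."""
    seen, addrs = set(), []
    for info in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP):
        addr = info[4][0]
        if addr not in seen:
            seen.add(addr)
            addrs.append(addr)
    return addrs


def connect_with_failover_retry(host: str, port: int,
                                connect: Callable[[str, int], object],
                                resolve: Callable[[str, int], Iterable[str]] = resolve_all,
                                max_attempts: int = 6, base_delay: float = 0.5,
                                max_delay: float = 8.0,
                                sleep: Callable[[float], None] = time.sleep) -> object:
    """Connect to host:port, re-resolving DNS before each attempt.

    Raises ConnectionError after max_attempts if no resolved address accepts the
    connection (the window before Multi-AZ DNS is updated, or a total outage).
    """
    last_err: Optional[Exception] = None
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        for addr in resolve(host, port):          # never reuse a previously resolved IP
            try:
                return connect(addr, port)
            except ConnectionError as err:
                last_err = err
        if attempt < max_attempts:
            sleep(delay)
            delay = min(delay * 2, max_delay)     # 0.5, 1, 2, 4, 8, 8 ...
    raise ConnectionError(f"{host}:{port} unreachable after {max_attempts} attempts: {last_err}")


class FailoverSimulation:
    """Constructed scenario: primary 10.0.1.10 is gone, standby 10.0.2.20 has been
    promoted, and DNS still answers with the old address for the first two lookups."""

    def __init__(self) -> None:
        self.lookups = 0
        self.attempted: List[str] = []

    def resolve(self, host: str, port: int) -> List[str]:
        self.lookups += 1
        return ["10.0.1.10"] if self.lookups <= 2 else ["10.0.2.20"]

    def connect(self, addr: str, port: int) -> str:
        self.attempted.append(addr)
        if addr == "10.0.2.20":
            return f"connected:{addr}:{port}"
        raise ConnectionError(f"{addr}:{port} connection refused")


def always_refuse(addr: str, port: int) -> str:
    """Connect stub for the total-outage case."""
    raise ConnectionError(f"{addr}:{port} connection refused")


def run_simulation() -> dict:
    """Drive the helper through the constructed failover; returns what happened."""
    sim = FailoverSimulation()
    conn = connect_with_failover_retry(DB_HOST, DB_PORT, connect=sim.connect,
                                       resolve=sim.resolve, sleep=lambda _: None)
    return {"conn": conn, "lookups": sim.lookups, "attempted": sim.attempted}


if __name__ == "__main__":
    print(run_simulation())
```

In the simulated run the helper performs three lookups, fails twice against the stale address, and connects on the third attempt once DNS reflects the promoted standby. The same caveat applies to runtimes that cache DNS on their own: the JVM caches resolved addresses indefinitely under some security-manager settings, and AWS recommends setting `networkaddress.cache.ttl` to 60 seconds for that reason. RDS Proxy sidesteps the problem entirely by keeping the client connection open while it reconnects to the new primary behind the proxy endpoint.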

Amazon DynamoDB

  • Amazon DynamoDB is a fully managed, serverless NoSQL database service that delivers single-digit millisecond performance at any scale.
  • DynamoDB offers zero infrastructure management, zero downtime maintenance, and automatic scaling to accommodate any workload demand.
  • DynamoDB provides both eventually-consistent reads (by default) and strongly-consistent reads (optional), as well as ACID transactions (TransactWriteItems, TransactGetItems) for coordinated operations across multiple items and tables.
  • Amazon DynamoDB handles data as follows:
    • DynamoDB stores structured data in tables, indexed by primary key, and allows low-latency read and write access to items.
    • DynamoDB supports rich data types: Scalar (String, Number, Binary, Boolean, Null), Document (List, Map), and Set (String Set, Number Set, Binary Set)
    • Tables do not have a fixed schema, so each data item can have a different number of attributes.
    • Primary key can either be a single-attribute partition key (hash key) or a composite partition key + sort key (hash-range key).
    • Local Secondary Indexes (LSI) – alternate sort key on the same partition key (defined at table creation)
    • Global Secondary Indexes (GSI) – alternate partition key and optional sort key, can be added/modified anytime

Key Features (Updated 2024-2026)

  • On-Demand Capacity Mode – pay-per-request pricing with no capacity planning; automatically scales to accommodate workload demand. 50% price reduction effective November 2024.
  • Global Tables – fully managed, multi-Region, multi-active replication with two consistency modes:
    • Multi-Region Eventual Consistency (MREC) – default mode, typically sub-second replication
    • Multi-Region Strong Consistency (MRSC) – GA 2025, provides zero RPO with strongly consistent reads/writes across all Regions
  • DynamoDB Accelerator (DAX) – fully managed, in-memory cache providing microsecond read latency for read-heavy workloads
  • Standard-IA Table Class – lower storage cost option (up to 60% cheaper storage) for infrequently accessed data
  • PartiQL – SQL-compatible query language for DynamoDB, enabling familiar SELECT, INSERT, UPDATE, DELETE syntax
  • Zero-ETL Integrations – seamless data replication to Amazon Redshift, OpenSearch Service, and SageMaker Lakehouse without building ETL pipelines
  • S3 Import/Export – bulk import data from S3 and export table data to S3 in DynamoDB JSON or Amazon Ion format
  • Point-in-Time Recovery (PITR) – continuous backups with per-second granularity, restorable to any point within a configurable 1-35 day window
  • Encryption at Rest – enabled by default using AWS owned keys, with options for AWS managed key or customer managed KMS key
  • DynamoDB Streams / Kinesis Data Streams – capture item-level changes for event-driven architectures, real-time analytics, and cross-Region replication

Ideal Usage Patterns

  • DynamoDB is ideal for applications that need a flexible NoSQL database with low read and write latencies, and the ability to scale storage and throughput up or down as needed without code changes or downtime.
  • Use cases requiring a highly available and scalable database e.g., mobile apps, gaming, digital ad serving, live voting, sensor networks, log ingestion, access control, metadata storage for S3 objects, e-commerce shopping carts, web session management, and serverless applications
  • Event-driven architectures leveraging DynamoDB Streams to trigger Lambda functions or downstream processing
  • Global applications requiring multi-Region active-active deployments with Global Tables
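The "access control" and mobile-app use cases above rely on a specific DynamoDB feature: the IAM condition key `dynamodb:LeadingKeys`, which restricts a federated caller to items whose partition key equals the caller's own identity, so a mobile client can talk to the table directly without a server in front of it. The following is an added example, not code from the page or from AWS, showing the role policy for that pattern and a small evaluator that reproduces the `ForAllValues:StringEquals` semantics of that one condition key (it is not a general IAM simulator). The table ARN, the `user_id` key name and the Cognito identity values are assumptions; requests use plain Python values as the SDK document interface would.

```python
"""DynamoDB fine-grained access control: each user can only touch their own items.

Added illustration (not code from the page). The role assumed through web
identity federation carries a policy whose `dynamodb:LeadingKeys` condition
names a single allowed partition key value, the caller's identity, which IAM
substitutes for the policy variable at evaluation time. The evaluator below
reproduces only the ForAllValues:StringEquals check for that key.
"""
import json

TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/UserPreferences"  # assumed
IDENTITY_VAR = "${cognito-identity.amazonaws.com:sub}"   # Cognito; Login with Amazon would use ${www.amazon.com:user_id}


def user_scoped_policy(table_arn: str = TABLE_ARN) -> dict:
    """Role policy: item-level actions only, and only on the caller's partition key.
    Scan is deliberately absent: a Scan names no key, so LeadingKeys cannot constrain it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OwnItemsOnly",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
                       "dynamodb:DeleteItem", "dynamodb:Query",
                       "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem"],
            "Resource": table_arn,
            "Condition": {
                "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [IDENTITY_VAR]}
            },
        }],
    }


def leading_keys_allowed(policy: dict, caller_sub: str, requested_partition_keys) -> bool:
    """ForAllValues: every partition key in the request must be in the allowed set.
    IAM's documented behaviour is that an EMPTY request key set also satisfies
    ForAllValues, which is why authorize() below refuses empty key sets itself."""
    stmt = policy["Statement"][0]
    templates = stmt["Condition"]["ForAllValues:StringEquals"]["dynamodb:LeadingKeys"]
    allowed = {t.replace(IDENTITY_VAR, caller_sub) for t in templates}
    return all(k in allowed for k in requested_partition_keys)


def partition_keys_in_request(operation: str, params: dict, pk_name: str = "user_id") -> list:
    """Extract the partition key value(s) a request names. Query is left out here
    because its key lives inside a KeyConditionExpression that would need parsing."""
    if operation in ("GetItem", "UpdateItem", "DeleteItem"):
        return [params["Key"][pk_name]]
    if operation == "PutItem":
        return [params["Item"][pk_name]]
    if operation == "BatchGetItem":
        return [k[pk_name] for table in params["RequestItems"].values() for k in table["Keys"]]
    raise ValueError(f"unsupported operation {operation}")


def authorize(policy: dict, caller_sub: str, operation: str, params: dict,
              pk_name: str = "user_id") -> str:
    """Decide a request against the policy; returns 'allow' or a 'deny: reason' string."""
    stmt = policy["Statement"][0]
    if f"dynamodb:{operation}" not in stmt["Action"]:
        return "deny: action not granted"
    keys = partition_keys_in_request(operation, params, pk_name)
    if not keys:
        return "deny: no leading key in request"   # guard against the empty-set ForAllValues rule
    if leading_keys_allowed(policy, caller_sub, keys):
        return "allow"
    return "deny: leading key mismatch"


if __name__ == "__main__":
    policy = user_scoped_policy()
    print(json.dumps(policy, indent=2))
    # Constructed requests from caller "us-east-1:aaaa": own item, then a batch that sneaks in another user's key.
    print(authorize(policy, "us-east-1:aaaa", "GetItem", {"Key": {"user_id": "us-east-1:aaaa"}}))
    print(authorize(policy, "us-east-1:aaaa", "BatchGetItem", {"RequestItems": {"UserPreferences": {
        "Keys": [{"user_id": "us-east-1:aaaa"}, {"user_id": "us-east-1:bbbb"}]}}}))
```

The batch request is the case worth noticing: `ForAllValues` denies the whole call as soon as one key belongs to someone else, which is what makes a per-user policy safe for `BatchGetItem`/`BatchWriteItem`. Pair this with a Cognito identity pool so that each device receives short-lived STS credentials for the role rather than a long-lived key baked into the app.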

Anti-Patterns

  • Structured data with Join and/or Complex Transactions
    • If the application uses structured data and requires complex joins, multi-table transactions, or relationship infrastructure provided by traditional relational databases, RDS or Aurora would be a better choice. (Note: DynamoDB does support ACID transactions within and across tables, but not SQL-style joins.)
  • Large Blob data
    • DynamoDB has a maximum item size of 400 KB. For large media files, videos, etc., use S3 for storage and DynamoDB for metadata.
  • Large Objects with Low I/O rate
    • DynamoDB uses SSD drives and is optimized for high I/O workloads. If the application stores very large amounts of infrequently accessed data, S3 or the Standard-IA table class might be more cost-effective.
  • Complex ad-hoc analytics
    • For complex analytical queries across large datasets, use DynamoDB zero-ETL integration with Amazon Redshift or export to S3 for Athena queries.

Performance

  • SSD storage and limited indexing on attributes provide single-digit millisecond latency at any scale.
  • Provisioned capacity mode – define exact read/write capacity units for predictable workloads with optional auto-scaling
  • On-demand capacity mode – automatically accommodates up to double previous peak traffic instantly, with further scaling within minutes
  • DAX (DynamoDB Accelerator) – in-memory cache providing microsecond response times for eventually consistent reads
  • DynamoDB automatically partitions data to maintain consistent performance as tables grow.

Durability and Availability

  • DynamoDB automatically and synchronously replicates data across three AZs in a Region for high availability and data protection against facility failures.
  • Global Tables provide multi-Region replication with 99.999% availability SLA (multi-Region)
  • PITR provides continuous backups for point-in-time restore capability
  • On-demand backups allow full table backups at any time without performance impact

Cost Model

  • DynamoDB offers two capacity modes:
    • On-Demand – pay per read/write request (no capacity planning). 50% price reduction since November 2024.
    • Provisioned – pay per hour for provisioned Read/Write Capacity Units (with optional auto-scaling and Reserved Capacity discounts)
  • Additional pricing components: data storage (per GB-month), Global Tables replication (per replicated write unit), backups, data export/import, DynamoDB Streams reads, and data transfer
  • Standard-IA table class reduces storage costs by up to 60% with higher per-request costs (ideal when storage dominates)
  • Global Tables pricing reduced by up to 67% (November 2024)
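Two of the numbers in the sections above drive real design decisions: the 400 KB item limit from the Anti-Patterns section, which decides whether a record can live in DynamoDB at all or must go to S3 with only metadata in the table, and the 4 KB read / 1 KB write unit sizes behind provisioned capacity and its pricing. The following is an added example, not code from the page or from AWS, that estimates an item's stored size using the size rules from the DynamoDB developer guide (UTF-8 bytes for strings, raw bytes for binary, 1 byte for Boolean/Null, about one byte per two significant digits plus one for numbers, 3 bytes of overhead per List or Map plus 1 per element), checks it against the limit, and converts a read/write rate into RCUs and WCUs. The number and per-element rules are the guide's approximations, so the result is a planning estimate, and the sample item is constructed.

```python
"""DynamoDB item-size and capacity-unit planner.

Added illustration (not code from the page): estimates the stored size of an
item following the size rules in the DynamoDB developer guide, checks it
against the 400 KB item limit, and converts a read/write rate into
provisioned RCU/WCU. The number and per-element overhead rules are the
guide's approximations, so results are estimates, not a billing calculation.
"""
from decimal import Decimal
import math

MAX_ITEM_BYTES = 400 * 1024          # DynamoDB hard limit per item (attribute names + values)
RCU_UNIT_BYTES = 4 * 1024            # one RCU = 1 strongly consistent read/s of <= 4 KB
WCU_UNIT_BYTES = 1 * 1024            # one WCU = 1 standard write/s of <= 1 KB
CONSISTENCY_FACTOR = {"eventual": 0.5, "strong": 1.0, "transactional": 2.0}


def _utf8_len(s: str) -> int:
    return len(s.encode("utf-8"))


def value_size(value) -> int:
    """Approximate byte size of one attribute value (plain Python types, as the
    SDK document interface would accept them)."""
    if value is None or isinstance(value, bool):   # bool before int: bool is an int subclass
        return 1
    if isinstance(value, str):
        return _utf8_len(value)
    if isinstance(value, (bytes, bytearray)):
        return len(value)
    if isinstance(value, (int, float, Decimal)):
        # Significant digits after trimming leading/trailing zeros, one byte per two, plus one.
        digits = len(Decimal(str(value)).normalize().as_tuple().digits)
        return math.ceil(digits / 2) + 1
    if isinstance(value, (list, tuple, set, frozenset)):
        return 3 + sum(1 + value_size(v) for v in value)
    if isinstance(value, dict):
        return 3 + sum(_utf8_len(k) + 1 + value_size(v) for k, v in value.items())
    raise TypeError(f"unsupported attribute type {type(value).__name__}")


def item_size(item: dict) -> int:
    """Total item size: every top-level attribute name plus its value."""
    return sum(_utf8_len(name) + value_size(v) for name, v in item.items())


def reads_capacity(item_bytes: int, reads_per_sec: float, consistency: str = "strong") -> int:
    """RCUs to provision for this read rate, rounded up to whole units.
    Eventually consistent reads cost half a unit, transactional reads two."""
    per_read = math.ceil(item_bytes / RCU_UNIT_BYTES) * CONSISTENCY_FACTOR[consistency]
    return math.ceil(per_read * reads_per_sec)


def writes_capacity(item_bytes: int, writes_per_sec: float, transactional: bool = False) -> int:
    """WCUs to provision for this write rate; transactional writes cost double."""
    per_write = math.ceil(item_bytes / WCU_UNIT_BYTES) * (2 if transactional else 1)
    return math.ceil(per_write * writes_per_sec)


def plan_item(item: dict, reads_per_sec: float, writes_per_sec: float,
              consistency: str = "strong") -> dict:
    """Size the item, decide whether it belongs in DynamoDB at all, and cost it."""
    size = item_size(item)
    fits = size <= MAX_ITEM_BYTES
    return {
        "bytes": size,
        "fits": fits,
        # Oversized payloads go to S3; DynamoDB keeps the metadata and the S3 key.
        "store": "dynamodb" if fits else "s3+metadata",
        "rcu": reads_capacity(size, reads_per_sec, consistency) if fits else None,
        "wcu": writes_capacity(size, writes_per_sec) if fits else None,
    }


# Constructed sample: one user's preference record from the mobile-app use case.
SAMPLE_ITEM = {"user_id": "u-123", "prefs": {"theme": "dark", "font_px": 14}}

if __name__ == "__main__":
    print(plan_item(SAMPLE_ITEM, reads_per_sec=1000, writes_per_sec=200, consistency="eventual"))
    print(plan_item({"blob": b"x" * MAX_ITEM_BYTES}, reads_per_sec=1, writes_per_sec=1))
```

Running the sample shows why eventually consistent reads are the default: the 40-byte preference record costs 500 RCU at 1,000 reads/s instead of 1,000, and a 10 KB item costs three units per strongly consistent read because size is rounded up to the next 4 KB. The second call shows a 400 KB binary attribute tipping over the limit once its attribute name is counted, which is exactly the case the Anti-Patterns section routes to S3.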

Scalability and Elasticity

  • DynamoDB is both highly-scalable and elastic with virtually unlimited storage and throughput capacity.
  • Data is automatically partitioned and re-partitioned as needed, while SSD storage provides predictable low-latency at any scale.
  • On-Demand mode provides truly serverless scaling with no capacity planning required
  • Provisioned mode with Auto Scaling automatically adjusts capacity based on utilization targets
  • DynamoDB can handle more than 10 trillion requests per day and support peaks of more than 100 million requests per second.

Interfaces

  • DynamoDB provides a low-level REST API, AWS SDKs in multiple languages, and the AWS CLI
  • PartiQL – SQL-compatible query language supported via Console, CLI, SDKs, and NoSQL Workbench
  • APIs provide both management and data interfaces: table management (create, list, delete, describe) and item operations (Get, Put, Update, Delete, Query, Scan, BatchWrite, BatchGet, TransactWrite, TransactGet)
  • DynamoDB Streams API – captures ordered sequence of item-level changes
  • NoSQL Workbench – visual tool for data modeling, visualization, and query development

Databases on EC2

  • EC2 with EBS volumes allows hosting a self-managed relational database with full OS and database administrative control
  • Ready-to-use, prebuilt AMIs are available from leading database vendors in AWS Marketplace
  • Note: With the introduction of RDS Custom (for Oracle and SQL Server), the need for self-managed databases on EC2 has decreased for these specific engines

Ideal Usage Patterns

  • Self-managed database on EC2 is ideal for applications that require a specific database platform not supported by Amazon RDS e.g., Informix, SAP ASE (Sybase), or specialized configurations (IBM Db2 itself has been available on RDS since late 2023)
  • Applications requiring maximum level of administrative control and configurability including custom storage engines, specialized replication, or kernel-level tuning not available in RDS or RDS Custom
  • Database versions or configurations not yet supported by RDS

Anti-Patterns

  • Index and query-focused data
    • If the application doesn’t require advanced features such as joins and complex transactions and is more oriented toward indexing and querying data, DynamoDB would be more appropriate
  • Numerous BLOBs
    • If the application makes heavy use of files (audio files, videos, images), use S3 for object storage and RDS or DynamoDB for metadata
  • Managed service available
    • If RDS supports the database engine and provides the needed features, RDS is preferred for reduced operational overhead. For Oracle/SQL Server requiring OS access, consider RDS Custom before self-managing on EC2.
  • Automated scalability
    • Self-managed databases require manual or scripted scaling operations. If fully-automated scaling is needed, DynamoDB, Aurora Serverless, or RDS with Auto Scaling may be better choices.

Performance

  • Performance depends on the EC2 instance type, number/configuration of EBS volumes, and database tuning
  • Scale up by choosing larger instance types (compute-optimized, memory-optimized) or Graviton-based instances for better price-performance
  • For storage: use gp3 or io2 Block Express EBS volumes. Use software RAID 0 (disk striping) across multiple EBS volumes for aggregated IOPS and bandwidth
  • Instance store (NVMe SSDs) can provide very high IOPS for temporary/cache workloads

Durability & Availability

  • Uses EBS for storage with the durability of the chosen volume type (99.999% durability for io2 Block Express; 99.8 to 99.9% for gp2/gp3/io1); availability of the database itself is not covered by this and must be engineered separately
  • Enhanced durability via EBS snapshots, cross-Region replication, or third-party backup tools (e.g., Oracle RMAN) to S3
  • High availability requires manual configuration: Multi-AZ replication, clustering solutions, or automated failover scripts

Cost Model

  • Cost determined by: EC2 instance size/type, EBS volume size and IOPS, data transfer, and any third-party database licensing costs
  • Savings Plans and Reserved Instances reduce EC2 compute costs for steady-state workloads
  • BYOL (Bring Your Own License) options available for Oracle, SQL Server, and other commercial databases

Scalability & Elasticity

  • Leverage EC2 scalability by creating AMIs for horizontal scaling, though database-specific clustering/sharding is required
  • Vertical scaling requires instance stop/start (brief downtime without clustering)
  • Auto Scaling groups can manage read replica fleets for read-heavy workloads

Comparison: RDS vs DynamoDB vs Database on EC2

Factor         | Amazon RDS                                                      | DynamoDB                                                      | Database on EC2
Type           | Managed Relational (SQL)                                        | Managed NoSQL (Key-Value/Document)                            | Self-Managed Relational
Scaling        | Vertical + Read Replicas; Aurora Serverless for auto-scaling    | Fully automatic (on-demand) or provisioned with auto-scaling  | Manual vertical/horizontal
Availability   | Multi-AZ (2 or 3 AZs), automated failover                       | Automatic across 3 AZs; Global Tables for multi-Region        | Manual HA configuration required
Admin Overhead | Low (managed patching, backups)                                 | None (serverless)                                             | High (full responsibility)
Use Case       | Complex queries, joins, ACID transactions                       | High-speed key-value access, flexible schema, massive scale   | Unsupported engines, full OS control

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. Which of the following are use cases for Amazon DynamoDB? Choose 3 answers
    1. Storing BLOB data. (Anti-pattern: 400 KB item limit; store the object in S3)
    2. Managing web sessions (Ideal use case)
    3. Storing JSON documents (Ideal use case: Map and List document types)
    4. Storing metadata for Amazon S3 objects (Ideal use case)
    5. Running relational joins and complex updates. (Anti-pattern: use RDS/Aurora)
    6. Storing large amounts of infrequently accessed data. (Anti-pattern: S3 is more cost-effective)
  2. A client application requires operating system privileges on a relational database server. What is an appropriate configuration for highly available database architecture?
    1. A standalone Amazon EC2 instance
    2. Amazon RDS in a Multi-AZ configuration
    3. Amazon EC2 instances in a replication configuration utilizing a single Availability Zone
    4. Amazon EC2 instances in a replication configuration utilizing two different Availability Zones (OS privileges rule out standard RDS, and replication across two AZs provides the high availability a single instance or single-AZ replication cannot)

    Note: With the introduction of RDS Custom, this question’s context has evolved. RDS Custom for SQL Server now supports Multi-AZ. However, for full OS-level control beyond what RDS Custom offers, EC2 remains the answer.

  3. You are developing a new mobile application and are considering storing user preferences in AWS, which would provide a more uniform cross-device experience to users using multiple mobile devices to access the application. The preference data for each user is estimated to be 50KB in size. Additionally 5 million customers are expected to use the application on a regular basis. The solution needs to be cost-effective, highly available, scalable and secure, how would you design a solution to meet the above requirements?
    1. Setup an RDS MySQL instance in 2 availability zones to store the user preference data. Deploy a public facing application on a server in front of the database to manage security and access credentials
    2. Setup a DynamoDB table with an item for each user having the necessary attributes to hold the user preferences. The mobile application will query the user preferences directly from the DynamoDB table. Utilize STS, Web Identity Federation, and DynamoDB Fine Grained Access Control to authenticate and authorize access (DynamoDB provides high availability as it synchronously replicates data across three facilities within an AWS Region and scalability as it is designed to scale its provisioned throughput up or down while still remaining available. Also suitable for storing user preference data)
    3. Setup an RDS MySQL instance with multiple read replicas in 2 availability zones to store the user preference data. The mobile application will query the user preferences from the read replicas. Leverage the MySQL user management and access privilege system to manage security and access credentials.
    4. Store the user preference data in S3 Setup a DynamoDB table with an item for each user and an item attribute pointing to the user’ S3 object. The mobile application will retrieve the S3 URL from DynamoDB and then access the S3 object directly utilize STS, Web identity Federation, and S3 ACLs to authenticate and authorize access.
  4. A customer is running an application in the US-West (Northern California) region and wants to set up disaster recovery failover to the Asia Pacific (Singapore) region. The customer is interested in achieving a low Recovery Point Objective (RPO) for an Amazon RDS Multi-AZ MySQL database instance. Which approach is best suited to this need?
    1. Synchronous replication
    2. Asynchronous replication (Cross-Region Read Replicas use asynchronous replication. Note: DynamoDB Global Tables with MRSC now offers zero RPO across Regions for NoSQL workloads.)
    3. Route53 health checks
    4. Copying of RDS incremental snapshots
  5. You are designing a file-sharing service. This service will have millions of files in it. Revenue for the service will come from fees based on how much storage a user is using. You also want to store metadata on each file, such as title, description and whether the object is public or private. How do you achieve all of these goals in a way that is economical and can scale to millions of users?
    1. Store all files in Amazon Simple Storage Service (S3). Create a bucket for each user. Store metadata in the filename of each object, and access it with LIST commands against the S3 API.
    2. Store all files in Amazon S3. Create Amazon DynamoDB tables for the corresponding key-value pairs on the associated metadata, when objects are uploaded.
    3. Create a striped set of 4000 IOPS Elastic Load Balancing volumes to store the data. Use a database running in Amazon Relational Database Service (RDS) to store the metadata.
    4. Create a striped set of 4000 IOPS Elastic Load Balancing volumes to store the data. Create Amazon DynamoDB tables for the corresponding key-value pairs on the associated metadata, when objects are uploaded.
  6. Company ABCD has recently launched an online commerce site for bicycles on AWS. They have a “Product” DynamoDB table that stores details for each bicycle, such as manufacturer, color, price, quantity and size, to display in the online store. Due to customer demand, they want to include an image for each bicycle along with the existing details. Which approach below provides the least impact to provisioned throughput on the “Product” table?
    1. Serialize the image and store it in multiple DynamoDB tables
    2. Create an “Images” DynamoDB table to store the Image with a foreign key constraint to the “Product” table
    3. Add an image data type to the “Product” table to store the images in binary format
    4. Store the images in Amazon S3 and add an S3 URL pointer to the “Product” table item for each image
  7. A company needs to store IoT sensor data from thousands of devices. The data is small (under 1KB per reading), arrives at unpredictable rates, and must be queryable by device ID and timestamp with single-digit millisecond latency. Which database solution is most appropriate?
    1. Amazon RDS MySQL with Multi-AZ
    2. Self-managed Cassandra on EC2
    3. Amazon DynamoDB with on-demand capacity mode (DynamoDB with on-demand mode is ideal: handles unpredictable workloads without capacity planning, supports composite key (device ID as partition key, timestamp as sort key), and provides single-digit millisecond latency)
    4. Amazon Aurora Serverless
  8. A company wants to perform real-time analytics on data stored in their DynamoDB table without impacting production read/write performance. Which approach is the most operationally efficient?
    1. Create a read replica of the DynamoDB table
    2. Export data to S3 on a scheduled basis and query with Athena
    3. Use DynamoDB zero-ETL integration with Amazon Redshift (Zero-ETL integration provides near real-time data replication to Redshift without building custom pipelines or impacting DynamoDB performance)
    4. Use DynamoDB Streams with a Lambda function to copy data to RDS

AWS Encrypting Data at Rest – Whitepaper – Certification

Encrypting Data at Rest

🔄 Major Updates (2023-2026)

  • Amazon S3 now automatically encrypts ALL new objects with SSE-S3 by default (Jan 2023). SSE-C disabled by default on new buckets (April 2026).
  • Amazon S3 DSSE-KMS — new dual-layer server-side encryption option (June 2023).
  • AWS KMS — now FIPS 140-3 Level 3 validated. Supports flexible automatic key rotation (90 days to 7 years) and on-demand rotation (April 2024). Post-quantum cryptography support with ML-KEM and ML-DSA (2025-2026).
  • AWS CloudHSM — new hsm2m.medium instance type (Aug 2024) with FIPS 140-3 Level 3 certification and non-FIPS mode.
  • Amazon Aurora — encryption at rest enabled by default for all new clusters (Feb 2026).
  • Amazon EBS — supports encryption by default for all new volumes (opt-in per region), including boot volumes.
  • Amazon Glacier (standalone vault-based service) — stopped accepting new customers Dec 15, 2025. Use S3 Glacier storage classes instead.

  • AWS delivers a secure, scalable cloud computing platform with high availability, offering the flexibility for you to build a wide range of applications
  • AWS allows several options for encrypting data at rest, for an additional layer of security, ranging from a completely automated AWS encryption solution to manual client-side options
  • Encryption requires 3 things
    • Data to encrypt
    • Encryption keys
    • Cryptographic algorithm method to encrypt the data
  • AWS provides different models for Securing data at rest on the following parameters
    • Encryption method
      • Encryption algorithm selection involves evaluating security, performance, and compliance requirements specific to your application
    • Key Management Infrastructure (KMI)
      • KMI enables managing & protecting the encryption keys from unauthorized access
      • KMI provides
        • Storage layer that protects plain text keys
        • Management layer that authorizes key usage
  • Hardware Security Module (HSM)
    • Common way to protect keys in a KMI is using HSM
    • An HSM is a dedicated storage and data processing device that performs cryptographic operations using keys on the device.
    • An HSM typically provides tamper evidence, or resistance, to protect keys from unauthorized use.
    • A software-based authorization layer controls who can administer the HSM and which users or applications can use which keys in the HSM
  • AWS CloudHSM
    • AWS CloudHSM appliance has both physical and logical tamper detection and response mechanisms that trigger zeroization of the appliance.
    • Zeroization erases the HSM’s volatile memory where any keys in the process of being decrypted were stored and destroys the key that encrypts stored objects, effectively causing all keys on the HSM to be inaccessible and unrecoverable.
    • AWS CloudHSM can be used to generate and store key material and can perform encryption and decryption operations.
    • AWS CloudHSM, however, does not perform any key lifecycle management functions (e.g., access control policy, key rotation) and needs a compatible KMI.
    • KMI can be deployed either on-premises or within Amazon EC2 and can communicate to the AWS CloudHSM instance securely over SSL to help protect data and encryption keys.
    • Update (Aug 2024): AWS CloudHSM launched a new hsm2m.medium instance type with FIPS 140-3 Level 3 certification, non-FIPS mode option, increased key storage (16,666 keys), and mTLS support. The previous hsm1.medium type should be migrated to the new instance type.
    • AWS CloudHSM clusters are backed by HSMs certified at FIPS 140-3 Level 3 (previously FIPS 140-2 Level 2/3).
  • AWS Key Management Service (KMS)
    • AWS KMS is a managed encryption service that allows you to provision and use keys to encrypt data in AWS services and your applications.
    • Master keys (now called KMS keys), after creation, are designed to never be exported from the service.
    • AWS KMS gives you centralized control over who can access your KMS keys to encrypt and decrypt data, and it gives you the ability to audit this access.
    • Data can be sent into the KMS to be encrypted or decrypted under a specific KMS key under your account.
    • AWS KMS is natively integrated with other AWS services (for e.g. Amazon EBS, Amazon S3, Amazon RDS, and Amazon Redshift) and AWS SDKs to simplify encryption of your data within those services or custom applications.
    • AWS KMS provides global availability, low latency, and a high level of durability for your keys.
    • AWS KMS HSMs are now validated at FIPS 140-3 Security Level 3 (upgraded from FIPS 140-2 Level 2 in 2023).
    • Key Rotation (2024 Update):
      • Customizable automatic rotation period from 90 days to 7 years (2560 days), previously fixed at 1 year.
      • On-demand key rotation available for immediate rotation of customer managed symmetric encryption keys.
      • Key rotation history tracking available via console and API.
    • External Key Store (XKS): Allows you to store and use encryption keys in an HSM or key manager outside AWS, while still using KMS APIs. Useful for regulatory requirements mandating key storage outside cloud provider infrastructure.
    • Post-Quantum Cryptography (2025-2026):
      • ML-KEM (Module-Lattice Key-Encapsulation Mechanism) support for post-quantum TLS connections to KMS.
      • ML-DSA (Module-Lattice Digital Signature Algorithm) support for quantum-resistant digital signatures (June 2025).
      • CRYSTALS-Kyber support will be removed in 2026 in favor of ML-KEM.
    • Key Store Options:
      • Default KMS key store (FIPS 140-3 Level 3 HSMs managed by AWS)
      • CloudHSM key store (custom key store backed by your CloudHSM cluster)
      • External key store (XKS — keys stored outside AWS)

Encryption Models in AWS

Encryption models in AWS depend on who, you or AWS, provides the encryption method and the KMI

  • You control the encryption method and the entire KMI
  • You control the encryption method, AWS provides the storage component of the KMI, and you provide the management layer of the KMI.
  • AWS controls the encryption method and the entire KMI.

Model A: You control the encryption method and the entire KMI

  • You use your own KMI to generate, store, and manage access to keys as well as control all encryption methods in your applications
  • Proper storage, management, and use of keys to ensure the confidentiality, integrity, and availability of your data is your responsibility
  • AWS has no access to your keys and cannot perform encryption or decryption on your behalf.
  • Amazon S3
    • Encryption of the data is done before the object is sent to AWS S3
    • Encryption of the data can be done using any encryption method and the encrypted data can be uploaded using the PUT request in the Amazon S3 API
    • Key used to encrypt the data needs to be stored securely in your KMI
    • To decrypt this data, the encrypted object can be downloaded from Amazon S3 using the GET request in the Amazon S3 API and then decrypted using the key in your KMI
    • AWS provides Client-side encryption handling, where you can provide your key to the AWS S3 encryption client which will encrypt and decrypt the data on your behalf. However, AWS never has access to the keys or the unencrypted data
  • Amazon EBS
    • Amazon Elastic Block Store (Amazon EBS) provides block-level storage volumes for use with Amazon EC2 instances. Amazon EBS volumes are network-attached, and persist independently from the life of an instance.
    • Because Amazon EBS volumes are presented to an instance as a block device, you can leverage most standard encryption tools for file system-level or block-level encryption
    • Block level encryption
      • Block level encryption tools usually operate below the file system layer using kernel space device drivers to perform encryption and decryption of data.
      • These tools are useful when you want all data written to a volume to be encrypted regardless of what directory the data is stored in
    • File System level encryption
      • File system level encryption usually works by stacking an encrypted file system on top of an existing file system.
      • This method is typically used to encrypt a specific directory
    • These solutions require you to provide keys, either manually or from your KMI.
    • Both block-level and file system-level encryption tools can only be used to encrypt data volumes that are not Amazon EBS boot volumes
    • Update: Amazon EBS now supports native encryption for both boot and data volumes through its built-in encryption feature integrated with AWS KMS. The limitation of third-party tools not supporting boot volume encryption is less relevant as EBS native encryption is the recommended approach.
  • AWS Storage Gateway
    • AWS Storage Gateway is a service connecting an on-premises software appliance with Amazon S3. Data on disk volumes attached to the AWS Storage Gateway will be automatically uploaded to Amazon S3 based on policy
    • Encryption of the source data on the disk volumes can be either done before writing to the disk or using block level encryption on the iSCSI endpoint that AWS Storage Gateway exposes to encrypt all data on the disk volume.
  • Amazon RDS
    • Because Amazon RDS doesn’t expose the attached disk it uses for data storage, the transparent disk encryption techniques from the EBS section cannot be applied.
    • However, individual field data can be encrypted before the data is written to RDS and decrypted after reading it.
    • Update: Amazon RDS now supports native KMS-based encryption at rest for all database engines. All new Amazon Aurora clusters are encrypted by default (Feb 2026).

Model B: You control the encryption method, AWS provides the KMI storage component, and you provide the KMI management layer

  • Model B is similar to Model A where the encryption method is managed by you
  • Model B differs from Model A in that the keys are maintained in AWS CloudHSM rather than in an on-premises key storage system
  • Only you have access to the cryptographic partitions within the dedicated HSM to use the keys
  • Update: With the new hsm2m.medium instance type (Aug 2024), CloudHSM provides FIPS 140-3 Level 3 certification, non-FIPS mode option, and increased key storage capacity (16,666 keys).

Model C: AWS controls the encryption method and the entire KMI

  • AWS provides and manages the server-side encryption of your data, transparently managing the encryption method and the keys.
  • AWS KMS and other services that encrypt your data directly use a method called envelope encryption to provide a balance between performance and security.
  • Envelope Encryption method
    • A master key (KMS key) is defined either by you or AWS
    • A data key (data encryption key) is generated by the AWS service at the time when data encryption is requested
    • Data key is used to encrypt your data.
    • Data key is then encrypted with a key-encrypting key (KMS key) unique to the service storing your data.
    • Encrypted data key and the encrypted data are then stored by the AWS storage service on your behalf.
  • KMS keys used to encrypt data keys are stored and managed separately from the data and the data keys
  • For decryption of the data, the process is reversed. Encrypted data key is decrypted using the KMS key; the data key is then used to decrypt your data
  • Authorized use of encryption keys is done automatically and is securely managed by AWS.
  • Because unauthorized access to those keys could lead to the disclosure of your data, AWS has built systems and processes with strong access controls that minimize the chance of unauthorized access and had these systems verified by third-party audits to achieve security certifications including SOC 1, 2, and 3, PCI-DSS, and FedRAMP.
  • Amazon S3
    • Important (Jan 2023): Amazon S3 now automatically encrypts ALL new objects with SSE-S3 as the base level of encryption. No action required — encryption is applied by default at no additional cost.
    • SSE-S3
      • AWS encrypts each object using a unique data key
      • Data key is encrypted with a periodically rotated master key managed by S3
      • Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard (AES) keys for both object and master keys
      • This is now the default encryption for all S3 objects
    • SSE-KMS
      • KMS keys are defined and managed in KMS for your account
      • Object Encryption
        • When an object is uploaded, a request is sent to KMS to create an object key.
        • KMS generates a unique object key and encrypts it using the KMS key; KMS then returns this encrypted object key along with the plaintext object key to Amazon S3.
        • Amazon S3 web server encrypts your object using the plaintext object key and stores the now encrypted object (with the encrypted object key) and deletes the plaintext object key from memory.
      • Object Decryption
        • To retrieve the encrypted object, Amazon S3 sends the encrypted object key to AWS KMS.
        • AWS KMS decrypts the object key using the correct KMS key and returns the decrypted (plaintext) object key to S3.
        • Amazon S3 decrypts the encrypted object, with the plaintext object key, and returns it to you.
    • DSSE-KMS (Dual-Layer Server-Side Encryption — New June 2023)
      • Applies two independent layers of encryption to objects using AES-256-GCM algorithm
      • Each layer uses a different implementation of AES-256-GCM for defense-in-depth
      • Both layers use KMS keys for key management
      • Designed to meet compliance requirements (e.g., NSA CNSSP 15) that mandate dual-layer encryption
      • Can be configured as bucket default encryption or specified per-object
    • SSE-C
      • You provide Amazon S3 with an encryption key while uploading the object
      • Encryption key is used by Amazon S3 to encrypt your data using AES-256
      • After object encryption, Amazon S3 deletes the encryption key
      • To download, you provide the same encryption key; Amazon S3 verifies that it matches, decrypts the object, and returns it
      • Update (April 2026): SSE-C is now disabled by default on all new S3 general purpose buckets. Existing buckets without SSE-C objects will also have SSE-C disabled. Must be explicitly enabled via bucket settings if needed.
    • S3 Bucket-Level Encryption Enforcement (Nov 2025): New setting to standardize encryption types (SSE-S3 or SSE-KMS only) for all write requests to a bucket.
  • Amazon EBS
    • When Amazon EBS volume is created, you can choose the KMS key to be used for encrypting the volume
    • Encryption by Default: You can enable EBS encryption by default per-region, so all newly created EBS volumes (including boot volumes) are automatically encrypted with the default KMS key or a specified key.
    • Volume encryption
      • Amazon EC2 server sends an authenticated request to AWS KMS to create a volume key.
      • AWS KMS generates this volume key, encrypts it using the KMS key, and returns the plaintext volume key and the encrypted volume key to the Amazon EC2 server.
      • Plaintext volume key is stored in memory to encrypt and decrypt all data going to and from your attached EBS volume.
    • Volume decryption
      • When the encrypted volume (or any encrypted snapshots derived from that volume) needs to be re-attached to an instance, a call is made to AWS KMS to decrypt the encrypted volume key.
      • AWS KMS decrypts this encrypted volume key with the correct KMS key and returns the decrypted volume key to Amazon EC2.
  • Amazon S3 Glacier
    • S3 Glacier provides encryption of the data, by default
    • Before it’s written to disk, data is always automatically encrypted using 256-bit AES keys unique to the service that are stored in separate systems under AWS control
    • S3 Glacier storage classes include: S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval (formerly S3 Glacier), and S3 Glacier Deep Archive
    • Note: The original standalone vault-based Amazon Glacier service stopped accepting new customers on December 15, 2025. Use S3 Glacier storage classes instead.
  • AWS Storage Gateway
    • AWS Storage Gateway transfers your data to AWS over SSL
    • AWS Storage Gateway stores data encrypted at rest in Amazon S3 or S3 Glacier using their respective server side encryption schemes.
  • Amazon RDS – Oracle
    • Oracle Advanced Security option for Oracle on Amazon RDS can be used to leverage the native Transparent Data Encryption (TDE) and Native Network Encryption (NNE) features
    • Oracle encryption module creates data and key-encrypting keys to encrypt the database
    • Key-encrypting keys specific to your Oracle instance on Amazon RDS are themselves encrypted by a periodically rotated 256-bit AES master key.
    • Master key is unique to the Amazon RDS service and is stored in separate systems under AWS control
    • Update: Amazon RDS also supports native KMS-based encryption at the storage layer (EBS-level encryption) as an alternative to Oracle TDE.
  • Amazon RDS – SQL Server
    • Transparent Data Encryption (TDE) can be provisioned for Microsoft SQL Server on Amazon RDS.
    • SQL Server encryption module creates data and key-encrypting keys to encrypt the database.
    • Key-encrypting keys specific to your SQL Server instance on Amazon RDS are themselves encrypted by a periodically rotated, regional 256-bit AES master key
    • Master key is unique to the Amazon RDS service and is stored in separate systems under AWS control
    • Update (Oct 2025): Amazon RDS for SQL Server now supports encrypting native backups using SSE-KMS.
  • Amazon Aurora (New – Feb 2026)
    • All new Aurora database clusters created on or after February 18, 2026 are encrypted at rest by default using AES-256 encryption
    • Uses AWS owned keys if no custom encryption is specified
    • Encryption is transparent with no performance impact
    • Existing unencrypted clusters are unaffected but can be migrated to encrypted clusters
    • Supports customer managed KMS keys for additional control
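
The envelope-encryption flow described under Model C (a data key generated at write time, wrapped under a KMS key, and unwrapped again at read time, the way SSE-KMS and EBS volume encryption work), and its client-side counterpart under Model A where the master key sits in your own KMI, as an added Python example that is not from the whitepaper or from AWS. The KeyStore class is a constructed in-memory stand-in for KMS (or your KMI), the key ids are placeholders, and the seal/unseal cipher is a stdlib HMAC-SHA256 counter-mode construction with an integrity tag standing in for the AES-256 AWS uses.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

BLOCK = 32  # SHA-256 digest size; the keystream is produced in 32-byte blocks


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one 256-bit key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode PRF keystream: a constructed stand-in for AES-256, not AES.
    out = bytearray()
    for counter in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; any modified byte is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext or tag was modified")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyStore:
    """Constructed stand-in for AWS KMS (or your own KMI): KMS keys are created
    here and never leave; callers only ever receive data keys and wrapped keys."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._enabled: dict[str, bool] = {}
        self.audit: list[tuple[str, str]] = []  # the usage trail CloudTrail would hold

    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(4)  # placeholder id, not a real KMS ARN
        self._keys[key_id] = os.urandom(32)
        self._enabled[key_id] = True
        return key_id

    def disable_key(self, key_id: str) -> None:
        self._enabled[key_id] = False

    def generate_data_key(self, key_id: str) -> tuple[bytes, bytes]:
        """Like KMS GenerateDataKey: returns (plaintext data key, wrapped data key).
        The wrapped key carries its key id, so decrypt() needs no key id argument."""
        self._check(key_id)
        self.audit.append(("GenerateDataKey", key_id))
        data_key = os.urandom(32)
        wrapped = key_id.encode() + b":" + seal(self._keys[key_id], data_key)
        return data_key, wrapped

    def decrypt(self, wrapped: bytes) -> bytes:
        """Like KMS Decrypt: unwraps a data key under the KMS key that wrapped it."""
        raw_id, blob = wrapped.split(b":", 1)
        key_id = raw_id.decode()
        self._check(key_id)
        self.audit.append(("Decrypt", key_id))
        return unseal(self._keys[key_id], blob)

    def _check(self, key_id: str) -> None:
        if not self._enabled.get(key_id, False):
            raise PermissionError(f"KMS key {key_id} is disabled or unknown")


@dataclass
class StoredObject:
    """What the storage service keeps: ciphertext plus the wrapped data key,
    never the plaintext data key."""
    wrapped_data_key: bytes
    ciphertext: bytes


def put_object(kms: KeyStore, key_id: str, plaintext: bytes) -> StoredObject:
    data_key, wrapped = kms.generate_data_key(key_id)
    ciphertext = seal(data_key, plaintext)
    del data_key  # the plaintext data key is discarded once the object is sealed
    return StoredObject(wrapped, ciphertext)


def get_object(kms: KeyStore, obj: StoredObject) -> bytes:
    # Reverse path: unwrap the data key through the KMI, then decrypt the object.
    data_key = kms.decrypt(obj.wrapped_data_key)
    return unseal(data_key, obj.ciphertext)
```

Disabling the KMS key, or revoking a caller's permission on it, makes every object wrapped under it unreadable even though the ciphertext and wrapped data key are untouched; that is why the KMS key is the control point.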

Sample Exam Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated
  • Open to further feedback, discussion and correction.
  1. How can you secure data at rest on an EBS volume?
    1. Encrypt the volume using the S3 server-side encryption service
    2. Attach the volume to an instance using EC2’s SSL interface.
    3. Create an IAM policy that restricts read and write access to the volume.
    4. Write the data randomly instead of sequentially.
    5. Use an encrypted file system on top of the EBS volume
  2. Your company policies require encryption of sensitive data at rest. You are considering the possible options for protecting data while storing it at rest on an EBS data volume, attached to an EC2 instance. Which of these options would allow you to encrypt your data at rest? (Choose 3 answers)
    1. Implement third party volume encryption tools
    2. Do nothing as EBS volumes are encrypted by default
    3. Encrypt data inside your applications before storing it on EBS
    4. Encrypt data using native data encryption drivers at the file system level
    5. Implement SSL/TLS for all services running on the server
  3. A company is storing data on Amazon Simple Storage Service (S3). The company’s security policy mandates that data is encrypted at rest. Which of the following methods can achieve this? Choose 3 answers
    1. Use Amazon S3 server-side encryption with AWS Key Management Service managed keys
    2. Use Amazon S3 server-side encryption with customer-provided keys
    3. Use Amazon S3 server-side encryption with EC2 key pair.
    4. Use Amazon S3 bucket policies to restrict access to the data at rest.
    5. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key
    6. Use SSL to encrypt the data while in transit to Amazon S3.
  4. Which 2 services provide native encryption?
    1. Amazon EBS
    2. Amazon S3 Glacier
    3. Amazon Redshift (is optional)
    4. Amazon RDS (is optional)
    5. Amazon Storage Gateway
  5. With which AWS services can CloudHSM be used? (select 2)
    1. S3
    2. DynamoDB
    3. RDS
    4. ElastiCache
    5. Amazon Redshift
  6. A company needs to ensure all new objects uploaded to Amazon S3 are encrypted. What is the MOST operationally efficient approach? [Updated 2023+]
    1. Create a bucket policy denying unencrypted uploads
    2. No action needed — S3 automatically encrypts all new objects with SSE-S3 by default since January 2023
    3. Enable default encryption on each bucket manually
    4. Use AWS Config rules to detect unencrypted objects
  7. A company requires FIPS 140-3 Level 3 validated key management. Which options meet this requirement? (Choose 2) [Updated 2024+]
    1. AWS KMS default key store
    2. AWS Secrets Manager
    3. AWS CloudHSM with hsm2m.medium instance type
    4. Amazon S3 SSE-S3 managed keys
    5. AWS Certificate Manager
  8. An organization needs to rotate KMS keys every 90 days for compliance. How can this be achieved? [New 2024]
    1. Create a Lambda function to create new keys quarterly
    2. This is not possible as KMS only supports annual rotation
    3. Configure automatic key rotation with a custom period of 90 days using the rotation period setting
    4. Use AWS Config to trigger manual key rotation
  9. A regulated financial institution requires encryption keys to remain outside AWS infrastructure at all times. Which AWS KMS feature addresses this requirement? [New 2024]
    1. AWS KMS custom key store with CloudHSM
    2. AWS KMS imported key material (BYOK)
    3. AWS KMS External Key Store (XKS)
    4. AWS CloudHSM with on-premises HSM replication
  10. Which Amazon S3 encryption option applies two independent layers of server-side encryption to objects? [New 2023]
    1. SSE-S3 with bucket key
    2. SSE-KMS with automatic key rotation
    3. DSSE-KMS (Dual-Layer Server-Side Encryption with KMS)
    4. SSE-C with two different customer keys

AWS DDoS Resiliency Best Practices Overview

AWS DDoS Resiliency – Best Practices

📋 Whitepaper Update Notice

The original AWS DDoS Best Practices whitepaper (June 2015) has been updated multiple times, with the latest revision dated August 9, 2023. AWS now marks it as “historical reference.” The current AWS DDoS protection guidance is integrated into the AWS WAF, Shield, and Firewall Manager Developer Guide.

This post has been updated to reflect the modern AWS DDoS protection services including AWS Shield, AWS WAF v2, AWS Firewall Manager, and the new Anti-DDoS Managed Rule Group (2026).

  • Denial of Service (DoS) is an attack, carried out by a single attacker, which attempts to make a website or application unavailable to the end users.
  • Distributed Denial of Service (DDoS) is an attack, carried out by multiple attackers either controlled or compromised by a group of collaborators, which generates a flood of requests to the application making it unavailable to the legitimate end users.
  • DDoS attacks can be segregated by which layer of the OSI model they attack:
    • Infrastructure layer attacks (Layer 3 and 4) — SYN/UDP floods, reflection attacks, amplification attacks
    • Application layer attacks (Layer 6 and 7) — HTTP/S floods, DNS query floods, SSL/TLS abuse

AWS DDoS Protection Services

  • AWS Shield Standard — Free, automatic protection for all AWS customers against common infrastructure DDoS attacks (Layer 3/4)
  • AWS Shield Advanced — Paid managed DDoS protection with enhanced detection, always-on automatic mitigation, 24/7 access to Shield Response Team (SRT), cost protection, and application layer protections
  • AWS WAF — Web application firewall for application layer (Layer 7) protection with managed rule groups, rate-based rules, and bot control
  • AWS Firewall Manager — Centralized security policy management across multiple accounts and resources in AWS Organizations
  • AWS Shield Network Security Director (Preview, 2025) — Analyzes network resources, identifies configuration issues, and provides remediation recommendations for comprehensive DDoS posture

Mitigation Techniques

Minimize the Attack Surface Area

  • Reduce the attack surface by minimizing the different Internet entry points that allow access to your application
  • Strategy to minimize the Attack surface area:
    • Reduce the number of necessary Internet entry points
    • Don’t expose back-end servers
    • Eliminate non-critical Internet entry points
    • Separate end user traffic from management traffic
    • Obfuscate necessary Internet entry points to the level that untrusted end users cannot access them
    • Decouple Internet entry points to minimize the effects of attacks
  • Benefits:
    • Minimizes the effective attack vectors and targets
    • Less to monitor and protect
  • Strategy can be achieved using AWS Virtual Private Cloud (VPC):
    • Defines a logically isolated virtual network within AWS
    • Provides ability to create Public & Private Subnets to launch internet-facing and non-public-facing instances accordingly
    • Provides NAT gateway allowing instances in private subnets to have internet access without Public IPs
    • Allows creation of Bastion hosts (or use AWS Systems Manager Session Manager) for connecting to instances in private subnets
    • Provides security groups for instances and NACLs for subnets to control and limit outbound and inbound traffic
    • Supports VPC endpoints (Gateway and Interface) to access AWS services privately without traversing the internet
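
The attack-surface strategy above (don't expose back-end servers, separate end-user from management traffic, scope ingress with security groups) as a check that can be run over security group definitions, added here as an example and not AWS code. The groups below are constructed in the shape an EC2 DescribeSecurityGroups response uses, so the same function can be pointed at a real boto3 response; the management-port list and the back-end group ids are this example's own assumptions.

```python
from ipaddress import ip_network

# Ports treated as management traffic (example's own choice: SSH, RDP, WinRM).
MANAGEMENT_PORTS = {22, 3389, 5985, 5986}


def _port_range(perm: dict) -> tuple[int, int]:
    # IpProtocol "-1" means all protocols and therefore every port.
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _internet_wide(perm: dict) -> bool:
    # A /0 prefix (0.0.0.0/0 or ::/0) admits the whole Internet; rules that
    # reference other security groups (UserIdGroupPairs) carry no CIDR at all.
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ip_network(c).prefixlen == 0 for c in cidrs)


def audit_security_groups(groups: list[dict], backend_group_ids: set[str]) -> list[dict]:
    """One finding per violated rule of the attack-surface strategy."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        public_mgmt = public_app = False
        for perm in sg.get("IpPermissions", []):
            if not _internet_wide(perm):
                continue  # scoped to a known range or to another security group
            lo, hi = _port_range(perm)
            if gid in backend_group_ids:
                findings.append({"group": gid, "rule": "back-end server exposed to the Internet",
                                 "ports": (lo, hi)})
            mgmt = {p for p in MANAGEMENT_PORTS if lo <= p <= hi}
            if mgmt:
                findings.append({"group": gid, "rule": "management port open to the Internet",
                                 "ports": tuple(sorted(mgmt))})
                public_mgmt = True
            if (hi - lo + 1) > len(mgmt):  # the range also admits non-management ports
                public_app = True
        if public_mgmt and public_app:
            findings.append({"group": gid, "rule": "end-user and management traffic share one entry point",
                             "ports": None})
    return findings


# Constructed sample: a public web tier, a bastion, an app tier and a database.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]
BACKEND_GROUPS = {"sg-app", "sg-db"}  # assumed: groups that must never face the Internet

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS, BACKEND_GROUPS):
        print(finding)
```

The bastion (SSH from one corporate range) and the app tier (ingress only from sg-web) produce no findings; the web tier with SSH open to the world and the database group allowing all traffic from 0.0.0.0/0 are flagged.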

VPC Architecture

Be Ready to Scale to Absorb the Attack

  • DDoS attacks mainly aim to overload systems beyond their capacity, rendering them unusable
  • Scaling out Benefits:
    • Helps build a resilient architecture
    • Makes the attacker work harder
    • Gives you time to think, analyze, and adapt
  • AWS services for scaling:
    • Auto Scaling & Elastic Load Balancing
      • Horizontal scaling using Auto Scaling with ELB (ALB, NLB, or CLB)
      • Auto Scaling allows instances to be added and removed as demand changes
      • ELB distributes traffic across multiple EC2 instances while acting as a single point of contact
      • Auto Scaling automatically registers and deregisters EC2 instances with the ELB during scale-out and scale-in events
      • Application Load Balancer (ALB) integrates natively with AWS WAF for Layer 7 protection
      • Network Load Balancer (NLB) handles millions of requests per second with ultra-low latency for Layer 4 traffic
    • EC2 Instance
      • Vertical scaling can be achieved by using appropriate EC2 instance types (e.g., EBS-optimized or ones with 25/100 Gbps network connectivity) to handle the load
    • Enhanced Networking
      • Use instances with Enhanced Networking capabilities (ENA) for high packet-per-second performance, low latency networking, and improved scalability
    • Amazon CloudFront
      • CloudFront is a CDN that acts as a proxy between end users and Origin servers, distributing content without sending all traffic to the Origin
      • Has inherent ability to mitigate both infrastructure and application layer DDoS attacks by dispersing traffic across multiple edge locations globally
      • AWS has multiple Internet connections for capacity and redundancy at each location, allowing isolation of attack traffic while serving legitimate end users
      • CloudFront filters to ensure only valid TCP connections and HTTP requests are processed, dropping invalid requests (commonly used in UDP & SYN floods, and slow reads)
      • CloudFront Security Dashboard (2023) provides unified CDN and security experience with one-click AWS WAF protection and built-in security monitoring
      • Integrates natively with AWS WAF and AWS Shield Advanced
    • Amazon Route 53
      • DDoS attacks also target DNS — if DNS is unavailable, the application is effectively unavailable
      • AWS Route 53 is a highly available and scalable DNS service with capabilities to withstand DDoS attacks:
        • Shuffle Sharding — spreads DNS requests over numerous PoPs using independent sets of edge locations, providing multiple paths to your application
        • Anycast Routing — advertises the same IP address from multiple PoPs, increasing redundancy; if one endpoint is overwhelmed, traffic routes to others
    • AWS Global Accelerator
      • Uses static anycast IP addresses as entry points to the AWS global network
      • Integrates with AWS Shield for DDoS mitigation at the edge, including a stateless SYN proxy that challenges new connections and only serves legitimate end users
      • Routes traffic over the AWS backbone network, away from the congested public internet
      • Provides fault isolation and deterministic routing for improved DDoS resiliency

Safeguard Exposed & Hard-to-Scale Resources

  • If entry points cannot be limited, additional measures are needed to restrict access to and protect those entry points without interrupting legitimate end user traffic
  • AWS services for protection:
    • CloudFront
      • Restrict access using Geo Restriction and Origin Access Control (OAC)
      • With Geo Restriction, access can be restricted to whitelisted countries or blocked from blacklisted countries
      • Origin Access Control (OAC) replaces the legacy Origin Access Identity (OAI) — allows access to S3 origins only through CloudFront while denying direct access. OAC supports SSE-KMS, dynamic requests, and all S3 regions.
    • Route 53
      • Alias Record sets and Private DNS make it easier to scale infrastructure and respond to DDoS attacks
      • Route 53 health checks enable automatic failover to healthy resources
    • AWS WAF (Web Application Firewall)
      • AWS WAF is a fully managed service (not EC2-based) that filters web traffic using customizable rules
      • Integrates directly with CloudFront, ALB, API Gateway, AppSync, App Runner, Cognito, and Verified Access
      • Key capabilities:
        • Rate-based rules — automatically blocks IPs exceeding request thresholds
        • Managed Rule Groups — pre-built rules for OWASP Top 10, known bad inputs, SQL injection, XSS
        • Bot Control — managed bot detection and mitigation covering 650+ unique bots and AI agents
        • Fraud Control — Account Takeover Prevention (ATP) and Account Creation Fraud Prevention (ACFP)
        • Anti-DDoS Managed Rule Group (AWSManagedRulesAntiDDoSRuleSet) — launched March 2026 as the default L7 DDoS protection; establishes traffic baselines, detects anomalies within seconds, and mitigates HTTP floods automatically
        • AI Bot Management — AI Activity Dashboard (Feb 2026) for visibility into AI scrapers, tools, and agents; supports AI traffic monetization
        • Geo-match conditions, IP set rules, regex pattern sets
        • Custom response bodies and headers
      • No longer requires the “WAF sandwich” pattern — AWS WAF is now a native, managed Layer 7 service that does not require separate EC2 instances
    • AWS Shield Advanced
      • Provides managed DDoS protection for CloudFront, Route 53, Global Accelerator, ELB, and EC2 Elastic IPs
      • Key features:
        • Always-on detection and automatic mitigation with sub-second time-to-mitigate
        • Application layer automatic mitigation — automatically deploys WAF rules during attacks
        • Shield Response Team (SRT) — 24/7 expert support during active DDoS events
        • Cost protection — credits for scaling charges incurred during DDoS attacks
        • DDoS visibility — real-time metrics, attack notifications, and forensic reports
        • Health-based detection — uses Route 53 health checks to improve detection accuracy and reduce false positives
        • Network Security Director (Preview, June 2025) — discovers resources, visualizes network topology, identifies security misconfigurations, and provides remediation recommendations using Amazon Q Developer
    • AWS Firewall Manager
      • Centrally configure and manage AWS WAF rules, Shield Advanced protections, security groups, Network Firewall, and DNS Firewall policies across all accounts in AWS Organizations
      • Automatically applies security policies to new resources as they are created
      • Provides compliance monitoring and reporting
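To make the rate-based rule behaviour concrete, here is an added example (not AWS code and not from this page's author) that replays WAF-style log records through a sliding-window counter and then builds the wafv2 rule definitions that would enforce the same limit alongside the Anti-DDoS managed rule group. The log lines, window, limit and addresses are constructed assumptions for the demo.

```python
"""Added example (not AWS code): replay WAF-style log records through a
sliding-window rate limiter to show how a rate-based rule decides to block,
then build the equivalent wafv2 rule definitions. The log lines below are
constructed in the shape of AWS WAF JSON logs, not captured traffic; the
window, limit and addresses are assumptions for the demo."""
from __future__ import annotations

import json
from collections import defaultdict, deque

WINDOW_MS = 5 * 60 * 1000  # rate-based rules count requests over a 5-minute window
RATE_LIMIT = 100           # requests per window before an IP is blocked (demo value)


def _record(ts_ms: int, ip: str) -> str:
    # Only the fields this example reads; real WAF logs carry many more.
    return json.dumps({"timestamp": ts_ms, "action": "ALLOW",
                       "httpRequest": {"clientIp": ip, "uri": "/"}})


def constructed_waf_log_lines() -> list[str]:
    """Constructed WAF log lines: one normal client and one flooding source."""
    lines = []
    for i in range(20):                      # normal client: 1 request / 30 s
        lines.append(_record(i * 30_000, "198.51.100.10"))
    for i in range(150):                     # flood: 1 request / s from t = 60 s
        lines.append(_record(60_000 + i * 1_000, "203.0.113.5"))
    return lines


def parse_waf_log(lines):
    """Yield (timestamp_ms, client_ip) pairs from WAF JSON log lines."""
    for line in lines:
        rec = json.loads(line)
        yield int(rec["timestamp"]), rec["httpRequest"]["clientIp"]


def evaluate_rate_rule(events, limit=RATE_LIMIT, window_ms=WINDOW_MS):
    """Return {ip: timestamp_ms at which that IP first exceeded the limit}.

    Each IP keeps a deque of request timestamps inside the trailing window.
    Real AWS WAF re-evaluates counts periodically rather than per request,
    so this approximates when a block would begin; it is not an exact replay.
    """
    windows: dict[str, deque] = defaultdict(deque)
    blocked: dict[str, int] = {}
    for ts, ip in sorted(events):
        dq = windows[ip]
        dq.append(ts)
        while dq[0] <= ts - window_ms:        # expire requests outside the window
            dq.popleft()
        if len(dq) > limit and ip not in blocked:
            blocked[ip] = ts
    return blocked


def _visibility(name: str) -> dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}


def rate_rule(limit: int = RATE_LIMIT, priority: int = 0) -> dict:
    """wafv2 Rule enforcing the same per-IP limit as evaluate_rate_rule."""
    return {"Name": "RateLimitPerIP", "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit,
                                                 "AggregateKeyType": "IP"}},
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility("RateLimitPerIP")}


def anti_ddos_rule(priority: int = 1) -> dict:
    """wafv2 Rule referencing the Anti-DDoS managed rule group named above."""
    return {"Name": "AntiDDoS", "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesAntiDDoSRuleSet"}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": _visibility("AntiDDoS")}


def web_acl_rules() -> list[dict]:
    """Rule list for a web ACL; priorities must be unique within one ACL."""
    rules = [rate_rule(), anti_ddos_rule()]
    assert len({r["Priority"] for r in rules}) == len(rules)
    return rules


if __name__ == "__main__":
    hits = evaluate_rate_rule(parse_waf_log(constructed_waf_log_lines()))
    for ip, ts in hits.items():
        print(f"{ip} exceeded {RATE_LIMIT} requests / 5 min at t={ts / 1000:.0f}s")
    print(json.dumps(web_acl_rules(), indent=2))
```

The rule list is the `Rules` element of a `wafv2 create-web-acl` request; the normal client never trips the limit, while the flooding source is flagged at its 101st request.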

DDoS Resiliency - WAF Sandwich Architecture (Legacy Pattern)

Note: The WAF Sandwich pattern shown above is a legacy architecture. AWS WAF is now a fully managed service that integrates natively with ALB, CloudFront, API Gateway, and other services — no separate EC2-based WAF instances are needed.

Learn Normal Behavior

  • Understand the normal levels and patterns of traffic for your application and use that as a benchmark for identifying abnormal traffic or resource spikes
  • Benefits:
    • Helps spot abnormalities
    • Lets you configure alarms with accurate thresholds
    • Assists with generating forensic data
  • AWS services for tracking and detection:
    • Amazon CloudWatch
      • Monitor infrastructure and applications running on AWS
      • Collect metrics, log files, and set alarms for when metrics pass predetermined thresholds
      • Shield Advanced publishes DDoS metrics: DDoSDetected, DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, DDoSAttackRequestsPerSecond
    • VPC Flow Logs
      • Capture traffic to instances in a VPC to understand traffic patterns and detect anomalies
      • Can be published to CloudWatch Logs or S3 for analysis
    • AWS WAF Logging & Metrics
      • Full logging of all evaluated requests to S3, CloudWatch Logs, or Kinesis Data Firehose
      • Real-time metrics in CloudWatch for blocked/allowed/counted requests
      • Traffic Overview Dashboard (2025) — near-real-time summaries including total requests, blocked requests, bot categories, CAPTCHA solve rates, and top matched rules
    • AWS CloudTrail
      • Logs API calls for auditing configuration changes to WAF, Shield, and security groups
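As an added example of learning normal behaviour from VPC Flow Logs (not AWS code and not from this page's author), the script below builds a per-minute packet baseline for one instance, derives a CloudWatch-style static alarm threshold from it, and flags the intervals that depart from the baseline along with the top contributing source. The flow-log records, addresses and counts are constructed for the demo.

```python
"""Added example (not AWS code): learn a traffic baseline from VPC Flow Log
records and flag intervals that depart from it, the way an operator would
size CloudWatch alarm thresholds. Records are constructed in the default
flow-log format; addresses, times and counts are assumptions for the demo."""
from __future__ import annotations

import math
import statistics
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

BASE = 1_700_000_000  # constructed epoch start of the capture window


def constructed_flow_logs() -> list[str]:
    """Constructed records: 10 baseline minutes, 2 normal minutes, 1 flood."""
    def rec(start, src, packets, status="OK"):
        p = "-" if status != "OK" else packets          # NODATA/SKIPDATA use '-'
        b = "-" if status != "OK" else packets * 60
        return (f"2 123456789012 eni-0abc123 {src} 10.0.0.5 40000 443 6 "
                f"{p} {b} {start} {start + 60} ACCEPT {status}")
    lines = []
    for i in range(12):
        start = BASE + i * 60
        wobble = (0, 2, -2, 4, -4)[i % 5] if i < 10 else 0
        lines.append(rec(start, "10.0.1.10", 60 + wobble))
        lines.append(rec(start, "10.0.1.11", 40))
    lines.append(rec(BASE + 5 * 60, "10.0.1.12", 0, status="SKIPDATA"))
    start = BASE + 12 * 60
    lines.append(rec(start, "10.0.1.10", 60))
    lines.append(rec(start, "10.0.1.11", 40))
    lines.append(rec(start, "203.0.113.77", 5000))     # flood toward 10.0.0.5
    return lines


def parse_flow_logs(lines):
    """Yield one dict per record, skipping NODATA/SKIPDATA records."""
    for line in lines:
        rec = dict(zip(FIELDS, line.split()))
        if rec["log-status"] != "OK":
            continue
        for k in ("packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
        yield rec


def packets_per_interval(records, dst):
    """{interval_start: {srcaddr: packets}} for traffic toward dst."""
    per = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["dstaddr"] == dst:
            per[r["start"]][r["srcaddr"]] += r["packets"]
    return per


def learn_baseline(per_interval, baseline_end):
    """Mean and population stdev of per-interval totals before baseline_end."""
    totals = [sum(s.values()) for start, s in per_interval.items()
              if start < baseline_end]
    return statistics.mean(totals), statistics.pstdev(totals)


def alarm_threshold(mean, stdev, k=3.0) -> int:
    """Static threshold for a CloudWatch alarm: mean plus k standard deviations."""
    return math.ceil(mean + k * stdev)


def detect_spikes(per_interval, threshold, baseline_end):
    """Intervals at/after baseline_end whose total exceeds the threshold, with
    the source that contributed most packets (input for a human review)."""
    spikes = []
    for start in sorted(per_interval):
        if start < baseline_end:
            continue
        srcs = per_interval[start]
        total = sum(srcs.values())
        if total > threshold:
            top = max(srcs, key=srcs.get)
            spikes.append({"start": start, "packets": total,
                           "top_source": top, "top_packets": srcs[top]})
    return spikes


def analyze(lines=None, dst="10.0.0.5", baseline_minutes=10) -> dict:
    """Learn from the first baseline_minutes of records, then evaluate the rest."""
    lines = constructed_flow_logs() if lines is None else lines
    per = packets_per_interval(parse_flow_logs(lines), dst)
    baseline_end = min(per) + baseline_minutes * 60
    mean, stdev = learn_baseline(per, baseline_end)
    threshold = alarm_threshold(mean, stdev)
    return {"mean": mean, "stdev": stdev, "threshold": threshold,
            "spikes": detect_spikes(per, threshold, baseline_end)}


if __name__ == "__main__":
    result = analyze()
    print(f"baseline {result['mean']:.1f} +/- {result['stdev']:.1f} packets/min, "
          f"alarm threshold {result['threshold']}")
    for s in result["spikes"]:
        print(f"spike at {s['start']}: {s['packets']} packets, "
              f"top source {s['top_source']} ({s['top_packets']})")
```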

Create a Plan for Attacks

  • Have a plan in place before an attack, which ensures that:
    • Architecture has been validated and the techniques selected work for the infrastructure
    • Costs for increased resiliency have been evaluated and the goals of your defense are understood
    • Contact points have been identified
    • Runbooks exist for DDoS incident response
  • AWS Shield Advanced SRT engagement — proactive or reactive engagement with DDoS experts
  • AWS Support — Business or Enterprise Support plans provide access to 24/7 support during attacks

DDoS-Resilient Reference Architecture

AWS recommends using the following services at the edge for maximum DDoS resiliency:

  • Edge Layer: Amazon CloudFront + AWS WAF + AWS Shield (Standard/Advanced) + Amazon Route 53
  • Network Layer: AWS Global Accelerator + Elastic Load Balancing (ALB/NLB) + VPC with NACLs and Security Groups
  • Application Layer: Auto Scaling groups + EC2 instances in multiple AZs
  • Management Layer: AWS Firewall Manager for centralized policy management across accounts

Key principle: Push traffic as far from the origin as possible using CloudFront, Global Accelerator, and Route 53 to leverage AWS’s globally distributed DDoS mitigation capacity (terabits scale).

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. You are designing a social media site and are considering how to mitigate distributed denial-of-service (DDoS) attacks. Which of the below are viable mitigation techniques? (Choose 3 answers)
    1. Add multiple elastic network interfaces (ENIs) to each EC2 instance to increase the network bandwidth.
    2. Use dedicated instances to ensure that each instance has the maximum performance possible.
    3. Use an Amazon CloudFront distribution for both static and dynamic content.
    4. Use an Elastic Load Balancer with auto scaling groups at the web app and Amazon Relational Database Service (RDS) tiers.
    5. Add Amazon CloudWatch alerts to look for high Network In and CPU utilization.
    6. Create processes and capabilities to quickly add and remove rules to the instance OS firewall.
  2. You’ve been hired to enhance the overall security posture for a very large e-commerce site. They have a well architected multi-tier application running in a VPC that uses ELBs in front of both the web and the app tier with static assets served directly from S3. They are using a combination of RDS and DynamoDB for their dynamic data and then archiving nightly into S3 for further processing with EMR. They are concerned because they found questionable log entries and suspect someone is attempting to gain unauthorized access. Which approach provides a cost effective scalable mitigation to this kind of attack?
    1. Recommend that they lease space at a DirectConnect partner location and establish a 1G DirectConnect connection to their VPC they would then establish Internet connectivity into their space, filter the traffic in hardware Web Application Firewall (WAF). And then pass the traffic through the DirectConnect connection into their application running in their VPC. (Not cost effective)
    2. Add previously identified hostile source IPs as an explicit INBOUND DENY NACL to the web tier subnet. (does not protect against new source)
    3. Add a WAF tier by creating a new ELB and an AutoScaling group of EC2 Instances running a host-based WAF. They would redirect Route 53 to resolve to the new WAF tier ELB. The WAF tier would then pass the traffic to the current web tier. The web tier Security Groups would be updated to only allow traffic from the WAF tier Security Group (Note: This describes the legacy “WAF sandwich” pattern. In modern AWS, you would simply enable AWS WAF on the existing ALB — no separate EC2 WAF tier is needed.)
    4. Remove all but TLS 1.2 from the web tier ELB and enable Advanced Protocol Filtering. This will enable the ELB itself to perform WAF functionality. (No advanced protocol filtering in ELB)
  3. A company wants to protect its web application from Layer 7 DDoS attacks and common web exploits. The application uses Amazon CloudFront with an Application Load Balancer origin. Which combination of AWS services provides the MOST effective protection? (Choose 2 answers)
    1. Enable AWS Shield Advanced on the CloudFront distribution and ALB with automatic application layer DDoS mitigation
    2. Deploy AWS Network Firewall in front of the ALB
    3. Associate an AWS WAF web ACL with rate-based rules and the Anti-DDoS Managed Rule Group on the CloudFront distribution
    4. Use Security Groups on the ALB to block malicious IPs
    5. Enable VPC Flow Logs and manually block attacking IPs
  4. A security team needs to protect multiple AWS accounts’ web applications from DDoS attacks with consistent security policies. Which approach provides centralized management with automatic enforcement?
    1. Manually configure AWS WAF rules on each account’s resources
    2. Use AWS Firewall Manager to define WAF and Shield Advanced policies across the AWS Organization
    3. Deploy third-party WAF appliances in each VPC
    4. Use AWS Config rules to audit WAF configurations
  5. Which AWS service provides automatic, always-on protection against common DDoS attacks at no additional cost for ALL AWS customers?
    1. AWS WAF
    2. AWS Shield Standard
    3. AWS Shield Advanced
    4. AWS Firewall Manager
  6. A company is experiencing an active DDoS attack on their application behind CloudFront. They have AWS Shield Advanced enabled. Which features are available to help mitigate the attack? (Choose 3 answers)
    1. 24/7 access to the AWS Shield Response Team (SRT)
    2. Automatic VPC security group rule updates
    3. Automatic application layer mitigation through managed WAF rules
    4. Cost protection credits for scaling charges incurred during the attack
    5. Automatic CloudFront distribution disablement

AWS Security – Whitepaper – Certification

📋 Important Update

The original AWS Security Whitepaper and the “Overview of Security Processes” whitepaper have been archived by AWS and marked as “historical reference only.” AWS now recommends the following current resources:

The core concepts below remain relevant for AWS certification exams, updated with current information.

Shared Security Responsibility Model

In the Shared Security Responsibility Model, AWS is responsible for securing the underlying infrastructure that supports the cloud (“Security of the Cloud”), and you’re responsible for anything you put on the cloud or connect to the cloud (“Security in the Cloud”).

AWS Security Shared Responsibility Model

AWS Security Responsibilities (“Security OF the Cloud”)

  • AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS cloud. This infrastructure comprises the hardware, software, networking, and facilities that run AWS services.
  • AWS provides several reports from third-party auditors who have verified their compliance with a variety of computer security standards and regulations (available via AWS Artifact)
  • AWS is responsible for the security configuration of its products that are considered managed services, e.g., RDS, DynamoDB, Lambda, Fargate
  • For Managed Services, AWS will handle basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery.
  • AWS infrastructure is built on the AWS Nitro System, which provides hardware-enforced isolation between instances and prohibits administrative access to customer data.

Customer Security Responsibilities (“Security IN the Cloud”)

  • AWS Infrastructure as a Service (IaaS) products, e.g., EC2, VPC, S3, are completely under your control and require you to perform all of the necessary security configuration and management tasks.
  • Management of the guest OS (including updates and security patches), any application software or utilities installed on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance
  • For managed services, you are responsible for configuring logical access controls for the resources, protecting account credentials, and encrypting data at rest and in transit as applicable
  • Identity and access management using AWS IAM, including MFA, password policies, IAM roles, and least-privilege access
  • Data encryption at rest and in transit using services like AWS KMS, ACM, and S3 encryption options

Shared Responsibility Model Variations

  • Infrastructure Services (EC2, EBS, VPC) – Customer manages OS, patching, firewall, encryption
  • Container Services (RDS, ECS, EMR) – AWS manages OS/platform, customer manages access, firewall rules, data encryption
  • Abstract Services (S3, DynamoDB, Lambda, SQS) – AWS manages platform entirely, customer manages data classification, IAM policies, and encryption options

AWS Global Infrastructure Security

AWS Nitro System

  • The AWS Nitro System is the underlying platform for all modern EC2 instances, providing hardware-based security isolation
  • Virtualization resources are offloaded to dedicated hardware and software, minimizing the attack surface
  • Nitro System’s security model is locked down and prohibits administrative access, eliminating the possibility of human error and tampering
  • Nitro Isolation Engine (GA 2025 on Graviton5) – The first commercially deployed formally verified hypervisor, providing mathematically proven isolation between virtual machines
  • Nitro Enclaves – Provides isolated compute environments for processing highly sensitive data (e.g., PII, healthcare, financial data) with no persistent storage, interactive access, or external networking

AWS Compliance Program

AWS supports 143 security standards and compliance certifications, including:

  • SOC 1, SOC 2, SOC 3 (covering 188 services as of Spring 2026)
  • ISO 9001, ISO 27001:2022, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 20000-1
  • CSA STAR CCM v4.0
  • FedRAMP (High, Moderate)
  • PCI DSS Level 1
  • FIPS 140-3 (upgraded from FIPS 140-2)
  • HIPAA
  • GDPR
  • NIST 800-171 (CMMC 2.0)
  • C5 (Cloud Computing Compliance Criteria Catalogue)
  • ITAR
  • MTCS Level 3
  • IRAP (Australia)

Compliance reports are available through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports and select online agreements.

Physical and Environmental Security

Storage Decommissioning

  • When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.
  • AWS uses the techniques detailed in NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process.
  • All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
  • Media that stored customer data is not removed from AWS control until it has been securely decommissioned.

Network Security

Amazon Corporate Segregation

  • AWS Production network is segregated from the Amazon Corporate network and requires a separate set of credentials for logical access.
  • Amazon Corporate network relies on user IDs, passwords, and Kerberos, while the AWS Production network requires SSH public-key authentication through a bastion host.

Network Monitoring & Protection

AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metrics thresholds for unusual activity.

AWS network provides protection against traditional network security issues:

  1. DDoS – AWS provides AWS Shield Standard (free, automatic L3/L4 DDoS protection for all AWS customers) and AWS Shield Advanced (paid, advanced L3/L4/L7 DDoS protection with 24/7 DDoS Response Team support, DDoS attack flow logs, and cost protection). AWS WAF now includes an Anti-DDoS Managed Rule Group (2025) for automatic application-layer (L7) DDoS mitigation.
  2. Man in the Middle attacks – AWS APIs are available via SSL/TLS-protected endpoints which provide server authentication. AWS Certificate Manager (ACM) provides free public SSL/TLS certificates.
  3. IP spoofing – AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
  4. Port Scanning – Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. When unauthorized port scanning is detected by AWS, it is stopped and blocked.
  5. Packet Sniffing by other tenants – It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. The Nitro System hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic.

Penetration Testing

Updated Policy: AWS no longer requires prior approval for penetration testing on the following permitted services:

  • Amazon EC2 instances, WAF, NAT Gateways, and Elastic Load Balancers
  • Amazon RDS
  • Amazon CloudFront
  • Amazon Aurora
  • Amazon API Gateway
  • AWS Lambda and Lambda@Edge functions
  • Amazon Lightsail
  • AWS Elastic Beanstalk

Prohibited Activities (still require AWS approval): DNS zone walking, DoS/DDoS attacks, port flooding, protocol flooding, request flooding.

Secure Design Principles

  • Secure software development best practices, which include formal design reviews by the AWS Security Team, threat modeling, and completion of a risk assessment
  • Static code analysis tools are run as a part of the standard build process
  • Recurring penetration testing performed by carefully selected industry experts
  • AWS Nitro System hardware-level isolation with formally verified components
  • Secure by Design principles documented in the 2024 AWS whitepaper “Building Security from the Ground Up”

AWS Account Security Features

AWS account security features include credentials for access control, HTTPS endpoints for encrypted data transmission, the creation of separate IAM user accounts, user activity logging for security monitoring, and Trusted Advisor security checks.

AWS Credentials

AWS IAM Credentials

Individual User Accounts

Do not use the Root account; instead create an IAM User for each user (or use AWS IAM Identity Center, formerly AWS SSO, for centralized workforce identity management) and provide them with a unique set of credentials with least-privilege access required to perform their job function.

Secure HTTPS Access Points

Use HTTPS (TLS 1.2 minimum, TLS 1.3 recommended), which all AWS services provide, for data transmission; TLS uses public-key cryptography to prevent eavesdropping, tampering, and forgery.

Security Logs

Use Amazon CloudTrail which provides logs of all requests for AWS resources within the account and captures information about every API call to every AWS resource you use, including sign-in events. CloudTrail logs can be sent to Amazon S3, CloudWatch Logs, or analyzed through Amazon Security Lake.

Trusted Advisor Security Checks

Use AWS Trusted Advisor which inspects your AWS environment and provides recommendations for cost optimization, performance, security, fault tolerance, service limits, and operational excellence. Security checks include open ports, MFA on root account, exposed access keys, and IAM usage.

AWS Security Services

AWS provides a comprehensive suite of security services that complement the infrastructure security:

Threat Detection & Monitoring

  • Amazon GuardDuty – Intelligent threat detection service that continuously monitors for malicious activity and unauthorized behavior. Features Extended Threat Detection (2024) using AI/ML to identify attack sequences.
  • AWS Security Hub – Centralized security posture management with near real-time risk analytics (GA Dec 2025). Unifies GuardDuty, Inspector, Macie, and IAM Access Analyzer findings. Extended plan (2026) offers full-stack enterprise security.
  • Amazon Detective – Analyzes and visualizes security data to investigate potential security issues and identify root cause.
  • AWS CloudTrail – Records API calls and account activity for governance, compliance, operational auditing, and risk auditing.

Identity & Access Management

  • AWS IAM – Manage access to AWS services and resources securely with users, groups, roles, and policies.
  • AWS IAM Identity Center (formerly AWS SSO) – Centrally manage workforce access to multiple AWS accounts and applications.
  • IAM Access Analyzer – Identifies external access, internal access, and unused access to your resources. Generates least-privilege policies based on CloudTrail activity.

Data Protection

  • AWS KMS – Create and manage encryption keys for data encryption across AWS services.
  • AWS CloudHSM – Hardware security modules for regulatory compliance requirements.
  • Amazon Macie – Uses machine learning to discover and protect sensitive data in S3.
  • AWS Certificate Manager (ACM) – Provision, manage, and deploy public and private SSL/TLS certificates.

Network & Application Protection

  • AWS WAF – Web application firewall to protect against common web exploits with Anti-DDoS Managed Rule Group.
  • AWS Shield – Standard (free) and Advanced DDoS protection.
  • AWS Network Firewall – Managed network firewall for VPC traffic filtering.
  • AWS Firewall Manager – Centrally configure and manage firewall rules across accounts.

Compliance & Governance

  • AWS Artifact – On-demand access to AWS compliance reports (SOC, ISO, PCI, etc.).
  • AWS Config – Assess, audit, and evaluate configurations of AWS resources.
  • AWS Audit Manager – Continuously audit AWS usage to simplify risk and compliance assessment.

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. In the shared security model, AWS is responsible for which of the following security best practices (check all that apply):
    1. Penetration testing
    2. Operating system account security management (User responsibility)
    3. Threat modeling
    4. User group access management (User responsibility)
    5. Static code analysis (AWS development cycle responsibility)
  2. You are running a web application on AWS consisting of the following components: an Elastic Load Balancer (ELB), an Auto Scaling group of EC2 instances running Linux/PHP/Apache, and Relational Database Service (RDS) MySQL. Which security measures fall into AWS’s responsibility?
    1. Protect the EC2 instances against unsolicited access by enforcing the principle of least-privilege access (User responsibility)
    2. Protect against IP spoofing or packet sniffing
    3. Assure all communication between EC2 instances and ELB is encrypted (User responsibility)
    4. Install latest security patches on ELB, RDS and EC2 instances (User responsibility for EC2 OS patches; AWS responsibility for ELB and RDS platform patches)
  3. In AWS, which security aspects are the customer’s responsibility? Choose 4 answers
    1. Controlling physical access to compute resources (AWS responsibility)
    2. Patch management on the EC2 instances operating system
    3. Encryption of EBS (Elastic Block Storage) volumes
    4. Life-cycle management of IAM credentials
    5. Decommissioning storage devices (AWS responsibility)
    6. Security Group and ACL (Access Control List) settings
  4. Per the AWS Acceptable Use Policy, penetration testing of EC2 instances:
    1. May be performed by AWS, and will be performed by AWS upon customer request.
    2. May be performed by AWS, and is periodically performed by AWS.
    3. Are expressly prohibited under all circumstances.
    4. May be performed by the customer on their own instances without prior authorization from AWS.
    5. May be performed by the customer on their own instances, only if performed from EC2 instances

    Note: AWS updated their penetration testing policy — prior approval is no longer required for permitted services including EC2, RDS, CloudFront, Aurora, API Gateway, Lambda, Lightsail, and Elastic Beanstalk. DoS/DDoS testing still requires approval.

  5. Which is an operational process performed by AWS for data security?
    1. AES-256 encryption of data stored on any shared storage device (User responsibility)
    2. Decommissioning of storage devices using industry-standard practices
    3. Background virus scans of EBS volumes and EBS snapshots (No virus scan is performed by AWS on User instances)
    4. Replication of data across multiple AWS Regions (AWS does not replicate data across regions unless done by User)
    5. Secure wiping of EBS data when an EBS volume is unmounted (data is not wiped off on EBS volume when unmounted and it can be remounted on other EC2 instance)
  6. Which AWS service provides on-demand access to AWS compliance reports such as SOC and ISO certifications?
    1. AWS Trusted Advisor
    2. AWS Config
    3. AWS Artifact
    4. Amazon Inspector
  7. Which of the following is a key security feature of the AWS Nitro System? (Select TWO)
    1. No administrative access to customer data is possible
    2. Automatic patching of customer operating systems
    3. Hardware-enforced isolation between instances
    4. Automatic encryption of all EBS volumes
    5. Built-in antivirus protection
  8. A company wants to centrally view and manage security findings across multiple AWS accounts. Which service should they use?
    1. Amazon GuardDuty
    2. AWS Security Hub
    3. AWS CloudTrail
    4. Amazon Detective
  9. Which AWS service provides intelligent threat detection by continuously monitoring for malicious activity using AI/ML?
    1. AWS WAF
    2. AWS Shield
    3. Amazon GuardDuty
    4. AWS Config
  10. Under the Shared Responsibility Model, for Amazon RDS, which of the following is the customer’s responsibility? (Select TWO)
    1. Patching the database engine (AWS responsibility for managed services)
    2. Managing database user accounts and permissions
    3. Physical security of the underlying hardware (AWS responsibility)
    4. Configuring Security Groups to control network access
    5. Replacing failed storage hardware (AWS responsibility)

References