AWS Certified Advanced Networking – Speciality (ANS-C00) Exam Learning Path

AWS Certified Advanced Networking – Specialty (ANS-C01) Exam Learning Path

⚠️ EXAM RETIREMENT NOTICE

AWS Certified Advanced Networking – Specialty (ANS-C01) is being retired. The last day to take the exam is August 25, 2026.

Certifications earned prior to retirement will remain active for the standard three-year period. New AWS Certified Advanced Networking – Specialty certifications will not be issued after the retirement date.

Note: The original ANS-C00 version was retired in July 2022 and replaced by ANS-C01. This page has been updated to reflect the current ANS-C01 exam content.

I recently cleared the AWS Certified Advanced Networking – Specialty (ANS-C01), which was my first, en route my path to the AWS Specialty certifications. Frankly, I feel the time I gave for preparation was still not enough, but I just about managed to get through. So a word of caution, this exam is inline or tougher than the professional exam especially for the reason that the Networking concepts it covers are not something you can get your hands dirty with easily.

AWS Certified Advanced Networking – Specialty (ANS-C01) exam focuses on AWS Networking concepts. It validates the ability to

  • Design, implement, manage, and secure AWS and hybrid network architectures at scale
  • Design and maintain network architecture for all AWS services
  • Leverage tools to automate AWS networking tasks
  • Implement network security, compliance, and governance controls

ANS-C01 Exam Domains

The ANS-C01 exam is structured into four domains (compared to six in the retired ANS-C00):

  • Domain 1: Network Design (30%) — Design solutions incorporating edge networking, DNS, load balancing, routing, and connectivity
  • Domain 2: Network Implementation (26%) — Implement routing, connectivity, multi-Region/multi-account solutions
  • Domain 3: Network Management and Operation (20%) — Maintain, monitor, and troubleshoot network solutions
  • Domain 4: Network Security, Compliance, and Governance (24%) — Implement and maintain network security controls

Refer to AWS Certified Advanced Networking – Specialty (ANS-C01) Exam Guide

AWS Certified Advanced Networking – Specialty (ANS-C01) Exam Resources

AWS Certified Advanced Networking – Specialty (ANS-C01) Exam Summary

  • AWS Certified Advanced Networking – Specialty exam covers extensive Networking concepts like VPC, VPN, Direct Connect, Transit Gateway, Route 53, ALB, NLB, Gateway Load Balancer, AWS Network Firewall, VPC Lattice, and Cloud WAN.
  • One of the key tactics when solving questions is to read the question and use paper and pencil to draw a rough architecture and focus on the areas that you need to improve. You will be able to eliminate 2 answers for sure and then need to focus on only the other two.
  • Be sure to cover the following topics
    • Networking & Content Delivery
      • You should know everything in Networking.
      • Understand VPC in depth
      • AWS Transit Gateway
        • Understand Transit Gateway as the primary hub-and-spoke architecture for connecting VPCs and on-premises networks (replaces Transit VPC pattern)
        • Know Transit Gateway route tables, associations, propagations, and peering across Regions
        • Understand Transit Gateway Connect attachments for SD-WAN integration using GRE tunnels and BGP
        • Know Transit Gateway Network Manager for global network visibility
      • AWS Cloud WAN
        • Know AWS Cloud WAN for building and managing global WANs using a central dashboard and network policies
        • Understand Core Network, segments, attachments, and policies
        • Know when to use Cloud WAN vs Transit Gateway (Cloud WAN for multi-Region global networks; Transit Gateway for single-Region hub-and-spoke)
        • Understand Service Insertion for centralized inspection architectures
      • Amazon VPC Lattice
        • Know Amazon VPC Lattice as an application-layer networking service for service-to-service connectivity
        • Understand service networks, services, target groups, and listeners
        • Know that VPC Lattice works across VPCs and accounts without requiring VPC peering or Transit Gateway
        • Understand the difference: VPC Lattice (Layer 7 application networking) vs Transit Gateway (Layer 3 network connectivity)
      • AWS VPC IPAM
        • Know VPC IP Address Manager (IPAM) for planning, tracking, and monitoring IP addresses at scale
        • Understand IPAM pools, scopes, and allocations across multi-account environments
      • Virtual Private Network to establish connectivity between on-premises data center and AWS VPC
        • Understand Site-to-Site VPN, accelerated VPN (using Global Accelerator), and VPN over Direct Connect
        • Know CloudHub for connecting multiple VPN sites
      • Direct Connect to establish connectivity between on-premises data center and AWS VPC and Public Services
        • Make sure you understand Direct Connect in detail — without this you cannot clear the exam
        • Understand Direct Connect connections – Dedicated (1, 10, 100, 400 Gbps) and Hosted connections
        • Understand how to create a Direct Connect connection (hint: LOA-CFA provides the details for partner to connect to AWS Direct Connect location)
        • Understand virtual interfaces options – Private VIF for VPC resources, Public VIF for public resources, and Transit VIF for Transit Gateway
        • Understand Route Propagation, propagation priority, BGP connectivity, and BFD (Bidirectional Forwarding Detection)
        • Understand High Availability options: Second Direct Connect connection, VPN as backup, or LAG (Link Aggregation Group)
        • Understand Direct Connect Gateway – provides connectivity to multiple VPCs across Regions from on-premises using a single DX connection
        • Know Direct Connect SiteLink – enables sending data between Direct Connect locations bypassing AWS Regions (site-to-site connectivity)
        • Understand Direct Connect + Cloud WAN integration (direct gateway association with Core Network)
        • Understand MACsec encryption for Direct Connect (Layer 2 encryption for dedicated connections)
      • Route 53
        • Understand Route 53 and Routing Policies and their use cases. Focus on Weighted, Latency, Geolocation, and Geoproximity routing policies
        • Understand Route 53 Split View DNS for same DNS to access a site externally and internally
        • Understand Route 53 Resolver – inbound/outbound endpoints for hybrid DNS resolution between on-premises and AWS
        • Know Route 53 Resolver DNS Firewall – filters outbound DNS queries, blocks malicious domains, prevents DNS tunneling and DGA attacks
        • Know Route 53 Resolver DNS Firewall Advanced (launched Nov 2024) – provides intelligent protection with real-time threat detection
      • Understand CloudFront and use cases including Origin Shield and real-time logs
      • AWS Global Accelerator
        • Know Global Accelerator for improving global application availability and performance using the AWS global network
        • Understand the difference between CloudFront (content caching/CDN) and Global Accelerator (network-layer acceleration with static anycast IPs)
        • Know dual-stack support for NLB endpoints
      • Load Balancer
        • Understand ALB, NLB, and Gateway Load Balancer (GWLB)
        • Understand the difference: ALB (Layer 7 – content, host, path-based routing), NLB (Layer 4 – static IP, ultra-low latency, TLS passthrough), GWLB (Layer 3 – transparent network gateway for third-party appliances)
        • Know Gateway Load Balancer for deploying, scaling, and managing third-party virtual appliances (firewalls, IDS/IPS) with GENEVE encapsulation
        • Know how to design VPC CIDR block with NLB (Hint – minimum number of IPs required are 8)
        • Know how to pass original Client IP to the backend instances (Hint – X-Forwarded-For for ALB, Proxy Protocol for NLB, and client IP preservation for GWLB)
      • Know WorkSpaces requirements and setup
    • Security
      • AWS Network Firewall
        • Know AWS Network Firewall as a managed stateful network firewall and IDS/IPS for VPCs
        • Understand rule groups (stateless and stateful), firewall policies, and deployment models (centralized, distributed)
        • Know integration with Gateway Load Balancer for centralized inspection architectures
      • AWS Verified Access
        • Know AWS Verified Access for secure application access without VPN using Zero Trust principles
        • Evaluates each request based on user identity and device health rather than network location
        • Now supports non-HTTP(S) protocols (announced re:Invent 2024)
      • Know AWS GuardDuty as managed threat detection service
      • Know AWS Shield esp. Shield Advanced and features (DDoS cost protection, SRT access, advanced mitigation)
      • Know WAF as Web Traffic Firewall — (Hint – WAF can be attached to CloudFront, ALB, API Gateway, AppSync, and Cognito User Pools)
      • Know AWS Firewall Manager for centrally managing firewall rules across accounts and resources in AWS Organizations

Key Differences: ANS-C01 vs ANS-C00

  • Structure: ANS-C01 has 4 domains (vs 6 in ANS-C00) — more streamlined and focused
  • New Services: Transit Gateway, Cloud WAN, VPC Lattice, IPAM, Network Firewall, Gateway Load Balancer, Global Accelerator, Verified Access, Route 53 Resolver endpoints
  • Deprecated Patterns: Transit VPC pattern replaced by Transit Gateway; complex VPN hub-and-spoke designs replaced by Transit Gateway with Cloud WAN
  • Emphasis Changes: Greater focus on multi-account/multi-Region networking, Zero Trust architecture, network automation, and centralized security
  • Direct Connect: Transit VIF, SiteLink, MACsec encryption, 400 Gbps connections, and Cloud WAN integration are new topics

GCP Associate Cloud Engineer Certification Path

Google Cloud - Associate Cloud Engineer

Google Cloud – Associate Cloud Engineer Certification learning path

📋 Last Updated: June 2026 — This guide has been updated to reflect the current ACE exam guide, including Cloud Run, Spot VMs, AlloyDB, Terraform/IaC tools, and the deprecation of Deployment Manager.

Google Cloud – Associate Cloud Engineer certification exam is for individuals who deploy applications, monitor operations, and manage enterprise solutions on Google Cloud. The exam validates production-ready skills including deploying and securing applications, configuring networks and IAM, monitoring systems, and automating routine tasks.

Google Cloud – Associate Cloud Engineer Certification Summary

  • Has 50-60 questions (typically ~50) to be answered in 2 hours.
  • Registration fee: $125 (plus tax where applicable).
  • Available in English, Japanese, Spanish, and Portuguese.
  • Covers wide range of Google Cloud services and what they actually do. It focuses heavily on IAM, Compute (including Cloud Run and Cloud Functions), Storage with networking and monitoring/observability.
  • Hands-on is a must. Covers Cloud SDK, CLI commands and Console operations that you would use for day-to-day work. If you have not worked on GCP before make sure you do lot of labs else you would be absolute clueless for some of the questions and commands.
  • The exam includes multiple-select questions where you must choose 2 or 3 correct answers from 4-5 options.
  • Make sure you understand Infrastructure as Code tools (Terraform, Config Connector) as Deployment Manager has been deprecated.

Google Cloud – Associate Cloud Engineer Certification Topics

General Services

  • Cloud Billing
    • Understand how Cloud Billing works. Monthly vs Threshold and which has priority
    • Budgets can be set to alert for projects
    • How to change a billing account for a project and what roles you need. Hint – Project Owner and Billing Administrator for the billing account
    • Cloud Billing can be exported to BigQuery and Cloud Storage
  • Resource Manager
    • Understand Resource Manager the hierarchy Organization -> Folders -> Projects -> Resources
    • IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
    • Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
    • Understand organizational policies and how they constrain resource configurations across the hierarchy.
  • Cloud SDK
    • Understand gcloud commands esp. when dealing with
      • configurations i.e. gcloud config
        • activate profiles – gcloud config configurations activate
        • GKE setting default cluster i.e. gcloud config set container/cluster CLUSTER_NAME
        • set project gcloud config set project mygcp-demo
        • set region gcloud config set compute/region us-west1
        • set zone gcloud config set compute/zone us-west1-a
      • Get project list and ids gcloud projects list
      • Auth i.e gcloud auth
        • Auth login using user gcloud auth login
        • Auth login using service account gcloud auth activate-service-account --key-file=sa_key.json
      • VPC firewalls i.e. gcloud compute firewall-rules

Network Services

  • Virtual Private Cloud
    • Understand Virtual Private Cloud (VPC), subnets and host applications within them. Hint – VPC spans across regions
    • Understand how Firewall rules work and how they are configured. Hint – Focus on Network Tags and Service Accounts for targeting. Also, there are 2 implicit firewall rules – default ingress deny and default egress allow
    • Understand creating ingress and egress firewall rules and policies (IP subnets, network tags, service accounts)
    • Understand VPC Peering and Shared VPC
    • Understand the concept of internal and external IPs and difference between static and ephemeral IPs
    • Primary IP range of an existing subnet can be expanded by modifying its subnet mask, setting the prefix length to a smaller number.
    • Understand Cloud DNS and Cloud NAT configuration and management.
  • Cloud Load Balancing
    • Understand Google Cloud Load Balancing
    • Know load balancer options and differences esp. HTTPS and SSL proxy when handling SSL termination.
    • Understand Network Service Tiers (Premium vs Standard) and their impact on routing and availability.

Identity Services

  • Identity and Access Management – IAM
    • Identity and Access Management – IAM provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
    • Understand how IAM works and how rules apply esp. the hierarchy from Organization -> Folder -> Project -> Resources
    • Understand the difference between Basic (formerly Primitive), Predefined and Custom roles and their use cases
    • IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
    • Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
    • Basically Permissions -> Roles -> (IAM Policy) -> Members (Principals)
    • Need to know and understand the roles for the following services at least
      • Cloud Storage – Admin vs Creator vs Viewer
      • Compute Engine – Admin vs Instance Admin
      • Spanner – Viewer vs Database User
      • BigQuery – User vs JobUser
    • Know how to copy roles to different projects or organization. Hint – gcloud iam roles copy
    • Know how to use service accounts with applications
    • Understand service account impersonation and creating short-lived credentials
    • Apply principle of least privilege when assigning service accounts to resources
  • Cloud Identity
    • Cloud Identity provides IDaaS (Identity as a Service) and provides single sign-on functionality and federation with external identity providers like Active Directory.
    • Know how to manage users and groups in Cloud Identity (manually and automated)

Compute Services

  • Make sure you know all the compute services: Compute Engine, App Engine, Google Kubernetes Engine, Cloud Run, and Cloud Functions. They are heavily covered in the exam.
  • Google Compute Engine
    • Google Compute Engine is the best IaaS option for compute and provides fine-grained control
    • Know how to create a Compute Engine instance, connect to it using Cloud Shell or SSH keys
    • Difference between backups and images and how to create instances from the same.
    • Instance templates with managed instance groups. Instance template cannot be edited, create a new one and attach.
    • Difference between managed vs unmanaged instance groups and auto-healing feature
    • Spot VMs (replacement for Preemptible VMs) and their use cases. HINT – Spot VMs can be terminated any time when Compute Engine needs resources, but unlike Preemptible VMs they have NO 24-hour maximum lifetime. Same pricing model as Preemptible VMs. Google recommends using Spot VMs instead of Preemptible VMs for new workloads.
    • Understand custom machine types for right-sizing compute resources
    • Upgrade an instance without downtime using Live Migration
    • Managing access using OS Login or project and instance metadata
    • Configure VM Manager for OS patch management and compliance
    • Prevent accidental deletion using deletion protection flag
    • In case of any issues or errors, how to debug the same
  • Google App Engine
    • Google App Engine is mainly the best option for PaaS with platforms supported and features provided.
    • Deploy an application with App Engine and understand how versioning and rolling deployments can be done
    • Understand how to keep auto scaling and traffic splitting and migration.
    • Know App Engine is a regional resource and understand the steps to migrate or deploy application to different region and project.
    • Know the difference between App Engine Flexible vs Standard
  • Google Kubernetes Engine (GKE)
    • Google Kubernetes Engine enables you to run containers on Google Cloud Platform.
    • GKE takes care of provisioning and maintaining the underlying virtual machine cluster, scaling your application, and operational logistics such as logging, monitoring, and cluster health management.
    • Be sure to Create a Kubernetes Cluster and configure it to host an application
    • Understand different cluster configurations: Autopilot (fully managed, recommended for most workloads), Standard, regional clusters, and private clusters
    • Understand GKE Enterprise for multi-cluster management
    • Understand how to make the cluster auto-repairable and upgradable. Hint – Node auto-upgrades and auto-repairing feature
    • Very important to understand where to use gcloud commands (to create a cluster) and kubectl commands (manage the cluster components)
    • Very important to understand how to increase cluster size, enable autoscaling, and manage node pools (add, edit, remove)
    • Know how to manage secrets like database passwords
    • Understand Horizontal and Vertical Pod Autoscaler configurations
    • Know how to configure GKE to access Artifact Registry for container images
  • Cloud Run
    • Cloud Run is a fully managed serverless platform for running containerized applications.
    • Deploy containerized applications without managing infrastructure
    • Understand traffic splitting between revisions for canary deployments
    • Configure scaling parameters (min/max instances, concurrency)
    • Understand event-driven architecture with Eventarc and Pub/Sub triggers
    • Know when to choose Cloud Run vs App Engine vs GKE vs Cloud Functions
  • Cloud Functions
    • Cloud Functions is a serverless execution environment for building and connecting cloud services.
    • Best for event-driven, single-purpose functions (e.g., responding to Cloud Storage events, Pub/Sub messages)
    • Understand triggers: HTTP, Pub/Sub, Cloud Storage, Eventarc
    • Know the difference between Cloud Functions and Cloud Run for serverless workloads

Storage Services

  • Understand each storage service options and their use cases.
  • Cloud Storage
    • Cloud Storage is cost-effective object storage for unstructured data.
    • Very important to know the different storage classes and their use cases:
      • Standard (frequent access — replaces the legacy Regional and Multi-Regional classes)
      • Nearline (access less than once per 30 days)
      • Coldline (access less than once per 90 days)
      • Archive (access less than once per year — coldest tier, ideal for long-term retention and compliance)
    • Understand lifecycle management. HINT – Changes are in accordance to object creation date
    • Understand Signed URL to give temporary access and the users do not need to be GCP users
    • Understand access control and permissions – IAM vs ACLs (fine-grained control). IAM is recommended for uniform bucket-level access.
    • Understand best practices esp. uploading and downloading the data. HINT using parallel composite uploads
  • Relational Databases
    • Cloud SQL
      • Cloud SQL is a fully-managed service that provides MySQL, PostgreSQL, and SQL Server
      • Supports up to 64TB storage and is a regional service.
      • Difference between Failover and Read replicas. Failover provides High Availability and almost zero downtime while Read replicas provide scalability. Cross-region Read Replicas are supported.
      • Perform Point-In-Time recovery. Hint – requires binary logging and backups
    • AlloyDB for PostgreSQL
      • AlloyDB is a fully managed, PostgreSQL-compatible database designed for demanding enterprise workloads.
      • Provides up to 4x faster transactional performance than standard PostgreSQL.
      • Features automatic storage scaling, columnar engine for analytics, and 99.99% availability SLA.
      • Best for enterprise applications needing PostgreSQL compatibility with superior performance and availability.
      • Now included in the ACE exam guide as a data solution option.
    • Cloud Spanner
      • Is a fully managed, mission-critical relational database service.
      • Provides a scalable online transaction processing (OLTP) database with high availability and strong consistency at global scale.
      • Globally distributed and can scale and handle more than 10TB.
      • Not a direct replacement for Cloud SQL and would need migration.
  • NoSQL Databases
    • Firestore
      • Highly scalable and serverless NoSQL document database with MongoDB compatibility.
      • Suitable for mobile, web, and IoT applications requiring real-time sync.
      • Now included in the ACE exam guide as both a deployment and management topic.
    • Bigtable
      • Cloud-native wide-column database for large-scale, low-latency workloads (IoT, analytics, time-series data).
  • Data Warehousing
    • BigQuery
      • Provides scalable, fully managed enterprise data warehouse (EDW) with SQL and fast ad-hoc queries.
      • Remember it is most suitable for historical analysis and analytics.
      • Know how to perform a preview or dry run. Hint – price is determined by bytes read not bytes returned.
      • Supports federated tables or external tables that can support Cloud Storage, Bigtable, Google Drive and Cloud SQL.
      • Understand how to review job status and estimate costs.

Data Services

  • Although there are only a few references to data services in the exam, it is important to know the data analytics stack to understand which service fits the different layers of ingest, store, process, and analytics:
    • Cloud Storage as the medium to store data as a data lake
    • Pub/Sub as the messaging service to capture real-time data esp. IoT. Designed to provide reliable, many-to-many, asynchronous messaging between applications.
    • Dataflow to process, transform, and transfer data — the key service for stream and batch processing pipelines.
    • BigQuery for storage and analytics. Remember BigQuery provides a cost-effective option for storage similar to Cloud Storage.
    • Managed Service for Apache Spark (formerly Cloud Dataproc) for existing Hadoop/Spark jobs. Hint – Use it to replace existing Hadoop infrastructure. Renamed from Dataproc in 2025.

⚠️ Deprecated Data Services:

  • Cloud Datalab — Deprecated since September 2, 2022. Replaced by Vertex AI Workbench for interactive data exploration, analysis, and visualization.
  • Cloud Dataprep — Now “Dataprep by Trifacta” (operated by Alteryx). Consider Cloud Data Fusion for data preparation and integration on Google Cloud.

Monitoring and Observability

  • Google Cloud Operations Suite (formerly Stackdriver)
    • The suite includes Cloud Monitoring, Cloud Logging, Cloud Trace, Cloud Profiler, and Error Reporting.
    • Create Cloud Monitoring alerts based on resource metrics
    • Create and ingest custom metrics (from applications or logs)
    • Export logs to external systems (on-premises, BigQuery)
    • Configure log buckets, log analytics, and log routers
    • View and filter logs in Cloud Logging; view specific log message details
    • Use cloud diagnostics to research application issues
    • Configure and deploy Ops Agent (replaces the legacy Monitoring and Logging agents)
    • Deploy Managed Service for Prometheus for Kubernetes workload monitoring
    • Configure audit logs for security and compliance
    • Remember audits and troubleshooting primarily involve checking Cloud Logging and Cloud Monitoring

DevOps and Infrastructure as Code

  • Infrastructure as Code (IaC)
    • The ACE exam now focuses on modern IaC tooling:
    • Terraform — The recommended IaC tool for Google Cloud. Supports declarative infrastructure provisioning with HCL.
    • Infrastructure Manager — Google Cloud’s managed Terraform service for deploying and managing infrastructure.
    • Config Connector — Kubernetes add-on for managing Google Cloud resources using Kubernetes-style YAML.
    • Cloud Foundation Toolkit — Reference templates and best practices for Terraform deployments.
    • Helm — Package manager for Kubernetes applications.

⚠️ Deployment Manager — DEPRECATED

Google Cloud Deployment Manager support ended December 31, 2025 and reached End of Life on March 31, 2026.

Migration Options:

  • Terraform (recommended) — Multi-cloud support, richer module ecosystem, expressive configuration language
  • Infrastructure Manager — Google Cloud’s managed Terraform service
  • Config Connector — For Kubernetes-native resource management

The ACE exam guide now references Terraform, Config Connector, Cloud Foundation Toolkit, and Helm as IaC tools instead of Deployment Manager.

  • Google Cloud Marketplace (formerly Cloud Launcher)
    • Provides a way to launch common software packages (e.g., Jenkins, WordPress) and stacks on Google Compute Engine with just a few clicks — a prepackaged solution.
    • Can help minimize deployment time and can be used without detailed knowledge about the product.

Google Cloud – Associate Cloud Engineer Certification Exam Domains (2025/2026)

The current exam guide covers five sections:

  • Section 1: Setting up a cloud solution environment (~20%) — Resource hierarchy, organizational policies, IAM roles, Cloud Identity, billing configuration
  • Section 2: Planning and configuring a cloud solution (~17.5%) — Compute choices (Compute Engine, GKE, Cloud Run, Cloud Functions), data storage options, network resources
  • Section 3: Deploying and implementing a cloud solution (~25%) — Compute Engine, GKE (Autopilot, regional, private clusters), Cloud Run & Cloud Functions, data solutions (Cloud SQL, Firestore, BigQuery, Spanner, AlloyDB, Pub/Sub, Dataflow), networking, IaC (Terraform, Config Connector, Helm)
  • Section 4: Ensuring successful operation (~20%) — Managing Compute Engine, GKE, Cloud Run resources; storage/database management; networking; monitoring and logging (Ops Agent, Managed Prometheus)
  • Section 5: Configuring access and security (~17.5%) — IAM policies, role types, service accounts, impersonation, short-lived credentials

Google Cloud – Associate Cloud Engineer Certification Resources

GCP Professional Data Engineer Certification Path

Google Cloud – Professional Data Engineer Certification Learning Path

I just recertified on my Google Cloud Certified – Professional Data Engineer certification. The first attempt on the Data Engineer exam has already been 2 long years which lasted for 4 hours with 95 questions. Once again, similar to the other Google Cloud certification exams, the Data Engineer exam covers not only the gamut of services and concepts but also focuses on logical thinking and practical experience.

📋 2025-2026 Exam Update Notice

The Professional Data Engineer exam has been significantly updated. Key changes include:

  • Increased focus on data governance (Dataplex), data lakehouse architecture (BigLake), Looker/Looker Studio for visualization, and Vertex AI for ML.
  • Reduced focus on deep ML concepts (overfitting, hyperparameters), Compute Engine/GKE, and command-line syntax.
  • New services covered: Dataplex Universal Catalog, BigLake, Analytics Hub, Dataform, Vertex AI (replacing AI Platform/Cloud ML Engine).
  • Deprecated services removed: Cloud Datalab (replaced by Vertex AI Workbench), Pub/Sub Lite (EOL March 2026), Data Catalog (replaced by Dataplex Knowledge Catalog).
  • Rebranding: Cloud DLP is now Sensitive Data Protection; Stackdriver is fully replaced by Cloud Monitoring/Logging; Vertex AI is now Gemini Enterprise Agent Platform.

Google Cloud – Professional Cloud Data Engineer Certification Summary

  • Cloud Data Engineer exam has 50 to 60 questions to be answered in 2 hours
  • Covers a wide range of data services including machine learning, with other topics covering storage, security, and data governance.
  • Exam does not cover any case studies
  • The exam has been updated to reflect current service names — Cloud Monitoring and Cloud Logging (no longer Stackdriver).
  • Strong focus on BigQuery, Dataflow, Pub/Sub, Dataproc, Cloud Composer, Looker, and Vertex AI.
  • Nothing much on Compute and Network is covered
  • Questions sometimes test your logical thinking rather than any concept regarding Google Cloud.
  • Hands-on is MUST, if you have not worked on GCP before make sure you do lots of labs else you would be absolutely clueless about some of the questions and commands
  • Be sure that NO Online Courses or Practice tests are going to cover all. Hands-on or practical knowledge is MUST.

Google Cloud – Professional Cloud Data Engineer Certification Resources

Google Cloud – Professional Cloud Data Engineer Certification Topics

Data & Analytics Services

  • Obviously, there are lots and lots of data and related services
  • Google Cloud Data & Analytics Services Cheatsheet
  • Know the Big Data stack and understand which service fits the different layers of ingest, store, process, analytics
  • Cloud BigQuery
    • provides scalable, fully managed enterprise data warehouse (EDW) with SQL and fast ad-hoc queries.
    • ideal for storage and analytics.
    • provides the same cost-effective option for storage as Cloud Storage
    • understand BigQuery Security
      • use BigQuery IAM access roles to control data and querying access
      • use Authorized views to access control tables, columns within tables, and query results. HINT: Authorized views need to reside in a different dataset as compared to the source dataset.
      • support data encryption
    • understand BigQuery Best Practices including key strategy, cost optimization, partitioning, and clustering
      • use dry run to estimate costs
      • use partitioning and clustering to limit the amount of data scanned
      • using external data sources might result in query performance degradation and its better to import the data
    • Dataset location can be set ONLY at the time of its creation.
    • supports schema auto-detection for JSON and CSV files.
    • understand how BigQuery Streaming works
    • know BigQuery limitations esp. with updates and inserts
    • supports an external data source (federated data source)
      • which is a data source that can be queried directly even though the data is not stored in BigQuery.
      • offers support for querying data directly from:
        • Cloud Bigtable
        • Cloud Storage
        • Google Drive
        • Cloud SQL
      • Use Permanent table for querying an external data source multiple times
      • Use Temporary table for querying an external data source for one-time, ad-hoc queries over external data, or for extract, transform, and load (ETL) processes.
    • BigQuery Studio (launched 2023) provides a unified workspace with SQL and notebook (Colab Enterprise) interfaces for data engineers, analysts, and scientists to perform end-to-end data tasks.
    • BigQuery editions (Standard, Enterprise, Enterprise Plus) provide flexible compute pricing with autoscaling slots, replacing the legacy flat-rate pricing model.
    • BI Engine provides fast in-memory analysis for sub-second query performance on dashboards connected to BigQuery.
  • Cloud Bigtable
    • provides column database suitable for both low-latency single-point lookups and precalculated analytics
    • understand Bigtable is not for long term storage as it is quite expensive
    • know the differences with HBase
    • Know how to measure performance and scale
    • supports Development and Production mode. Development mode can be upgraded to production and not vice versa.
    • supports HDD and SDD storage during cluster creation. HDD can be converted to SDD by exporting the data to the new instance.
    • understand Bigtable Replication. Can be used to separate real-time and batch workloads on the same instance using application profiles.
  • Cloud Pub/Sub
    • as the messaging service to capture real-time data esp. IoT
    • is designed to provide reliable, many-to-many, asynchronous messaging between applications esp. real-time IoT data capture
    • now supports exactly-once delivery (when subscribers connect in the same region), in addition to the default at-least-once delivery.
    • how it compares to Kafka (HINT: Pub/Sub provides only 7 days of retention vs Kafka which depends on the storage)
    • Note: Pub/Sub Lite has been deprecated (no new customers after Sept 24, 2024; EOL March 18, 2026). Use standard Pub/Sub instead.
  • Cloud Dataflow
    • to process, transform, transfer data and the key service to integrate store and analytics.
    • know how to improve a Dataflow performance
    • understand Apache Beam features as well
      • understand PCollections, Transforms, ParDo and what they do
      • understand windowing, watermarks, triggers Hint: windowing and watermarks can be used to handle delayed messages
    • supports drain feature to finish existing jobs but stop processing new ones, usually useful for deploying incompatible breaking changes
    • canceling a job will lead to an immediate stop and in-flight data loss.
    • Note: Dataflow SQL has been deprecated (July 2024, shutdown Jan 2025). Use standard Dataflow with Apache Beam SDK instead.
  • Cloud Dataprep (by Trifacta/Alteryx)
    • to clean and prepare data. It can be used for anomaly detection.
    • does not need any programming language knowledge and can be done through the graphical interface
    • be sure to know or try hands-on on a dataset
    • Note: Now operated by Alteryx. For new projects, consider Dataform (integrated into BigQuery) for SQL-based data transformations.
  • Cloud Dataproc
    • to handle existing Hadoop/Spark jobs
    • supports connector for BigQuery, Bigtable, Cloud Storage
    • supports Ephemeral clusters and with Cloud Storage connector support the data can be stored in GCS instead of HDFS
    • you need to know how to improve the performance of the Hadoop cluster as well :). Know how to configure the Hadoop cluster to use all the cores (hint- spark executor cores) and handle out of memory errors (hint – executor memory)
    • Secondary workers can be used to scale with the below limitations
      • Processing only with no data storage
      • No secondary-worker-only clusters
      • Persistent disk size is used for local caching of data and is not available through HDFS.
    • how to install other components (hint – initialization actions)
    • Dataproc Serverless allows running Spark batch workloads and interactive sessions without managing clusters.
  • Vertex AI Workbench
    • is the interactive notebook-based environment for data exploration, transformation, analysis, and visualization on Google Cloud
    • replaces the deprecated Cloud Datalab (deprecated Sept 2022)
    • provides managed and user-managed notebook instances with JupyterLab
    • integrates with BigQuery, Dataproc, and other GCP services
  • Cloud Composer
    • fully managed workflow orchestration service, based on Apache Airflow, enabling workflow creation that spans across clouds and on-premises data centers.
    • pipelines are configured as directed acyclic graphs (DAGs)
    • workflow lives on-premises, in multiple clouds, or fully within GCP.
    • provides the ability to author, schedule, and monitor the workflows in a unified manner
    • Composer 2 (current) provides autoscaling, better resource management, and improved performance over Composer 1.

Data Governance & Catalog Services

  • Dataplex
    • intelligent data fabric that enables organizations to centrally manage, monitor, and govern data across data lakes, data warehouses, and data marts.
    • organizes data into Lakes, Zones, and Assets for logical data management.
    • provides unified access management across BigQuery, Cloud Storage, and other services.
    • supports data quality rules and automated data profiling.
    • Dataplex Knowledge Catalog (formerly Dataplex Universal Catalog, replacing deprecated Data Catalog) provides metadata management, data discovery, and governance features.
    • Understand data mesh architecture patterns with Dataplex — the exam tests when data mesh is the right answer.
  • BigLake
    • unified storage engine that extends BigQuery’s fine-grained security and governance to multi-cloud and open-format data.
    • creates a unified interface over data stored in Cloud Storage (and even AWS S3 or Azure ADLS).
    • supports formats like Parquet, ORC, Avro, and Apache Iceberg.
    • enables applying BigQuery column-level security and row-level access policies to data lake files.
  • Analytics Hub
    • centralized platform for sharing BigQuery datasets securely, both within and across organizations.
    • enables data providers to list datasets and data consumers to subscribe under governed access controls.
    • supports private data exchanges for internal organizational sharing.
  • Dataform
    • integrated into BigQuery for SQL-based data transformation and pipeline management.
    • supports version control (Git), testing, and documentation for data pipelines.
    • alternative to dbt for BigQuery-native SQL workflow orchestration.

Identity Services

  • Cloud IAM
    • provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
    • Understand how IAM works and how rules apply esp. the hierarchy from Organization -> Folder -> Project -> Resources
    • Understand IAM Best practices

Storage Services

  • Understand each storage service option and its use cases.
  • Cloud Storage
    • cost-effective object storage for unstructured data.
    • very important to know the different classes and their use cases:
      • Standard — frequent access (hot data)
      • Nearline — monthly access (30-day minimum storage)
      • Coldline — quarterly access (90-day minimum storage)
      • Archive — yearly access (365-day minimum storage, lowest cost)
    • Autoclass automatically transitions objects between storage classes based on access patterns, eliminating retrieval and early-deletion charges.
    • Understand Signed URL to give temporary access and the users do not need to be GCP users
    • Understand permissions – IAM vs ACLs (fine-grained control). Note: Uniform bucket-level access is now the recommended default over ACLs.
  • Cloud SQL
    • is a fully-managed service that provides MySQL, PostgreSQL, and SQL Server.
    • supports Enterprise and Enterprise Plus editions with different performance tiers.
    • Limited to 64TB storage and is a regional service.
    • No direct options for Oracle yet.
  • AlloyDB for PostgreSQL
    • fully managed PostgreSQL-compatible database with up to 4x faster performance than standard PostgreSQL for transactional workloads and up to 100x faster for analytical queries.
    • integrates with Vertex AI for built-in vector search and AI capabilities.
    • ideal for demanding enterprise workloads requiring PostgreSQL compatibility with enhanced performance.
  • Cloud Spanner
    • is a fully managed, mission-critical relational database service.
    • provides a scalable online transaction processing (OLTP) database with high availability and strong consistency at a global scale.
    • globally distributed and can scale and handle more than 10TB.
    • now supports PostgreSQL interface for familiar tooling and migration.
    • supports Spanner Graph, full-text search, and vector search (2024-2025) making it a multi-model database.
    • not a direct replacement for Cloud SQL and would need migration
  • Cloud Firestore (Datastore mode)
    • provides document database for web and mobile applications. Datastore mode is not for analytics.
    • Firestore in Datastore mode is the recommended successor to the legacy Cloud Datastore.
    • Understand Datastore indexes and how to update indexes for Datastore
    • Firestore now offers Standard and Enterprise editions with enhanced features.

Machine Learning

  • Google expects the Data Engineer to know some of the Data scientists stuff, though the depth has been reduced in the current exam.
  • Understand the different algorithms
    • Supervised Learning (labeled data)
      • Classification (for e.g. Spam or Not)
      • Regression (for e.g. Stock or House prices)
    • Unsupervised Learning (Unlabelled data)
      • Clustering (for e.g. categories)
    • Reinforcement Learning
  • Vertex AI (now rebranded as Gemini Enterprise Agent Platform)
    • Unified ML platform replacing the legacy AI Platform and Cloud ML Engine.
    • provides end-to-end ML workflow: data preparation, training, deployment, and monitoring.
    • Vertex AI Workbench for notebook-based development (replaces Cloud Datalab).
    • AutoML for building models without extensive ML expertise.
    • Vertex AI Pipelines for orchestrating ML workflows.
    • Model Registry for versioning and managing models.
    • Access to Gemini foundation models for generative AI use cases.
  • Know the Cloud AI products which include
    • Cloud Vision AI
    • Cloud Natural Language AI
    • Cloud Speech-to-Text
    • Cloud Video Intelligence AI
    • Dialogflow (conversational AI)

Monitoring

  • Cloud Monitoring and Cloud Logging (formerly Stackdriver)
    • provides monitoring, alerting, error reporting, metrics, diagnostics, debugging, and trace capabilities.
    • remember audits are mainly checking Cloud Logging entries (Audit Logs)
    • Aggregated sink can route log entries from the organization or folder, plus (recursively) from any contained folders, billing accounts, or projects
    • Cloud Logging supports log-based metrics for creating dashboards and alerts.

Security Services

  • Sensitive Data Protection (formerly Cloud Data Loss Prevention / Cloud DLP)
    • to handle sensitive data esp. redaction of PII data.
    • provides discovery, classification, and de-identification of sensitive data inside and outside Google Cloud.
    • integrated with Security Command Center for risk assessment.
  • understand Encryption techniques
    • Google-managed encryption keys (default)
    • Customer-managed encryption keys (CMEK) via Cloud KMS
    • Customer-supplied encryption keys (CSEK)

Data Transfer Services

  • Storage Transfer Service
    • allows import of large amounts of data into Google Cloud Storage, quickly and cost-effectively.
    • supports transfers from AWS S3, Azure Blob Storage, HTTP/HTTPS locations, other GCS buckets, and on-premises file systems (via agent-based transfers).
    • recommended for transferring more than 1 TB from on-premises or cloud sources.
  • Transfer Appliance
    • to transfer large amounts of data (hundreds of TB to PB) quickly and cost-effectively into Google Cloud Platform via physical appliance.
    • Check for the data size — typically used when network transfer would take too long.
  • BigQuery Data Transfer Service
    • to integrate with third-party services (e.g., Google Ads, YouTube, Amazon S3, Teradata) and load data into BigQuery on a scheduled basis.

Visualization & BI

  • Looker Studio (formerly Google Data Studio)
    • free, self-service BI tool for creating interactive dashboards and reports.
    • connects directly to BigQuery and other data sources.
    • can use BigQuery BI Engine for sub-second query performance.
  • Looker
    • enterprise BI platform with LookML modeling language for governed metrics.
    • provides semantic layer, embedded analytics, and data applications.
    • integrated with BigQuery for governed, reusable analytics.

GCP Professional Cloud Architect Certification Path

Google Cloud - Professional Cloud Architect certificate

Google Cloud – Professional Cloud Architect Certification Learning Path

🔄 Last Updated: June 2026 — This post has been updated to reflect the new PCA exam format (v6.1, released October 30, 2025), new case studies, AI/ML content additions, service rebrandings, and the transition to Pearson as exam delivery provider (March 2026).

Re-certified !!!! Google Cloud – Professional Cloud Architect certification exam is one of the toughest exam I have appeared for. Even though it was recertification, the preparation level was same as the first one. The gamut of services and concepts it tests your knowledge on is really vast.

Google Cloud – Professional Cloud Architect Certification Summary

  • Has 50 questions to be answered in 2 hours.
  • Registration fee is $200 (plus tax where applicable).
  • Covers wide range of Google Cloud services and what they actually do.
  • includes Compute, Storage, Network, Data services, and now AI/ML services (Vertex AI, Gemini)
  • The exam was significantly updated in October 2025 (v6.1) to include the Google Cloud Well-Architected Framework and AI/ML integration topics.
  • Questions sometimes tests your logical thinking rather than any concept regarding Google Cloud.
  • Hands-on is a MUST, if you have not worked on GCP before make sure you do lots of labs else you would be absolute clueless for some of the questions and commands
  • Make sure you cover the case studies before hand. The exam includes ~15 questions based on case studies and it can really be a savior for you in the exams.
  • Be sure that NO Online Course or Practice tests is going to cover all. Hands-on or practical knowledge is MUST.
  • Exam Delivery: As of March 2026, exams are delivered through Pearson VUE (previously Kryterion). Exams can be taken onsite at test centers or remotely.

Google Cloud – Professional Cloud Architect Exam Updates (October 2025 – v6.1)

  • AI Content Expansion: Two new sections (2.4, 2.5) focused on Vertex AI, including AutoML, custom training, and model deployment.
  • Well-Architected Framework: Now required knowledge; questions focus on operational excellence, security, reliability, cost optimization, and performance pillars.
  • New Case Studies: EHR Healthcare retained; three new scenarios added — Altostrat Media, Cymbal Retail, and KnightMotives Automotive (all with AI integration).
  • ~30% new topics compared to the previous version; some older topics have been deprioritized.
  • Service Rebrandings: Be aware of Dataproc → Managed Service for Apache Spark, Cloud Functions → Cloud Run functions, Container Registry → Artifact Registry.

Google Cloud – Professional Cloud Architect Certification Resources

Google Cloud – Professional Cloud Architect Certification Topics

General Services

  • Cloud Billing
    • understand how Cloud Billing works. Monthly vs Threshold and which has priority
    • Budgets can be set to alert for projects
    • how to change a billing account for a project and what roles you need. Hint – Project Owner and Billing Administrator for the billing account
    • Cloud Billing can be exported to BigQuery and Cloud Storage
  • Resource Manager
    • Understand Resource Manager the hierarchy Organization -> Folders -> Projects -> Resources
    • IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
    • Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.

Identity Services

  • Cloud Identity and Access Management
    • Identify and Access Management – IAM provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
    • Understand how IAM works and how rules apply esp. the hierarchy from Organization -> Folder -> Project -> Resources
    • Understand the difference between Basic (formerly Primitive), Pre-defined and Custom roles and their use cases
    • IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
    • Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
    • Basically Permissions -> Roles -> (IAM Policy) -> Members (Principals)
    • Know how to use service accounts with applications
    • Understand IAM Conditions for fine-grained, attribute-based access control
    • Understand IAM Deny Policies to set guardrails on access
  • Cloud Identity
    • Cloud Identity provides IDaaS (Identity as a Service) and provides single sign-on functionality and federation with external identity provides like Active Directory.
    • Cloud Identity supports federating with Active Directory using GCDS to implement the synchronization

Compute Services

    • Make sure you know all the compute services Google Compute Engine, Google App Engine, Google Kubernetes Engine, and Cloud Run. You need to be sure to know the pros and cons and the use cases that you should use them.
    • Google Compute Engine
      • Google Compute Engine is the best IaaS option for compute and provides fine grained control
      • Know how to create a Compute Engine instance, connect to it using Cloud shell or ssh keys
      • Difference between backups and images and how to create instances from the same.
      • Understand Compute Engine Storage Options. Disk throughput and IOPS depends on type and size.
      • Understand Compute Engine Snapshots
      • Instance templates with managed instance groups provide scalability and high availability
      • Instance template cannot be edited, create a new one and attach.
      • Difference between managed vs unmanaged instance groups and auto-healing feature
      • Managed instance groups are covered heavily the exam, as they provide the key auto-scaling capability. Hint: you need to create an Instance template and associate it with Instance group
      • Understand how migration or traffic splitting with Managed instance groups works Hint – rolling updates & deployments
      • Spot VMs (previously known as Preemptible VMs) and their use cases. HINT – can be terminated any time when Compute Engine needs the resources. Spot VMs no longer have the 24-hour maximum lifetime limitation that Preemptible VMs had.
      • Upgrade an instance without downtime using Live Migration
      • Managing access using OS Login or project and instance metadata
      • Prevent accidental deletion using deletion protection flag
      • Understand the pricing and discounts model Hint – Sustained (automatic up to 30%) vs Committed (1 to 3 yrs) discounts.
      • In case of any issues or errors, how to debug the same
    • Google App Engine
      • Google App Engine is mainly the best option for PaaS with platforms supported and features provided.
      • Deploy an application with App Engine and understand how versioning and rolling deployments can be done
      • Understand how to keep auto scaling and traffic splitting and migration.
      • Know App Engine is a regional resource and understand the steps to migrate or deploy application to different region and project.
      • Know the difference between App Engine Flexible vs Standard
    • Google Kubernetes Engine
      • Google Kubernetes Engine, powered by the open source container scheduler Kubernetes, enables you to run containers on Google Cloud Platform.
      • Kubernetes Engine takes care of provisioning and maintaining the underlying virtual machine cluster, scaling your application, and operational logistics such as logging, monitoring, and cluster health management.
      • A node pool is a subset of machines that all have the same configuration, including machine type (CPU and memory) authorization scopes. Node pools represent a subset of nodes within a cluster; a container cluster can contain one or more node pools. Hint : For adding new machine types, need to add a new node pool as existing one cannot be edited
      • Be sure to Create a Kubernetes Cluster and configure it to host an application
      • Understand how to make the cluster auto repairable and upgradable. Hint – Node auto-upgrades and auto-repairing feature
      • Very important to understand where to use gcloud commands (to create a cluster) and kubectl commands (manage the cluster components)
      • Very important to understand how to increase cluster size and enable autoscaling for the cluster
      • Know how to manage secrets like database passwords
      • Understand GKE Autopilot mode — a fully managed mode where Google manages the nodes, scaling, and security
    • Cloud Run
      • Cloud Run is a fully managed serverless platform for deploying and running containerized applications.
      • Supports any language or library as long as it can be containerized.
      • Scales automatically from zero to many instances and back to zero.
      • Supports both services (request-driven) and jobs (task-based workloads).
      • Cloud Run is now the unified serverless platform — Cloud Functions has been rebranded as Cloud Run functions.
    • Cloud Run functions (formerly Cloud Functions)
      • is a lightweight, event-based, asynchronous compute solution that allows you to create small, single-purpose functions that respond to cloud events without the need to manage a server or a runtime environment.
      • Remember that Cloud Run functions is serverless and scales from zero to scale and back to zero as the demand changes.
      • 2nd gen functions (recommended for new projects) are built on Cloud Run infrastructure and offer improved performance, concurrency, longer request processing (up to 60 minutes), and Eventarc integration.

Network Services

  • Virtual Private Cloud
    • Understand Virtual Private Cloud (VPC), subnets and host applications within them Hint VPC spans across region
    • Understand how Firewall rules works and how they are configured. Hint – Focus on Network Tags. Also, there are 2 implicit firewall rules – default ingress deny and default egress allow
    • Understand VPC Peering and Shared VPC
    • Understand the concept internal and external IPs and difference between static and ephemeral IPs
    • Primary IP range of an existing subnet can be expanded by modifying its subnet mask, setting the prefix length to a smaller number.
    • Understand Private Google Access and Private Service Connect use cases
  • On-premises connectivity
    • Cloud VPN and Cloud Interconnect are 2 components which help you connect to on-premises data center.
    • Understand HA VPN (recommended) vs Classic VPN. Note: Classic VPN dynamic routing via BGP is deprecated as of August 2025 — use HA VPN for BGP.
    • Understand what are the requirements to setup Cloud VPN.
    • Cloud Router provides dynamic routing using BGP
    • Know Interconnect as the reliable high speed, low latency and dedicated bandwidth options (Dedicated Interconnect and Partner Interconnect).
    • Cross-Cloud Interconnect — provides dedicated, high-bandwidth connectivity between Google Cloud and other cloud providers (e.g., AWS, Azure) without traversing the public internet.
    • Network Connectivity Center — a centralized hub for managing hybrid and multi-cloud network connectivity, connecting on-premises, Google Cloud, and other cloud networks through spokes.
  • Cloud Load Balancing (GCLB)
    • Google Cloud Load Balancing provides scaling, high availability, and traffic management for your internet-facing and private applications.
    • Understand Google Load Balancing options and their use cases esp. which is global and internal and what protocols they support.

Storage Services

  • Understand each Storage Options and use cases.
  • Persistent disks
    • attached to the Compute Engines, provide fast access however are limited in scalability, availability and scope.
    • Remember performance depends on the size of the disk
  • Cloud Storage
    • Cloud Storage is cost-effective object storage for unstructured data.
    • very important to know the different storage classes and their use cases: Standard (frequent access, replaces the legacy Regional/Multi-Regional classes), Nearline (30-day minimum, monthly access), Coldline (90-day minimum, quarterly access), and Archive (365-day minimum, yearly access)
    • Understand life cycle management. HINT – Changes are in accordance to object creation date
    • Understand various data encryption techniques
    • Understand Signed URL to give temporary access and the users do not need to be GCP users
    • Understand access control and permissions – IAM vs ACLs (fine grained control). Note: Uniform bucket-level access is now the recommended default.
    • Understand best practices esp. uploading and downloading the data. HINT using parallel composite uploads
  • Relational Databases
    • Know Cloud SQL, Cloud Spanner, and AlloyDB for PostgreSQL
    • Cloud SQL
      • Cloud SQL is a fully-managed service that provides MySQL, PostgreSQL and MS SQL Server
      • Supports up to 64TB of storage.
      • Difference between Failover and Read replicas. Failover provides High Availability and almost zero downtime while Read replicas provide scalability. Cross region Read Replicas are supported
      • Perform Point-In-Time recovery. Hint – requires binary logging and backups
      • Cloud SQL Enterprise Plus edition provides near-zero downtime maintenance and advanced HA features
    • Cloud Spanner
      • is a fully managed, mission-critical relational database service.
      • provides a scalable online transaction processing (OLTP) database with high availability and strong consistency at global scale.
      • globally distributed and can scale horizontally.
      • not a direct replacement for Cloud SQL and would need migration
    • AlloyDB for PostgreSQL
      • Fully managed, PostgreSQL-compatible database designed for demanding enterprise workloads.
      • Up to 4x faster for transactional workloads and up to 100x faster for analytical queries compared to standard PostgreSQL.
      • Provides automatic storage scaling, integrated AI/ML capabilities with built-in Vertex AI integration.
      • Best for enterprise PostgreSQL workloads that need high performance and availability.
  • NoSQL
    • Know Firestore and Bigtable
    • Firestore (successor to Cloud Datastore)
      • Firestore operates in two modes: Native mode (real-time, mobile/web apps) and Datastore mode (server-side, backward compatible with legacy Datastore)
      • Provides document database for web and mobile applications. Not for analytics.
      • Understand Firestore indexes and how to update indexes
      • Can be configured Multi-regional and regional
    • Bigtable
      • provides column database suitable for both low-latency single-point lookups and precalculated analytics
      • understand Bigtable is suitable for high-throughput workloads like IoT, time-series, and analytics
  • Data Warehousing
    • BigQuery
      • provides scalable, fully managed enterprise data warehouse (EDW) with SQL and fast ad-hoc queries.
      • Remember it is most suitable for historical analysis.
      • Now includes BigQuery ML for running ML models directly in SQL, and BigQuery Studio for unified analytics.
  • Memorystore and Firebase are now more commonly tested; understand Memorystore for Redis/Memcached caching use cases.

Data Services

  • Although there is a different certification for Data Engineer, the Cloud Architect does cover data services. Data services are also part of the use cases so be sure to know about them
  • Know the Big Data stack and understand which service fits the different layers of ingest, store, process, analytics, use
  • Key Services which need to be mainly covered are –
    • Cloud Storage as the medium to store data as data lake
    • Pub/Sub
      • as the messaging service to capture real time data esp. IoT
      • is designed to provide reliable, many-to-many, asynchronous messaging between applications esp. real time IoT data capture
      • Cloud Storage can generate notifications via Pub/Sub
    • Dataflow to process, transform, transfer data and the key service to integrate store and analytics. Now supports ML inference directly in pipelines (RunInference) and TPU integration.
    • BigQuery for storage and analytics. Remember BigQuery provides the same cost-effective option for storage as Cloud Storage
    • Managed Service for Apache Spark (formerly Cloud Dataproc) to handle existing Hadoop/Spark jobs. Hint – Use it to replace existing hadoop infra. Now includes serverless Spark option (no cluster management needed).
    • Dataform for managing SQL-based data transformation pipelines in BigQuery (replaces the need for Cloud Dataprep in many scenarios)
  • Know standard patterns Pub/Sub -> Dataflow -> BigQuery

AI and Machine Learning Services (NEW for PCA v6.1)

  • The updated PCA exam includes significant AI/ML content. Key services to know:
  • Vertex AI
    • Google Cloud’s unified AI/ML platform for building, deploying, and scaling ML models
    • Understand AutoML (no-code/low-code model training) vs Custom Training (bring your own code)
    • Understand Vertex AI Workbench (managed notebooks, replacement for Cloud Datalab)
    • Model deployment to endpoints with online/batch prediction
    • Vertex AI Feature Store for managing ML features
    • Vertex Explainable AI for model interpretability
  • Gemini
    • Google’s multimodal AI model family, available through Vertex AI
    • Understand use cases for generative AI in architecture (content generation, code assistance, data analysis)
  • Pre-trained APIs
    • Vision AI, Natural Language AI, Translation AI, Speech-to-Text, Text-to-Speech
    • Know when to use pre-trained APIs vs AutoML vs custom training

Monitoring

  • Google Cloud Monitoring (formerly Stackdriver)
    • provides everything from monitoring, alert, error reporting, metrics, diagnostics, debugging, trace.
    • remember audits are mainly checking Cloud Audit Logs
  • Google Cloud Logging (formerly Stackdriver Logging)
    • Understand log routing, sinks, and log-based metrics
    • Know log retention periods and where to export for long-term storage
  • Cloud Trace — distributed tracing for latency analysis
  • Error Reporting — aggregates and displays errors from cloud services

DevOps services

  • Infrastructure as Code
    • Infrastructure Manager (Terraform-based) — Google Cloud’s recommended IaC service
    • Terraform — the industry standard for multi-cloud IaC, fully supported on Google Cloud
    • Deployment ManagerDeprecated (support discontinued March 31, 2026). Migrate to Infrastructure Manager or Terraform.
  • Source Code Management
    • Secure Source Manager — regionally deployed, managed source code repository on Google Cloud
    • Cloud Source Repositories — End of sale since June 2024; not available to new customers. Use Secure Source Manager, GitHub, or GitLab.
  • Artifact Registry
    • is the universal package manager for all build artifacts and dependencies (Docker images, language packages, OS packages).
    • Container RegistryShut down March 18, 2025. All container image storage has migrated to Artifact Registry.
  • Cloud Build
    • is a service that executes your builds on Google Cloud Platform infrastructure.
    • Supports CI/CD pipelines with triggers from source repositories.
  • Cloud Deploy
    • Managed continuous delivery service for deploying to GKE, Cloud Run, and Anthos.
  • MarketPlace (Cloud Launcher)
    • provides a way to launch common software packages e.g. Jenkins or WordPress and stacks on Google Compute Engine with just a few clicks like a prepackaged solution.
    • can help minimize deployment time and can be used without any knowledge about the product

Security Services

  • Web Security Scanner (formerly Cloud Security Scanner)
    • is a web application security scanner that enables developers to easily check for a subset of common web application vulnerabilities in websites built on App Engine, GKE, and Compute Engine.
  • Cloud DLP (Sensitive Data Protection)
    • to handle sensitive data esp. redaction of PII data. Rebranded as Sensitive Data Protection.
  • Security Command Center (SCC)
    • Centralized security and risk management platform for Google Cloud resources.
    • Provides asset discovery, threat detection, and compliance monitoring.
  • Cloud Armor
    • DDoS protection and WAF (Web Application Firewall) for applications behind Load Balancers.
  • VPC Service Controls
    • Creates security perimeters around Google Cloud resources to prevent data exfiltration.
  • PCI-DSS compliant
    • GCP services are PCI-DSS compliant, however you need to make sure for the applications and hosting to be inline with PCI-DSS requirements
  • Same concept as PCI-DSS applies to GDPR as well

Google Cloud Well-Architected Framework (NEW for PCA v6.1)

  • The Well-Architected Framework is now required knowledge for the PCA exam.
  • Understand the six pillars:
    • Operational Excellence — monitoring, incident management, deployment practices
    • Security, Privacy, and Compliance — identity, data protection, network security
    • Reliability — high availability, disaster recovery, fault tolerance
    • Cost Optimization — resource efficiency, committed use discounts, rightsizing
    • Performance Optimization — scaling, caching, optimizing resources
    • Sustainability — efficient use of resources, carbon-aware workloads
  • Includes an AI and ML perspective covering design principles for AI workloads on Google Cloud.

Other Services

  • Know various data transfer options
  • Storage Transfer Service
    • allows import of large amounts of online data into Google Cloud Storage, quickly and cost-effectively.
    • Online data is the key here as it supports AWS S3, Azure Blob Storage, HTTP/HTTPS and other GCS buckets.
    • for on-premises data you can use the Storage Transfer Service agent or gsutil command
  • Transfer Appliance
    • to transfer large amounts of data quickly and cost-effectively into Google Cloud Platform.
    • Check for the data size and it would be always compared with Storage Transfer Service or gsutil commands.

Case Studies

  • The PCA exam was updated in October 2025 with new case studies. The current case studies are:
    • EHR Healthcare — electronic health record provider migrating to Google Cloud for scalability and disaster recovery
    • Altostrat Media — media company with AI integration requirements
    • Cymbal Retail — online retailer modernizing operations with conversational commerce and AI
    • KnightMotives Automotive — automotive company with AI-driven use cases
  • All new case studies emphasize AI/ML integration in architecture decisions.
  • Note: The previous case studies (Mountkirk Games, Dress4Win, TerramEarth) are no longer part of the exam.

AWS Certified SysOps Administrator – Associate (SOA-C01) Exam Learning Path

AWS Certified SysOps Administrator – Associate (SOA-C01) Exam Learning Path

⚠️ EXAM RETIRED – SOA-C01 No Longer Available

The AWS Certified SysOps Administrator – Associate (SOA-C01) exam has been retired. It was replaced by the SOA-C02 exam, which itself was retired on September 29, 2025.

The current exam is now the AWS Certified CloudOps Engineer – Associate (SOA-C03), launched on September 30, 2025.

Recommended Next Steps:

This content is maintained for historical reference only. If you are preparing for certification, please use the SOA-C03 exam resources.

AWS Certified SysOps Administrator – Associate (SOA-C01) exam was the AWS associate-level operations exam that validated the ability to:

  • Deploy, manage, and operate scalable, highly available, and fault tolerant systems on AWS
  • Implement and control the flow of data to and from AWS
  • Select the appropriate AWS service based on compute, data, or security requirements
  • Identify appropriate use of AWS operational best practices
  • Estimate AWS usage costs and identify operational cost control mechanisms
  • Migrate on-premises workloads to AWS

Refer AWS Certified SysOps – Associate Exam Guide Sep 18

AWS Certified SysOps Administrator - Associate Content Outline

AWS Certified SysOps Administrator – Associate (SOA-C01) Exam Summary

  • AWS Certified SysOps Administrator – Associate exam was quite different from the previous one with more focus on the error handling, deployment, monitoring.
  • AWS Certified SysOps Administrator – Associate exam covered a lot of AWS services like ALB, Lambda, AWS Config, AWS Inspector, AWS Shield while focusing majorly on other services like CloudWatch, Metrics from various services, CloudTrail.
  • Be sure to cover the following topics
    • Monitoring & Management Tools
      • Understand CloudWatch monitoring to provide operational transparency
        • Know which EC2 metrics it can track (disk, network, CPU, status checks) and which would need custom metrics (memory, disk swap, disk storage etc.)
        • Know ELB monitoring
          • Classic Load Balancer metrics SurgeQueueLength and SpilloverCount
          • Reasons for 4XX and 5XX errors
      • Understand CloudTrail for audit and governance
      • Understand AWS Config and its use cases
      • Understand AWS Systems Manager and its various services like parameter store, patch manager
      • Understand AWS Trusted Advisor and what it provides
      • Very important to understand AWS CloudWatch vs AWS CloudTrail vs AWS Config
      • Very important to understand Trust Advisor vs Systems manager vs Inspector
      • Know Personal Health Dashboard & Service Health Dashboard
      • Deployment tools
        • Know AWS OpsWorks and its ability to support chef & puppet
        • Know Elastic Beanstalk and its advantages
        • Understand AWS CloudFormation
          • Know stacks, templates, nested stacks
          • Know how to wait for resources setup to be completed before proceeding esp. cfn-signal
          • Know how to retain resources (RDS, S3), prevent rollback in case of a failure
    • Networking & Content Delivery
      • Understand VPC in depth
        • Understand the difference between
          • Bastion host – allow access to instances in private subnet
          • NAT – route traffic from private subnets to internet
          • NAT instance vs NAT Gateway
          • Internet Gateway – Access to internet
          • Virtual Private Gateway – Connectivity between on-premises and VPC
          • Egress-Only Internet Gateway – relevant to IPv6 only to allow egress traffic from private subnet to internet, without allowing ingress traffic
        • Understand
        • Understand how VPC Peering works and limitations
        • Understand VPC Endpoints and supported services
        • Ability to debug networking issues like EC2 not accessible, EC2 instances not reachable, Instances in subnets not able to communicate with others or Internet.
      • Understand Route 53 and Routing Policies and their use cases
        • Focus on Weighted, Latency routing policies
      • Understand VPN and Direct Connect and their use cases
      • Understand CloudFront and use cases
      • Understand ELB, ALB and NLB and what features they provide like
        • ALB provides content and path routing
        • NLB provides ability to give static IPs to load balancer.
    • Compute
      • Understand EC2 in depth
        • Understand EC2 instance types
        • Understand EC2 purchase options esp. spot instances and improved reserved instances options.
        • Understand how IO Credits work and T2 burstable performance and T2 unlimited
        • Understand EC2 Metadata & Userdata. Whats the use of each? How to look up instance data after it is launched.
        • Understand EC2 Security.
          • How IAM Role work with EC2 instances
          • IAM Role can now be attached to stopped and runnings instances
        • Understand AMIs and remember they are regional and how can they be shared with others.
        • Troubleshoot issues with launching EC2 esp. RequestLimitExceeded, InstanceLimitExceeded etc.
        • Troubleshoot connectivity, lost ssh keys issues
      • Understand Auto Scaling
      • Understand Lambda and its use cases
      • Understand Lambda with API Gateway
    • Storage
    • Databases
    • Security
      • Understand IAM as a whole
      • Understand KMS for key management and envelope encryption
      • Understand CloudHSM and KMS vs CloudHSM esp. support for symmetric and asymmetric keys
      • Know AWS Inspector and its use cases
      • Know AWS GuardDuty as managed threat detection service. Will help eliminate as the option
      • Know AWS Shield esp. the Shield Advanced option and the features it provides
      • Know WAF as Web Traffic Firewall
      • Know AWS Artifact as on-demand access to compliance reports
    • Integration Tools
      • Understand SQS as message queuing service and SNS as pub/sub notification service
        • Focus on SQS as a decoupling service
        • Understand SQS FIFO, make sure you know the differences between standard and FIFO
      • Understand CloudWatch integration with SNS for notification
    • Cost management

AWS Certified SysOps Administrator – Associate (SOA-C01) Exam Resources

📌 Note: The resources below were relevant for the retired SOA-C01 exam. For current certification preparation, refer to:

AWS Cloud Computing Whitepapers

AWS Certified SysOps Administrator – Associate (SOA-C01) Exam Contents

Domain 1: Monitoring and Reporting

  1. Create and maintain metrics and alarms utilizing AWS monitoring services
  2. Recognize and differentiate performance and availability metrics
  3. Perform the steps necessary to remediate based on performance and availability metrics

Domain 2: High Availability

  1. Implement scalability and elasticity based on use case
  2. Recognize and differentiate highly available and resilient environments on AWS

Domain 3: Deployment and Provisioning

  1. Identify and execute steps required to provision cloud resources
  2. Identify and remediate deployment issues

Domain 4: Storage and Data Management

  1. Create and manage data retention
  2. Identify and implement data protection, encryption, and capacity planning needs

Domain 5: Security and Compliance

  1. Implement and manage security policies on AWS
  2. Implement access controls when using AWS
  3. Differentiate between the roles and responsibility within the shared responsibility model

Domain 6: Networking

  1. Apply AWS networking features
  2. Implement connectivity services of AWS
  3. Gather and interpret relevant information for network troubleshooting

Domain 7: Automation and Optimization

  1. Use AWS services and features to manage and assess resource utilization
  2. Employ cost-optimization strategies for efficient resource utilization
  3. Automate manual or repeatable process to minimize management overhead

Exam Evolution: SOA-C01 → SOA-C02 → SOA-C03 (CloudOps Engineer)

The AWS SysOps Administrator certification has gone through significant evolution:

  • SOA-C01 (2018-2021) – Original version covered in this post. Focused on traditional operations with 7 domains.
  • SOA-C02 (2021-2025) – Added hands-on exam labs, introduced automation focus, reduced to 6 domains. Retired September 29, 2025.
  • SOA-C03 / AWS Certified CloudOps Engineer – Associate (2025-present) – Current exam. Rebranded to reflect modern cloud operations. Added containers (ECS, EKS, ECR), multi-account architectures, and expanded automation coverage. 5 domains with new question types (ordering, matching, case studies).

SOA-C03 Exam Domains (Current)

Domain Weight
Monitoring, Logging, Analysis, Remediation & Performance Optimization 22%
Reliability and Business Continuity 22%
Deployment, Provisioning, and Automation 22%
Networking and Content Delivery 18%
Security and Compliance 16%

Key additions in SOA-C03 compared to SOA-C01:

  • Container Operations – Amazon ECS, EKS, ECR, Fargate
  • Multi-Account Architecture – AWS Organizations, Service Control Policies (SCPs), AWS Control Tower
  • Modern Automation – AWS CDK, EventBridge, expanded Systems Manager capabilities
  • Cost Optimization – Compute Optimizer, AWS Budgets actions, Savings Plans
  • Enhanced Security – Security Hub, AWS Backup, Secrets Manager rotation

For the current exam preparation, refer to the official AWS CloudOps Engineer certification page.

AWS Certified Developer – Associate DVA-C01 Exam Learning Path

AWS Certified Developer – Associate DVA-C01 Exam Learning Path

⚠️ EXAM RETIRED — DVA-C01 No Longer Available

The AWS Certified Developer – Associate DVA-C01 exam was retired on February 27, 2023.

It has been replaced by the DVA-C02 exam. This content is maintained for historical reference only.

👉 For the current exam, see: AWS Certified Developer – Associate DVA-C02 Exam Learning Path

Key DVA-C02 Changes vs DVA-C01:

  • Domain restructuring — 4 domains: Development with AWS Services (32%), Security (26%), Deployment (24%), Troubleshooting & Optimization (18%)
  • More hands-on focus — Emphasis on writing, testing, deploying, and debugging code
  • New services — Amazon Q Developer, EventBridge, Step Functions, AppSync, CDK
  • AI-assisted development — Amazon Q Developer added in December 2024 revision
  • Removed focus — Less emphasis on architecture design, more on CI/CD workflows

AWS Certified Developer – Associate DVA-C01 exam was the AWS exam version available from June 2018 to February 2023 and has been replaced by the DVA-C02 exam. It validated:

  • Demonstrate an understanding of core AWS services, uses, and basic AWS architecture best practices.
  • Demonstrate proficiency in developing, deploying, and debugging cloud-based applications using AWS.

Refer AWS Certified Developer – Associate (Released June 2018) Exam Blue Print

AWS Certified Developer - Associate June 2018 Domains

AWS Certified Developer – Associate DVA-C01 Summary

  • AWS Certified Developer – Associate DVA-C01 exam was quite different from the previous one with more focus on the hands-on development and deployment concepts rather than just the architectural concepts
  • AWS Certified Developer – Associate DVA-C01 exam covered a lot of AWS services like Lambda, X-Ray while focusing majorly on other services like DynamoDB, Elastic Beanstalk, S3, EC2
  • Note: DVA-C01 was retired on Feb 27, 2023. For current exam preparation, refer to the DVA-C02 Learning Path

AWS Developer – Associate Exam Resources (Updated for DVA-C02)

AWS Developer – Associate DVA-C01 Exam Topics

  • Be sure to cover the following topics
    • Compute
      • Understand what AWS services you can use to build a serverless architecture?
      • Make sure you know and understand Lambda and serverless architecture, its features and use cases.
      • Know Lambda limits for e.g. execution time, deployable zipped and unzipped package limit
      • Be sure to know how to deploy, package using Lambda.
      • Understand tracing of Lambda functions using X-Ray
      • Understand integration of Lambda with CloudWatch.
      • Understand how to handle multiple releases using Alias
      • Know AWS Step Functions to manage Lambda functions flow
      • Understand Lambda with API Gateway
      • Understand API Gateway stages, ability to cater to different environments for e.g. dev, test, prod
      • Understand EC2 as a whole
      • Understand EC2 Metadata & Userdata. Whats the use of each? How to look up instance data after it is launched.
      • Understand EC2 Security. How IAM Role work with EC2 instances.
      • Understand how does EC2 evaluates the order of credentials, when multiple are provided. Remember the order – Environment variables -> Java system properties -> Default credential profiles file -> ECS container credentials -> Instance Profile credentials
      • Know Elastic Beanstalk at a high level, what it provides and its ability to get an application running quickly
      • Understand Elastic Beanstalk configurations and deployment types with their advantages and disadvantages
    • Databases
      • Understand relational and NoSQLs data storage options which include RDS, DynamoDB and their use cases
      • Understand DynamoDB Secondary Indexes
      • Make sure you understand DynamoDB provisioned throughput for Read/Writes and its calculations
      • Make sure you understand DynamoDB Consistency Model – difference between Strongly Consistent and Eventual Consistency
      • Understand DynamoDB with its low latency performance, DAX
      • Know how to configure fine grained security for DynamoDB table, items, attributes
      • Understand DynamoDB Best Practices regarding
        • table design
        • provisioned throughput
        • Query vs Scan operations
        • improving Scan operation performance
      • Understand RDS features – Read Replicas for scalability, Multi-AZ for High Availability
      • Know ElastiCache use cases, mainly for caching performance
      • Understand ElastiCache Redis vs Memcached
    • Storage
      • Understand S3 storage option
      • Understand S3 Best Practices to improve performance for GET/PUT requests
      • Understand S3 features like different storage classes with lifecycle policies, static website hosting, versioning, Pre-Signed URLs for both upload and download, CORS
    • Security
      • Understand IAM as a whole
      • Focus on IAM role and its use case especially with EC2 instance
      • Know how to test and validate IAM policies
      • Understand IAM identity providers and federation and use cases
      • Understand how AWS Cognito works and what features it provides
      • Understand MFA and How would implement two factor authentication for your application
      • Understand KMS for key management and envelope encryption
      • Know what services support KMS
        • Remember SQS, Kinesis now provides SSE support
      • Focus on S3 with SSE, SSE-C, SSE-KMS. How they work and differ?
      • Know how can you enforce only buckets to only accept encrypted objects
      • Know various KMS encryption options encrypt, reencrypt, generateEncryptedDataKey etc
      • Know how KMS impacts the performance of the services
    • Management Tools
      • Understand CloudWatch monitoring to provide operational transparency
      • Know which EC2 metrics it can track.
      • Understand CloudWatch is extendable with custom metrics
      • Understand CloudTrail for Audit
    • Integration Tools
      • Understand SQS as message queuing service and SNS as pub/sub notification service
      • Understand SQS features like visibility, long poll vs short poll
      • Focus on SQS as a decoupling service
      • AWS has released SQS FIFO, make sure you know the differences between standard and FIFO
      • Know the different development and deployment tools like CodeCommit, CodeBuild, CodeDeploy, CodePipeline
    • Networking
      • Does not cover much on networking or designing of networks, but be sure you understand VPC, Subnets, Routes, Security Groups etc.

AWS Cloud Computing Whitepapers

AWS Certified Developer – Associate DVA-C01 Exam Contents

Note: These domains are specific to the retired DVA-C01 exam. The current DVA-C02 exam has different domain structure and weightings. See the DVA-C02 Learning Path for current exam domains.

Domain 1: Deployment

  1. Deploy written code in AWS using existing CI/CD pipelines, processes, and patterns.
  1. Deploy applications using Elastic Beanstalk.
  1. Prepare the application deployment package to be deployed to AWS.
  2. Deploy serverless applications.

Domain 2: Security

  1. Make authenticated calls to AWS services.
  1. Implement encryption using AWS services.
  2. Implement application authentication and authorization.

Domain 3: Development with AWS Services

  1. Write code for serverless applications.
  1. Translate functional requirements into application design.
  1. Implement application design into application code.
  2. Write code that interacts with AWS services by using APIs, SDKs, and AWS CLI.

Domain 4: Refactoring

  1. Optimize application to best use AWS services and features.
  2. Migrate existing application code to run on AWS.

Domain 5: Monitoring and Troubleshooting

  1. Write code that can be monitored.
  2. Perform root cause analysis on faults found in testing or production.

DVA-C01 vs DVA-C02 — Key Differences

If you studied for DVA-C01 and need to understand what changed for DVA-C02:

  • Domain restructuring: DVA-C01 had 5 domains; DVA-C02 has 4 domains with different weightings
  • Refactoring domain removed: Merged into Development and Troubleshooting domains
  • More Lambda focus: Lambda gets its own dedicated task in DVA-C02
  • CI/CD emphasis: Greater focus on CodePipeline, CodeBuild, CodeDeploy, and CDK
  • New services added: EventBridge, AppSync, Step Functions, CDK, Amazon Q Developer
  • Services de-emphasized: Less focus on Elastic Beanstalk, more on containers (ECS/EKS)
  • Security weight increased: Security is now 26% of the exam (was 12% in DVA-C01)
  • AI-assisted development: December 2024 revision added Amazon Q Developer skills

For full DVA-C02 preparation guidance, visit the AWS Certified Developer – Associate DVA-C02 Exam Learning Path.

AWS Certified Solutions Architect – Associate SAA-C01 Exam Learning Path (Obsolete)

AWS Certified Solutions Architect – Associate SAA-C01 Exam Learning Path (Retired)

⚠️ EXAM RETIRED — SAA-C01 is No Longer Available

AWS Solutions Architect – Associate SAA-C01 was retired in 2020. It was succeeded by SAA-C02 (also retired August 29, 2022), and then by the current SAA-C03 exam.

This content is maintained for historical reference only. You cannot register for or take the SAA-C01 exam.

Current Exam:

What Changed (SAA-C01 → SAA-C03):

  • Greater focus on AWS Well-Architected Framework pillars
  • New services added: AWS Organizations, Control Tower, Lake Formation, EventBridge, Step Functions, EKS, Fargate, and more
  • Expanded security and governance coverage
  • More emphasis on hybrid cloud and migration strategies
  • Updated to reflect current AWS service landscape (2022+)

AWS Solutions Architect – Associate SAA-C01 Exam Summary (Historical)

AWS Solutions Architect – Associate SAA-C01 validated the ability to effectively demonstrate knowledge of how to architect and deploy secure and robust applications on AWS technologies:

  • Define a solution using architectural design principles based on customer requirements.
  • Provide implementation guidance based on best practices to the organization throughout the life cycle of the project.

The SAA-C01 exam focused on building scalable, highly available, cost-effective, performant, resilient, and operationally effective architectures across the following topic areas:

  • Be sure to cover the following topics
    • Networking
      • Be sure to create VPC from scratch. This is mandatory.
        • Create VPC and understand what’s a CIDR.
        • Create public and private subnets, configure proper routes, security groups, NACLs.
        • Create Bastion for communication with instances
        • Create NAT Gateway or Instances for instances in private subnets to interact with internet
        • Create two tier architecture with application in public and database in private subnets
        • Create three tier architecture with web servers in public, application and database servers in private.
        • Make sure to understand how the communication happens between Internet, Public subnets, Private subnets, NAT, Bastion etc.
      • Understand VPC endpoints and what services it can help interact
      • Understand difference between NAT Gateway and NAT Instance
      • Understand how NAT high availability can be achieved
      • Understand CloudFront as CDN and the static and dynamic caching it provides, what can be its origin (it can point to on-premises sources)
      • Understand Route 53 for routing, health checks and various routing policies it provides and their use cases mainly for high availability
      • Be sure to cover ELB in deep. AWS has introduced ALB and NLB and there are lot of questions on ALB
      • Understand ALB features with its ability for content based and URL based routing with support for dynamic port mapping with ECS
    • Storage
      • Understand various storage options S3, EBS, Instance store, EFS, Glacier and what are the use cases and anti patterns for each
      • Understand various EBS volume types and their use cases in terms of IOPS and throughput. SSD for IOPS and HDD for throughput
      • Understand Burst performance and I/O credits to handle occasional peaks
      • Understand S3 features like different storage classes with lifecycle policies, static website hosting, versioning, Pre-Signed URLs for both upload and download, CORS
      • Understand Glacier as an archival storage with various retrieval patterns
      • Understand Storage gateway and its different types
    • Compute
      • Understand EC2 as a whole
      • Understand Auto Scaling and ELB, how they work together to provide High Available and Scalable solution
      • Understand EC2 various purchase types – Reserved, On-demand and Spot and their use cases
      • Understand Lambda and serverless architecture, its features and use cases
      • Understand ECS with its ability to deploy containers and micro services architecture
      • Know Elastic Beanstalk at a high level, what it provides and its ability to get an application running quickly
    • Databases
    • Analytics
      • Understand Redshift as a data warehousing tool
      • Know Kinesis for real time data capture and analytics
    • Security
    • Management Tools
      • Understand CloudWatch monitoring to provide operational transparency
      • Know which EC2 metrics it can track. Remember, it cannot track memory and disk space/swap utilization
      • Understand CloudWatch is extendable with custom metrics
      • Understand CloudTrail for Audit
    • Integration Tools
      • Understand SQS as message queuing service and SNS as pub/sub notification service
      • Understand SQS features like visibility, long poll vs short poll
      • Focus on SQS as a decoupling service
      • Understand SQS FIFO and the differences between standard and FIFO

AWS Solutions Architect – Associate SAA-C01 Exam Resources (Archived)

Note: The resources below were relevant for the SAA-C01 exam (retired 2020). For current SAA-C03 study resources, visit the SAA-C03 Learning Path.

  • Online Courses (Historical)
  • General Preparation Tips (Still Valid)
    • Sign up with AWS for the Free Tier account which provides a lot of services to try for free
    • Read the FAQs for important topics, as they cover key points and are good for quick review

AWS Cloud Computing Whitepapers (Still Relevant)

AWS Solutions Architect – Associate SAA-C01 Exam Domains (Historical)

Domain 1: Design Resilient Architectures

  1. Choose reliable/resilient storage.
  2. Determine how to design decoupling mechanisms using AWS services.
  3. Determine how to design a multi-tier architecture solution.
  4. Determine how to design high availability and/or fault tolerant architectures.

Domain 2: Define Performant Architectures

  1. Choose performant storage and databases.
  2. Apply caching to improve performance.
  3. Design solutions for elasticity and scalability.

Domain 3: Specify Secure Applications and Architectures

  1. Determine how to secure application tiers.
  2. Determine how to secure data.
  3. Define the networking infrastructure for a single VPC application.

Domain 4: Design Cost-Optimized Architectures

  1. Determine how to design cost-optimized storage.
  2. Determine how to design cost-optimized compute.

Domain 5: Define Operationally-Excellent Architectures

  1. Choose design features in solutions that enable operational excellence.

Related Posts

AWS Services Overview – Whitepaper – Certification

AWS Services Overview

AWS consists of many cloud services that can be used in combinations tailored to meet business or organizational needs. This section introduces the major AWS services by category.


NOTE – This post provides a brief overview of AWS services. It is a good introduction to start all certifications. However, it is most relevant and important for the AWS Cloud Practitioner Certification Exam.

Last updated: June 2026. Reflects current AWS service names, deprecations, and new services launched through 2024-2026.


Common Features

  • Almost all features can be access-controlled through AWS Identity and Access Management (IAM)
  • Services managed by AWS are all made Scalable and Highly Available, without any changes needed from the user
  • Most services support encryption at rest and in transit by default

AWS Access

AWS allows accessing its services through unified tools using

  • AWS Management Console – a simple and intuitive user interface
  • AWS Command Line Interface (CLI) – programmatic access through scripts
  • AWS Software Development Kits (SDKs) – programmatic access through Application Program Interface (API) tailored for programming languages (Java, .NET, Node.js, PHP, Python, Ruby, Go, C++, Rust, Kotlin, Swift) or platforms (Android, Browser, iOS)
  • AWS CloudShell – a browser-based shell environment pre-authenticated with console credentials
  • Infrastructure as Code (IaC) – AWS CloudFormation, AWS CDK, or Terraform for declarative resource provisioning

Security, Identity, and Compliance

AWS Identity and Access Management (IAM)

  • enables you to securely control access to AWS services and resources for the users.
  • allows creation of AWS users, groups and roles, and use permissions to allow and deny their access to AWS resources
  • helps manage IAM users and their access with individual security credentials like access keys, passwords, and multi-factor authentication devices, or request temporary security credentials
  • helps role creation & manage permissions to control which operations can be performed by which entity, or AWS service, that assumes the role
  • enables identity federation to allow existing identities in the enterprise to access AWS without the need to create an IAM user for each identity.
  • IAM Identity Center (formerly AWS SSO) provides centralized workforce identity management and single sign-on access to multiple AWS accounts and applications.

Amazon Inspector

  • is an automated vulnerability management service that continually scans workloads for software vulnerabilities and unintended network exposure.
  • automatically discovers and scans EC2 instances, container images in Amazon ECR, and AWS Lambda functions.
  • supports both agent-based and agentless scanning for EC2 instances.
  • produces a detailed list of security findings prioritized by a contextualized risk score that correlates CVE information with network access and exploitability factors.
  • integrates with AWS Security Hub for centralized findings management.

AWS Certificate Manager

  • helps provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services like ELB, CloudFront, and API Gateway
  • removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.

AWS CloudHSM

  • helps meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS Cloud.
  • allows protection of encryption keys within HSMs, designed and validated to government standards for secure key management.
  • helps comply with strict key management requirements without sacrificing application performance.

AWS Directory Service

  • provides Microsoft Active Directory (Enterprise Edition), also known as AWS Managed Microsoft AD, that enables directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud.

AWS Key Management Service (KMS)

  • is a managed service that makes it easy to create and control the encryption keys used to encrypt your data.
  • uses HSMs to protect the security of your keys.
  • integrates with most AWS services for seamless encryption of data at rest.

AWS Organizations

  • allows creation of AWS account groups, to more easily manage security and automation settings collectively
  • helps centrally manage multiple accounts to help scale.
  • helps control which AWS services are available to individual accounts using Service Control Policies (SCPs), automate new account creation, and simplify billing.

AWS Shield

  • is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS.
  • provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
  • provides two tiers: Shield Standard (free, automatic) and Shield Advanced (paid, enhanced protection with 24/7 DDoS Response Team access).

AWS WAF

  • is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
  • gives complete control over which traffic to allow or block to web application by defining customizable web security rules.
  • integrates with CloudFront, Application Load Balancer, API Gateway, and AWS AppSync.

Amazon GuardDuty

  • is a threat detection service that continuously monitors AWS accounts, workloads, and data for malicious activity and anomalous behavior.
  • analyzes events from AWS CloudTrail, VPC Flow Logs, DNS logs, and other sources using machine learning and threat intelligence.
  • provides actionable security findings with severity levels for prioritized response.

Amazon Macie

  • is a data security service that discovers sensitive data using machine learning and pattern matching.
  • automatically discovers and protects sensitive data stored in Amazon S3, such as personally identifiable information (PII) and financial data.
  • provides visibility into data security risks and enables automated protection.

AWS Security Hub

  • provides a comprehensive view of your security posture across AWS accounts.
  • aggregates, organizes, and prioritizes security findings from multiple AWS services (GuardDuty, Inspector, Macie) and AWS Partner solutions.
  • automates security checks against best practices and industry standards.

Amazon Security Lake

  • automatically centralizes security data from AWS environments, SaaS providers, and on-premises sources into a purpose-built data lake.
  • normalizes data using the Open Cybersecurity Schema Framework (OCSF) for easier analysis.
  • stores data in your account using S3, giving you full control and ownership.

AWS Compute Services

Amazon Elastic Compute Cloud (EC2)

  • provides secure, resizable compute capacity
  • provides complete control of the computing resources (root access, ability to start, stop, terminate instances etc.)
  • reduces the time required to obtain and boot new instances to minutes
  • allows quick scaling of capacity, both up and down, as computing requirements change
  • provides developers and sysadmins tools to build failure-resilient applications and isolate themselves from common failure scenarios.
  • Benefits
    • Elastic Web-Scale Computing – enables scaling to increase or decrease capacity within minutes.
    • Flexible Cloud Hosting Services – flexibility to choose from multiple instance types (including AWS Graviton-based ARM instances for better price-performance), operating systems, and software packages.
    • Reliable – offers a highly reliable environment where replacement instances can be rapidly commissioned. EC2 SLA commitment is 99.99% availability for each Region.
    • Secure – works in conjunction with VPC to provide security and robust networking functionality. Allows control of IP address, exposure to Internet (using subnets), inbound and outbound access (using Security groups and NACLs).
    • Inexpensive – pay only for the capacity actually used
  • EC2 Purchasing Options
    • On-Demand Instances – pay for compute capacity by the hour or second with no long-term commitments.
    • Savings Plans – flexible pricing model offering up to 72% savings in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a 1 or 3-year term. Available as Compute Savings Plans or EC2 Instance Savings Plans.
    • Reserved Instances – provides significant discount (up to 72%) compared to On-Demand pricing for a 1 or 3-year commitment to a specific instance type.
    • Spot Instances – allows use of spare EC2 computing capacity at up to 90% discount compared to On-Demand pricing. Instances can be interrupted by AWS with a 2-minute warning.
    • Dedicated Instances – run on hardware dedicated to a single customer for additional isolation.
    • Dedicated Hosts – physical servers with EC2 instance capacity fully dedicated to your use, allowing use of existing server-bound software licenses.

Amazon Elastic Container Service (ECS)

  • is a fully managed container orchestration service that supports Docker containers.
  • allows running applications on a managed cluster of EC2 instances or serverlessly with AWS Fargate.
  • eliminates the need to install, operate, and scale cluster management infrastructure.
  • can schedule the placement of containers across the cluster based on resource needs and availability requirements.
  • integrates with Elastic Load Balancing, VPC, IAM, CloudWatch, and other AWS services.

Amazon Elastic Kubernetes Service (EKS)

  • is a managed Kubernetes service that makes it easy to run Kubernetes on AWS without needing to install and operate your own Kubernetes control plane.
  • runs upstream Kubernetes, ensuring compatibility with existing Kubernetes applications and tools.
  • automatically manages the availability and scalability of the Kubernetes control plane nodes.
  • supports running pods on EC2 instances, AWS Fargate (serverless), or on-premises with EKS Anywhere.
  • EKS Auto Mode automatically provisions and manages compute, networking, and storage for Kubernetes clusters.

Amazon Elastic Container Registry (ECR)

  • is a fully managed Docker container registry that makes it easy to store, manage, and deploy Docker container images.
  • is integrated with Amazon ECS and EKS, simplifying development to production workflow.
  • eliminates the need to operate container repositories or worry about scaling the underlying infrastructure.
  • supports OCI images and artifacts, private and public repositories.

AWS Fargate

  • is a serverless compute engine for containers that works with both Amazon ECS and Amazon EKS.
  • removes the need to provision, configure, or scale clusters of virtual machines to run containers.
  • allocates the right amount of compute resources, eliminating the need to choose instance types or manage scaling.
  • each task or pod runs in its own isolated environment for workload isolation by design.

Amazon Lightsail

  • is designed to be the easiest way to launch and manage a virtual private server with AWS.
  • plans include everything needed to jumpstart a project – a virtual machine, SSD-based storage, data transfer, DNS management, and a static IP address – for a low, predictable price.

AWS Batch

  • enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS.
  • dynamically provisions the optimal quantity and type of compute resources based on the volume and specific resource requirements of the batch jobs submitted.
  • plans, schedules, and executes the batch computing workloads across the full range of AWS compute services and features.

AWS Elastic Beanstalk

  • is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.
  • automatically handles the deployment, from capacity provisioning, load balancing, and auto scaling to application health monitoring.
  • provides full control over the AWS resources with access to the underlying resources at any time.

AWS Lambda

  • enables running code without provisioning or managing servers, with automatic scaling for high availability.
  • pay only for the compute time consumed – there is no charge when the code is not running.
  • can be triggered from other AWS services or called directly from any web or mobile app.
  • supports container images up to 10 GB, up to 10 GB of memory, and execution durations up to 15 minutes.
  • supports multiple runtimes including Node.js, Python, Java, .NET, Go, Ruby, and custom runtimes.

AWS App Runner

  • is a fully managed service for building, deploying, and running containerized web applications and APIs at scale.
  • automatically builds and deploys from source code or container images with no infrastructure management required.
  • handles load balancing, scaling, and TLS certificate management automatically.

Auto Scaling

  • helps maintain application availability
  • allows scaling EC2 capacity up or down automatically according to defined conditions or demand spikes to reduce cost
  • helps ensure desired number of EC2 instances are running always
  • AWS Auto Scaling provides unified scaling for multiple resources (EC2, ECS, DynamoDB, Aurora) through scaling plans.
  • supports target tracking, step scaling, and predictive scaling policies.

Storage

Amazon Simple Storage Service (S3)

  • is object storage with a simple web service interface to store and retrieve any amount of data from anywhere on the web.
  • S3 Features
    • Durable – designed for durability of 99.999999999% (11 nines) of objects. Data is redundantly stored across multiple facilities and multiple devices in each facility.
    • Available – designed for up to 99.99% availability (Standard) of objects over a given year.
    • Scalable – can store virtually unlimited data
    • Secure – supports data in transit over SSL and data at rest encryption. Bucket policies, ACLs, and IAM can manage object permissions. S3 Block Public Access provides account-level settings to prevent unintended public access.
    • Storage Classes – multiple classes for different use cases:
      • S3 Standard – frequently accessed data
      • S3 Intelligent-Tiering – automatically moves data between access tiers based on usage patterns
      • S3 Standard-IA – infrequently accessed data
      • S3 One Zone-IA – infrequently accessed, single-AZ
      • S3 Glacier Instant Retrieval – archive with millisecond retrieval
      • S3 Glacier Flexible Retrieval (formerly Glacier) – archive with minutes to hours retrieval
      • S3 Glacier Deep Archive – lowest-cost archive with 12-48 hour retrieval
    • Lifecycle Policies – automatically transition data between storage classes

Amazon Elastic Block Store (EBS)

  • provides persistent block storage volumes for use with EC2 instances
  • offers the consistent and low-latency performance needed to run workloads.
  • allows scaling up or down within minutes
  • EBS Features
    • High Performance Volumes – Choose between SSD-backed (gp3, io2 Block Express) or HDD-backed (st1, sc1) volumes for performance needs.
    • Availability – designed for 99.999% availability, automatically replicates within its Availability Zone.
    • Encryption – provides seamless support for data-at-rest and data-in-transit between EC2 instances and EBS volumes.
    • Snapshots – create point-in-time snapshots backed up to S3 for long-term durability. Supports EBS Snapshots Archive for low-cost long-term retention.

Amazon Elastic File System (EFS)

  • provides simple, scalable, elastic file storage for use with AWS compute services and on-premises resources.
  • storage capacity is elastic, growing and shrinking automatically as files are added and removed.
  • works in shared mode, where multiple compute instances can access an EFS file system at the same time (NFS protocol).
  • can be mounted on on-premises servers via AWS Direct Connect or VPN.
  • is designed for high availability and durability across multiple AZs.
  • offers Standard and One Zone storage classes, each with Infrequent Access tiers.

Amazon FSx

  • provides fully managed third-party file systems with native compatibility for various workloads.
  • FSx for Windows File Server – fully managed Windows native file system with SMB protocol support, Active Directory integration.
  • FSx for Lustre – high-performance file system for compute-intensive workloads (ML, HPC, media processing).
  • FSx for NetApp ONTAP – fully managed NetApp ONTAP file system with multi-protocol access.
  • FSx for OpenZFS – fully managed OpenZFS file system for Linux workloads.

AWS Storage Gateway

  • seamlessly enables hybrid storage between on-premises storage environments and the AWS Cloud
  • combines a multi-protocol storage appliance with highly efficient network connectivity to AWS cloud storage services.
  • provides three gateway types: S3 File Gateway, FSx File Gateway, Volume Gateway, and Tape Gateway.

AWS Backup

  • is a fully managed backup service that centralizes and automates the backup of data across AWS services.
  • supports EC2, EBS, RDS, DynamoDB, EFS, FSx, Storage Gateway, and more.
  • provides a central backup console, backup policies, and cross-Region/cross-account backup capabilities.

Databases

Amazon Aurora

  • is a MySQL and PostgreSQL compatible relational database engine
  • provides the speed and availability of high-end commercial databases with the simplicity and cost-effectiveness of open source databases.
  • Benefits
    • Highly Secure – provides network isolation using VPC, encryption at rest using KMS, and encryption of data in transit using SSL.
    • Highly Scalable – automatically grows storage as needed, up to 128 TB.
    • High Availability and Durability – designed for greater than 99.99% availability. Six copies of data replicated across three AZs. Instance failover typically requires less than 30 seconds.
    • Fully Managed – database management tasks like provisioning, patching, backup, recovery, and failover are automated.
    • Aurora Serverless v2 – automatically scales capacity up and down based on application demand, ideal for variable or unpredictable workloads.

Amazon Relational Database Service (RDS)

  • makes it easy to set up, operate, and scale a relational database
  • provides cost-efficient and resizable capacity while managing time-consuming database administration tasks
  • supports Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle, and Microsoft SQL Server
  • Benefits
    • Fast and Easy to Administer – no need for infrastructure provisioning or database software installation and maintenance.
    • Highly Scalable – allows quick scaling of compute and storage resources. Read Replicas available to offload read traffic.
    • Available and Durable – Multi-AZ deployments synchronously replicate data to a standby instance in a different AZ. Automated backups, snapshots, and automatic host replacement.
    • Secure – network isolation using VPC, encryption at rest with KMS, encryption in transit with SSL.
    • Inexpensive – pay low rates with On-Demand or Reserved Instance pricing.
    • RDS Proxy – a fully managed database proxy that makes applications more scalable and resilient to database failures.

Amazon DynamoDB

  • is a fully managed, serverless, key-value and document NoSQL database designed for single-digit millisecond performance at any scale.
  • supports both document and key-value data models.
  • Benefits
    • Fast, Consistent Performance – designed to deliver consistent, fast performance at any scale using SSD storage and automatic partitioning.
    • Highly Scalable – manages all scaling to achieve specified throughput capacity. Supports on-demand and provisioned capacity modes.
    • Event-Driven Programming – DynamoDB Streams and integration with Lambda enable applications that automatically react to data changes.
    • Global Tables – provides fully managed multi-Region, multi-active replication for globally distributed applications.
    • DAX (DynamoDB Accelerator) – in-memory caching for DynamoDB delivering microsecond read latency.

Amazon ElastiCache

  • is a web service that makes it easy to deploy, operate, and scale an in-memory cache in the cloud.
  • helps improve the performance of web applications by allowing retrieval from fast, managed, in-memory caches instead of slower disk-based databases.
  • supports two open-source in-memory caching engines: Redis (now Valkey-compatible) and Memcached.

Amazon MemoryDB

  • is a durable, Redis/Valkey-compatible, in-memory database service for ultra-fast performance.
  • delivers microsecond reads and single-digit millisecond writes with Multi-AZ durability.
  • can be used as a primary database for applications requiring both high performance and data durability.

Amazon DocumentDB

  • is a fully managed document database service that supports MongoDB workloads.
  • designed for JSON data management at scale with automatic scaling storage.

Amazon Neptune

  • is a fully managed graph database service for building applications that work with highly connected datasets.
  • supports Property Graph and RDF models with Apache TinkerPop Gremlin and SPARQL query languages.

Amazon Keyspaces

  • is a scalable, highly available, and fully managed Apache Cassandra-compatible database service.
  • serverless – pay only for the resources you use and the table automatically scales up and down.

Migration

AWS Application Discovery Service

  • helps plan application migration projects by automatically identifying applications running in on-premises data centers, their associated dependencies, and performance profiles.
  • automatically collects configuration and usage data from servers, storage, and networking equipment.
  • information is retained in encrypted format and can be exported for use with visualization tools or cloud migration solutions.

AWS Database Migration Service (DMS)

  • helps migrate databases to AWS easily and securely
  • source database remains fully operational during the migration, minimizing downtime.
  • supports homogeneous migrations (e.g., Oracle to Oracle) and heterogeneous migrations (e.g., Oracle to Aurora, SQL Server to MySQL).
  • allows streaming data to Redshift, S3, and other targets from supported sources.
  • can also be used for continuous data replication with high availability.
  • AWS Schema Conversion Tool (SCT) helps convert database schemas between different database engines.

AWS Application Migration Service (AWS MGN / AWS Transform MGN)

  • is the recommended service for lift-and-shift (rehost) migrations to AWS, replacing the deprecated AWS Server Migration Service.
  • automates the conversion of source servers (physical, virtual, or cloud) into native Amazon EC2 instances.
  • provides continuous block-level replication, short cutover windows, and automated testing.
  • Note: Previously called AWS Application Migration Service (MGN), now rebranded as AWS Transform MGN (June 2026).

AWS Snow Family

⚠️ Note: The AWS Snow Family is being wound down. As of November 2025, Snowball Edge devices are only available to existing customers. New customers should use AWS DataSync, AWS Data Transfer Terminal, or AWS Partner solutions.

  • AWS Snowball Edge (existing customers only) – a data transfer and edge computing device with on-board storage and compute capabilities. Can move large amounts of data and support local workloads.
  • AWS SnowmobileRetired (March 2024). No longer available.
  • Migration Alternatives:
    • AWS DataSync – online data transfer service for automated transfer between on-premises and AWS storage.
    • AWS Data Transfer Terminal – secure physical location for transferring data to AWS.
    • AWS Transfer Family – fully managed SFTP, FTPS, FTP, and AS2 service for file transfers to S3 or EFS.

Networking and Content Delivery

Amazon Virtual Private Cloud (VPC)

  • helps provision a logically isolated section of the AWS Cloud where AWS resources can be launched in a virtual network that you define.
  • provides complete control over the virtual networking environment, including selection of IP address range, creation of subnets (public and private), and configuration of route tables and network gateways.
  • allows use of both IPv4 and IPv6 for secure and easy access to resources.
  • allows multiple layers of security, including security groups and network access control lists (NACLs).
  • allows creation of VPN connections between corporate data center and VPC.
  • VPC Peering enables private connectivity between VPCs. Transit Gateway provides a hub for connecting multiple VPCs and on-premises networks.

Amazon CloudFront

  • is a global content delivery network (CDN) service that accelerates delivery of websites, APIs, video content, or other web assets.
  • can deliver entire website, including dynamic, static, streaming, and interactive content using a global network of edge locations.
  • requests for content are automatically routed to the nearest edge location for best possible performance.
  • is optimized to work with S3, EC2, ELB, Route 53, and API Gateway as well as non-AWS origin servers.
  • supports edge functions via CloudFront Functions and Lambda@Edge for customizing content at the edge.

Amazon Route 53

  • is a highly available and scalable Domain Name System (DNS) web service.
  • connects user requests to infrastructure running in AWS or outside of AWS.
  • helps configure DNS health checks to route traffic to healthy endpoints.
  • allows traffic management globally through latency-based routing, Geo DNS, geoproximity, weighted round robin, multivalue answer, and IP-based routing – all combinable with DNS Failover.
  • is fully compliant with IPv6 and offers Domain Name Registration service.

AWS Direct Connect

  • makes it easy to establish a dedicated network connection from on-premises to AWS.
  • helps establish private connectivity between AWS and data center, office, or co-location environment.
  • helps increase bandwidth throughput, reduce network costs, and provide a more consistent network experience than Internet-based connections.

Elastic Load Balancing (ELB)

  • automatically distributes incoming application traffic across multiple targets (EC2 instances, containers, IP addresses, Lambda functions).
  • enables greater levels of fault tolerance by seamlessly providing the required amount of load balancing capacity.
  • offers four types of load balancers:
    • Application Load Balancer (ALB) – operates at Layer 7 (HTTP/HTTPS). Routes traffic based on content of the request. Ideal for microservices, container-based architectures, and advanced routing needs.
    • Network Load Balancer (NLB) – operates at Layer 4 (TCP/UDP/TLS). Handles millions of requests per second with ultra-low latency. Ideal for TCP/UDP traffic and extreme performance requirements.
    • Gateway Load Balancer (GWLB) – operates at Layer 3 (IP). Makes it easy to deploy, scale, and manage third-party virtual appliances (firewalls, IDS/IPS). Combines transparent network gateway with load balancing.
    • Classic Load Balancer (CLB) – previous generation, operates at both Layer 4 and Layer 7. Recommended to migrate to ALB or NLB.

AWS Global Accelerator

  • is a networking service that improves the availability and performance of applications by using the AWS global network.
  • provides two static anycast IP addresses that serve as a fixed entry point to applications hosted in one or more AWS Regions.
  • continuously monitors endpoints and instantly routes traffic to the closest healthy endpoint.

AWS PrivateLink

  • provides private connectivity between VPCs, AWS services, and on-premises applications without exposing traffic to the public internet.
  • simplifies security of data shared between cloud-based applications and on-premises services.

Management and Governance

Amazon CloudWatch

  • is a monitoring and observability service for AWS Cloud resources and the applications running on AWS.
  • can collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in AWS resources.
  • provides CloudWatch Logs, Metrics, Alarms, Dashboards, and Events (now EventBridge) for comprehensive monitoring.
  • supports custom metrics, anomaly detection, and cross-account observability.

AWS CloudFormation

  • allows developers and systems administrators to implement “Infrastructure as Code”
  • provides an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.
  • handles the order for provisioning AWS services and the subtleties of making those dependencies work.
  • allows applying version control to AWS infrastructure the same way it’s done with software.
  • AWS CDK (Cloud Development Kit) allows defining infrastructure using familiar programming languages (TypeScript, Python, Java, etc.) that synthesize to CloudFormation templates.

AWS CloudTrail

  • records AWS API calls for the account and delivers log files.
  • includes API calls made via the Console, CLI, SDKs, and higher-level AWS services.
  • recorded information includes the identity of the API caller, time, source IP address, request parameters, and response elements.
  • enables security analysis, resource change tracking, compliance auditing, and operational troubleshooting.
  • supports CloudTrail Lake for SQL-based querying and long-term retention of events.

AWS Config

  • provides an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.
  • provides Config Rules feature that enables creation of rules to automatically check the configuration of AWS resources.
  • helps discover existing and deleted AWS resources, determine overall compliance against rules, and dive into configuration details at any point in time.
  • supports Conformance Packs for packaging multiple Config Rules and remediation actions together.

AWS Systems Manager

  • provides a unified user interface to view operational data from multiple AWS services and automate operational tasks across AWS resources.
  • includes capabilities for patch management, configuration management, session management, parameter store, and run command.
  • helps maintain security and compliance by scanning managed instances for patch compliance and configuration inconsistencies.

AWS Service Catalog

  • allows organizations to create and manage catalogs of IT services approved for use on AWS.
  • helps centrally manage commonly deployed IT services and helps achieve consistent governance and compliance requirements.

AWS Trusted Advisor

  • is an online resource that inspects your AWS environment and provides recommendations across five categories: cost optimization, performance, security, fault tolerance, and service limits.
  • provides real-time guidance to help provision resources following AWS best practices.

AWS Health Dashboard

  • provides alerts and remediation guidance when AWS is experiencing events that might affect you (formerly Personal Health Dashboard).
  • displays relevant information to help manage events in progress and provides proactive notification for scheduled activities.
  • provides a personalized view into the performance and availability of AWS services underlying your resources.

AWS Control Tower

  • provides the easiest way to set up and govern a secure, multi-account AWS environment (landing zone).
  • establishes a well-architected multi-account baseline with guardrails (preventive and detective) for governance.
  • automates account provisioning and applies best practices for identity management, federated access, and logging.

Developer Tools

AWS CodeCommit

  • is a fully managed source control service that hosts secure and highly scalable private Git repositories.
  • ⚠️ Note: CodeCommit is no longer available to new customers (July 2024). Existing customers can continue using it. Consider GitHub, GitLab, or Bitbucket as alternatives.

AWS CodeBuild

  • is a fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy.
  • scales continuously and processes multiple builds concurrently.

AWS CodeDeploy

  • is a service that automates code deployments to any instance, including EC2 instances, Lambda functions, ECS services, and on-premises servers.
  • helps rapidly release new features, avoid downtime during deployment, and handles the complexity of updating applications.

AWS CodePipeline

  • is a continuous integration and continuous delivery (CI/CD) service for fast and reliable application and infrastructure updates.
  • builds, tests, and deploys code every time there is a code change, based on defined release process models.

AWS X-Ray

  • helps developers analyze and debug distributed applications in production, such as those built using microservices architectures.
  • provides an end-to-end view of requests as they travel through the application, and shows a map of its underlying components.
  • helps identify and troubleshoot the root cause of performance issues and errors.

Amazon Q Developer

  • is a generative AI-powered assistant for software development (formerly Amazon CodeWhisperer).
  • provides AI-powered code suggestions, security scanning, code transformation, and natural language chat for development tasks.
  • supports multiple IDEs and programming languages.

Messaging and Application Integration

Amazon SQS

  • is a fast, reliable, scalable, fully managed message queuing service.
  • makes it simple and cost-effective to decouple the components of a cloud application.
  • includes Standard queues with high throughput and at-least-once processing, and FIFO queues with exactly-once processing and ordered delivery.

Amazon SNS

  • is a fast, flexible, fully managed pub/sub messaging and mobile notification service.
  • can send notifications to Apple, Google, Windows, and other mobile platforms, email, SMS, HTTP endpoints, SQS queues, and Lambda functions.
  • supports message filtering, FIFO topics, and message archiving.

Amazon SES

  • is a cost-effective, scalable email service for sending transactional email, marketing messages, or any other type of high-quality content.
  • can also receive messages and deliver them to S3, trigger Lambda functions, or publish to SNS.

Amazon EventBridge

  • is a serverless event bus that makes it easy to connect applications using data from your own apps, SaaS apps, and AWS services.
  • delivers a stream of real-time data from event sources and routes that data to targets like Lambda, Step Functions, SQS, and more.
  • replaces CloudWatch Events with additional capabilities including schema registry and third-party integrations.

AWS Step Functions

  • makes it easy to coordinate the components of distributed applications and microservices using visual workflows.
  • automatically triggers and tracks each step, and retries when there are errors.
  • supports Standard Workflows (long-running) and Express Workflows (high-volume, short-duration).

Amazon API Gateway

  • is a fully managed service for creating, publishing, maintaining, monitoring, and securing APIs at any scale.
  • handles traffic management, authorization, access control, monitoring, and API version management.
  • supports REST APIs, HTTP APIs, and WebSocket APIs.

Analytics

Amazon Athena

  • is an interactive query service that helps analyze data in S3 using standard SQL.
  • is serverless – no infrastructure to manage, pay only for queries run.
  • supports querying data in multiple formats including CSV, JSON, ORC, Avro, and Parquet.
  • integrates with AWS Glue Data Catalog for schema management.

Amazon EMR

  • provides a managed big data platform that makes it easy, fast, and cost-effective to process vast amounts of data.
  • supports Apache Spark, Hive, HBase, Presto, Flink, and other popular frameworks.
  • can run on EC2, EKS, or serverlessly with EMR Serverless.
  • handles big data use cases including log analysis, ETL, machine learning, and scientific simulation.

Amazon OpenSearch Service

  • makes it easy to deploy, operate, and scale OpenSearch (and legacy Elasticsearch) for log analytics, full-text search, application monitoring, and more.
  • Note: Renamed from Amazon Elasticsearch Service in September 2021.
  • is a fully managed service delivering real-time search and analytics capabilities along with availability, scalability, and security for production workloads.
  • supports OpenSearch Dashboards (successor to Kibana) for data visualization.

Amazon Kinesis

  • is a platform for streaming data on AWS, offering services to collect, process, and analyze real-time streaming data.
  • offers:
    • Amazon Kinesis Data Streams – enables building custom applications that process or analyze streaming data for specialized needs.
    • Amazon Data Firehose (formerly Kinesis Data Firehose) – easiest way to capture, transform, and load streaming data into S3, Redshift, OpenSearch, and third-party services like Splunk and Snowflake.
    • Amazon Managed Service for Apache Flink (formerly Kinesis Data Analytics) – process and analyze streaming data in real time using Apache Flink.
    • Amazon Kinesis Video Streams – capture, process, and store video streams for analytics and machine learning.

Amazon Redshift

  • provides a fast, fully managed, petabyte-scale cloud data warehouse.
  • uses massively parallel processing (MPP) architecture, parallelizing and distributing SQL operations across nodes.
  • supports Redshift Serverless for running analytics without managing infrastructure.
  • provides Redshift Spectrum to query data directly in S3 without loading it.

Amazon QuickSight

  • is a fast, cloud-powered business intelligence (BI) service for building visualizations, performing ad-hoc analysis, and getting business insights from data.
  • supports ML-powered insights with Amazon Q in QuickSight for natural language querying.

AWS Glue

  • is a serverless data integration service that makes it easy to discover, prepare, move, and integrate data from multiple sources.
  • provides the Glue Data Catalog as a central metadata repository.
  • simplifies and automates data discovery, ETL job authoring, and job scheduling.
  • scales automatically and provisions resources as needed.

AWS Lake Formation

  • makes it easy to set up a secure data lake in days instead of months.
  • provides centralized governance and security for data lake access using fine-grained permissions.

Machine Learning and Artificial Intelligence

Amazon Bedrock

  • is a fully managed service offering access to leading foundation models (FMs) from AI companies (Anthropic, Meta, Mistral, Amazon, and others) through a single API.
  • provides capabilities to build generative AI applications with security, privacy, and responsible AI features.
  • supports use cases like text generation, summarization, image generation, chatbots, and AI agents.
  • offers Bedrock Agents for building autonomous AI agents and Bedrock Knowledge Bases for RAG (Retrieval Augmented Generation).

Amazon SageMaker

  • is a fully managed machine learning service to build, train, and deploy ML models at scale.
  • provides SageMaker Studio as a unified IDE for ML development.
  • supports the entire ML workflow: data preparation, model building, training, tuning, and deployment.
  • includes built-in algorithms, pre-built ML frameworks, and AutoML capabilities.

Amazon Rekognition

  • makes it easy to add image and video analysis to applications using deep learning technology.
  • can identify objects, people, text, scenes, and activities, and detect inappropriate content.

Amazon Comprehend

  • is a natural language processing (NLP) service that uses machine learning to find insights and relationships in text.
  • can identify the language, extract key phrases, sentiment, entities, and topics.

Amazon Lex

  • is a service for building conversational interfaces using voice and text (same technology that powers Alexa).
  • provides automatic speech recognition (ASR) and natural language understanding (NLU).

Amazon Polly

  • is a text-to-speech service that turns text into lifelike speech using deep learning.
  • supports multiple languages and provides a variety of natural-sounding voices.

Amazon Transcribe

  • is an automatic speech recognition (ASR) service that converts speech to text.
  • supports real-time transcription and batch transcription of audio files.

Amazon Translate

  • is a neural machine translation service for fast, high-quality language translation.
  • supports translation between supported languages for applications and content.

Cloud Financial Management

AWS Cost Explorer

  • provides an easy-to-use interface to visualize, understand, and manage AWS costs and usage over time.
  • offers forecasting, savings recommendations, and detailed filtering/grouping of cost data.

AWS Budgets

  • allows setting custom budgets that alert when costs or usage exceed (or are forecasted to exceed) the budgeted amount.
  • supports cost, usage, reservation, and savings plans budgets.

AWS Pricing Calculator

  • helps estimate the cost of using AWS services before deployment.
  • allows creating cost estimates for various architectures and configurations.

Deprecated Services (Historical Reference)

The following services mentioned in the original AWS Overview Whitepaper have been deprecated or discontinued. They are listed here for reference and certification context.

  • Amazon Cloud Directory – No longer open to new customers (November 2025). Alternatives: DynamoDB, Neptune.
  • AWS OpsWorks – Reached End of Life on May 26, 2024. Disabled for all customers. Alternatives: AWS Systems Manager, CloudFormation, CodeDeploy.
  • Amazon Elastic Transcoder – Discontinued November 13, 2025. Replaced by AWS Elemental MediaConvert.
  • AWS Server Migration Service (SMS) – Deprecated. Replaced by AWS Application Migration Service (MGN / Transform MGN).
  • AWS Data Pipeline – No longer available to new customers (July 2024). Alternatives: AWS Glue, Step Functions, Amazon MWAA (Managed Workflows for Apache Airflow).
  • Amazon SWF (Simple Workflow Service) – Still operational but superseded by AWS Step Functions for new workloads.
  • AWS Snowmobile – Retired March 2024. No longer available.
  • Amazon CodeCatalyst – No longer open to new customers (November 2025).

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Which AWS services belong to the Compute services? Choose 2 answers
    1. Lambda
    2. EC2
    3. S3
    4. EMR
    5. CloudFront
  2. Which AWS service provides low cost storage option for archival and long-term backup?
    1. S3 Glacier
    2. S3 Standard
    3. EBS
    4. CloudFront
  3. Which AWS services belong to the Storage services? Choose 2 answers
    1. EFS
    2. IAM
    3. EMR
    4. S3
    5. CloudFront
  4. A Company allows users to upload videos on its platform. They want to convert the videos to multiple formats supported on multiple devices and platforms. Which AWS service can they leverage for the requirement?
    1. AWS SWF
    2. AWS Video Converter
    3. AWS Elemental MediaConvert
    4. AWS Data Pipeline
  5. Which analytic service helps analyze data in S3 using standard SQL?
    1. Athena
    2. EMR
    3. OpenSearch
    4. Kinesis
  6. What features does AWS’s Route 53 service provide? Choose the 2 correct answers:
    1. Content Caching
    2. Domain Name System (DNS) service
    3. Database Management
    4. Domain Registration
  7. You are trying to organize and import (to AWS) gigabytes of data that are currently structured in JSON-like, name-value documents. What AWS service would best fit your needs?
    1. Lambda
    2. DynamoDB
    3. RDS
    4. Aurora
  8. What AWS database is primarily used to analyze data using standard SQL formatting with compatibility for your existing business intelligence tools? Choose the correct answer:
    1. Redshift
    2. RDS
    3. DynamoDB
    4. ElastiCache
  9. A company wants their application to use pre-configured machine image with software installed and configured. Which AWS feature can help for the same?
    1. Amazon Machine Image (AMI)
    2. AWS CloudFormation
    3. AWS Lambda
    4. AWS Lightsail
  10. What AWS service can be used to track API event calls for security analysis and resource change tracking?
    1. AWS CloudWatch
    2. AWS CloudFormation
    3. AWS CloudTrail
    4. AWS Systems Manager
  11. Which AWS service can help offload the read traffic from your database in order to reduce latency caused by read-heavy workload?
    1. ElastiCache
    2. DynamoDB
    3. S3
    4. EFS
  12. What service allows system administrators to run “Infrastructure as Code”?
    1. CloudFormation
    2. CloudWatch
    3. CloudTrail
    4. CodeDeploy
  13. Which AWS service is a fully managed container orchestration service?
    1. EC2
    2. Amazon ECS
    3. AWS Lambda
    4. Amazon S3
  14. A company wants to run containers without managing servers or clusters. Which AWS service should they use?
    1. Amazon EC2
    2. Amazon EKS on EC2
    3. AWS Fargate
    4. AWS Batch
  15. Which AWS service provides a fully managed generative AI service with access to foundation models?
    1. Amazon SageMaker
    2. Amazon Bedrock
    3. Amazon Comprehend
    4. Amazon Rekognition
  16. Which Elastic Load Balancer type operates at Layer 4 and is best suited for ultra-low latency TCP/UDP traffic?
    1. Application Load Balancer
    2. Network Load Balancer
    3. Gateway Load Balancer
    4. Classic Load Balancer
  17. Which AWS service provides centralized threat detection by continuously monitoring AWS accounts and workloads for malicious activity?
    1. AWS WAF
    2. Amazon Inspector
    3. Amazon GuardDuty
    4. AWS Shield
  18. A company wants to save costs on EC2 by committing to a consistent usage amount ($/hour) for 1-3 years with flexibility across instance families, regions, and services. What should they use?
    1. Reserved Instances
    2. Spot Instances
    3. Compute Savings Plans
    4. Dedicated Hosts

References

AWS Support Plans

AWS Support Plans

⚠️ Major Update: AWS Support Plans Transformation (Dec 2025)

At AWS re:Invent 2025, AWS announced a fundamental restructuring of Support Plans. The legacy Developer, Business, and Enterprise On-Ramp plans will be discontinued on January 1, 2027.

New plan structure (effective 2026):

  • Basic (Free) — included for all AWS customers
  • Business Support+ — replaces Developer and Business (starts at $29/month)
  • Enterprise Support — enhanced with AI capabilities (starts at $5,000/month)
  • Unified Operations — new highest tier (starts at $50,000/month)

Legacy plan customers can transition anytime before Jan 1, 2027. Enterprise On-Ramp customers are being automatically upgraded to Enterprise Support throughout 2026.

NOTE – This post is relevant for AWS Cloud Practitioner Certification and AWS Solutions Architect Associate Certification

Current AWS Support Plans (2026+)

AWS now offers three paid support plans plus the free Basic tier. Each plan combines AI-powered capabilities with AWS expert guidance, representing a shift from reactive problem-solving to proactive issue prevention.

Basic (Free)

  • Included for all AWS customers at no cost
  • 24×7 access to customer service, documentation, whitepapers, and re:Post community forums
  • Access to AWS Health Dashboard (formerly Personal Health Dashboard) for service health notifications
  • Access to limited AWS Trusted Advisor checks (core security checks)
  • Access to AWS Support Automation Workflows for self-service troubleshooting

Business Support+

Replaces the legacy Developer and Business Support plans. Starts at $29/month per account.

  • 24×7 access to AWS Cloud Support Engineers via email, chat & phone
  • AI-powered contextual troubleshooting that understands your specific AWS environment
  • Allows Unlimited contacts/Unlimited cases (IAM supported)
  • Access to full set of AWS Trusted Advisor checks
  • Access to AWS Health Dashboard & Health API
  • Access to AWS DevOps Agent for automated incident investigation and prevention
  • Access to AWS Support App in Slack
  • Proactive health checks with actionable recommendations across security, performance, cost, and reliability
  • Case Severity/Response times SLA:
    • General guidance < 24 hours
    • System impaired < 12 hours
    • Production system impaired < 4 hours
    • Business-critical system down < 30 minutes
  • Pricing: Greater of $29/month per account OR tiered % of monthly AWS charges (9% up to $10K, 7% $10K-$80K, 5% $80K-$250K, 3% over $250K)

Enterprise Support

Enhanced with AI capabilities. Starts at $5,000/month (reduced from previous $15,000 minimum).

  • 24×7 access to Sr. Cloud Support Engineers via email, chat & phone
  • Designated Technical Account Manager (TAM) for strategic guidance and proactive engagement
  • AI-powered intelligent troubleshooting with personalized context delivery to support engineers
  • AWS Security Incident Response — automated security monitoring, triage, and 24/7 access to security engineers (included at no additional cost)
  • Access to AWS DevOps Agent with 75% credits of monthly support charge
  • TAM-led Well-Architected Reviews and architectural assessments
  • Access to AWS Trusted Advisor Priority with 465+ best practice checks across 56+ services
  • Account assistance by Support Concierge
  • Access to online self-paced labs and TAM-led workshops
  • AWS Countdown Premium available as add-on ($10K/project/month) for critical launches, migrations, and peak events
  • Case Severity/Response times SLA:
    • General guidance < 24 hours
    • System impaired < 12 hours
    • Production system impaired < 4 hours
    • Production system down < 1 hour
    • Business-critical system down < 15 minutes
  • Pricing: Greater of $5,000/month OR tiered % of monthly AWS charges (10% up to $150K, 7% $150K-$500K, 5% $500K-$1M, 3% over $1M)

Unified Operations

New highest-tier plan for mission-critical enterprise operations. Starts at $50,000/month.

  • Designated core team: Technical Account Manager (TAM), Domain Specialist Engineers (DSE), and Senior Billing & Account Specialist
  • On-demand experts for migrations, incident management, and security
  • 24/7 proactive security and performance monitoring with early incident detection
  • AWS Security Incident Response with AI-powered investigation included
  • AWS DevOps Agent with 100% credits of monthly support charge
  • AWS Countdown Premium included at no additional cost
  • AWS Incident Detection and Response included at no additional cost
  • Expert-led resilience reviews, GameDay exercises, and chaos engineering
  • Critical Workload Reviews and comprehensive architecture assessments
  • Support via preferred collaboration channels (follow-the-sun model)
  • Case Severity/Response times SLA:
    • General guidance < 24 hours
    • System impaired < 12 hours
    • Production system impaired < 4 hours
    • Production system down < 1 hour
    • Business-critical system down < 5 minutes
  • Pricing: Greater of $50,000/month OR tiered % of monthly AWS charges (10% up to $1M, 6% $1M-$5M, 5% over $5M). Minimum 90-day commitment.

Legacy Plans (Discontinued January 1, 2027)

⚠️ The following plans are being discontinued on January 1, 2027. Existing customers can continue using them until that date or transition to new plans anytime.

Developer (Legacy)

Migrates to → Business Support+

  • Business hours access to Cloud Support Associates via email
  • One primary contact can open Unlimited cases
  • Case Severity/Response times SLA (in business hours):
    • General guidance < 24 business hours
    • System impaired < 12 business hours
  • General Guidance on Architecture support

Business (Legacy)

Migrates to → Business Support+

  • 24×7 access to Cloud Support Engineers via email, chat & phone
  • Unlimited contacts/Unlimited cases (IAM supported)
  • Full set of Trusted Advisor checks
  • Case Severity/Response times:
    • General guidance < 24 hours
    • System impaired < 12 hours
    • Production system impaired < 4 hours
    • Production system down < 1 hour

Enterprise On-Ramp (Legacy)

Automatically upgrading to → Enterprise Support throughout 2026

  • Access to a pool of Technical Account Managers (not designated)
  • Consultative architectural guidance
  • Case Severity/Response times:
    • Business-critical system down < 30 minutes

Key Features Comparison

Feature Basic Business Support+ Enterprise Unified Operations
Critical response time 30 min 15 min 5 min
24×7 expert access
Technical Account Manager Designated Designated + DSE team
AI-powered troubleshooting
AWS Security Incident Response Included Included
AWS DevOps Agent 30% credits 75% credits 100% credits
Trusted Advisor Core checks Full checks Priority (465+ checks) Priority (465+ checks)
Well-Architected Reviews TAM-led Expert-led (comprehensive)
Minimum monthly cost Free $29/account $5,000 $50,000

AWS Support Plan Key Services

AWS Health Dashboard

  • Previously known as Personal Health Dashboard (PHD) and Service Health Dashboard (SHD)
  • Unified dashboard combining service health and account-specific health events
  • Provides personalized notifications about AWS service events affecting your resources
  • Available to all AWS customers (Basic and above)
  • Programmatic access via AWS Health API available with Business Support+ and above

AWS Trusted Advisor

  • Provides real-time recommendations across cost optimization, performance, security, fault tolerance, service limits, and operational excellence
  • Basic/Free: Core security checks only
  • Business Support+: Full set of Trusted Advisor checks
  • Enterprise/Unified Operations: Trusted Advisor Priority with 465+ checks across 56+ services, curated by TAM

AWS DevOps Agent

  • AI-powered operations teammate that autonomously investigates incidents 24/7
  • Provides proactive recommendations to prevent future outages
  • One-click case creation with full investigation context for AWS Support Engineers
  • Available to Business Support+ (30% credits), Enterprise (75% credits), Unified Operations (100% credits)

AWS Security Incident Response

  • Automated security finding monitoring and triage across GuardDuty and Security Hub
  • AI-powered investigation and containment capabilities
  • 24/7 access to AWS Security Incident Response engineers
  • Included with Enterprise and Unified Operations at no additional cost

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Which AWS support plan has a designated technical account manager assigned for proactive guidance?
    1. AWS Basic support plan
    2. AWS Business Support+ plan
    3. AWS Enterprise Support plan
    4. AWS Unified Operations plan

    Note: Both Enterprise and Unified Operations have a designated TAM, but Enterprise is the first tier to include one.

  2. Which feature is available for all the AWS support plans?
    1. Technical Account Manager
    2. AWS DevOps Agent
    3. 24×7 access to customer service and AWS Health Dashboard
    4. AI-powered troubleshooting
  3. A company needs 24/7 access to AWS Support Engineers and AI-powered contextual troubleshooting at the lowest cost. Which AWS Support plan should they choose?
    1. Basic
    2. Business Support+
    3. Enterprise Support
    4. Unified Operations
  4. Which AWS Support plan provides a 5-minute response time for business-critical system failures?
    1. Business Support+
    2. Enterprise Support
    3. Unified Operations
    4. Basic
  5. What happens to customers on the legacy AWS Developer Support plan after January 1, 2027?
    1. They are automatically upgraded to Enterprise Support
    2. They lose all support access
    3. The plan is discontinued; they should upgrade to Business Support+ before that date
    4. They are moved to Basic support
  6. Which AWS Support plan includes AWS Security Incident Response at no additional cost?
    1. Basic
    2. Business Support+
    3. Enterprise Support
    4. Developer (Legacy)
  7. A startup needs AWS Support with expert access and the lowest minimum monthly cost. Which plan should they choose?
    1. Enterprise Support ($5,000/month minimum)
    2. Business Support+ ($29/month per account minimum)
    3. Unified Operations ($50,000/month minimum)
    4. Basic (free, no expert access)
  8. Which team members are included as part of the designated core team in the AWS Unified Operations plan? (Select TWO)
    1. Technical Account Manager (TAM)
    2. Solutions Architect
    3. Domain Specialist Engineers (DSE)
    4. AWS Account Executive

References

Architecting for the Cloud – AWS Best Practices – Whitepaper – Certification

Architecting for the Cloud – AWS Best Practices

📋 Important Note: Whitepaper Superseded

The original “Architecting for the Cloud: AWS Best Practices” whitepaper (last updated October 2018) has been superseded by the AWS Well-Architected Framework.

The Well-Architected Framework is now organized into six pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability (added in 2021). It receives continuous updates — most recently in November 2024 and April 2025.

This post is maintained for certification study purposes as the core architectural principles remain relevant.

Architecting for the Cloud – AWS Best Practices whitepaper provides architectural patterns and advice on how to design systems that are secure, reliable, high performing, and cost efficient

AWS Design Principles

Scalability

  • While AWS provides virtually unlimited on-demand capacity, the architecture should be designed to take advantage of those resources
  • There are two ways to scale an IT architecture
    • Vertical Scaling
      • takes place through increasing specifications of an individual resource for e.g. updating EC2 instance type with increasing RAM, CPU, IOPS, or networking capabilities
      • will eventually hit a limit, and is not always a cost effective or highly available approach
      • AWS Graviton-based instances (Graviton4 as of 2024) offer up to 40% better price-performance, making vertical scaling more cost-effective
    • Horizontal Scaling
      • takes place through increasing number of resources for e.g. adding more EC2 instances or EBS volumes
      • can help leverage the elasticity of cloud computing
      • not all the architectures can be designed to distribute their workload to multiple resources
      • applications designed should be stateless,
        • that needs no knowledge of previous interactions and stores no session information
        • capacity can be increased and decreased, after running tasks have been drained
      • State, if needed, can be implemented using
        • Low latency external store, for e.g. DynamoDB, ElastiCache (Redis or Memcached), to maintain state information
        • Session affinity, for e.g. ELB sticky sessions, to bind all the transactions of a session to a specific compute resource. However, it cannot be guaranteed or take advantage of newly added resources for existing sessions
      • Load can be distributed across multiple resources using
        • Push model, for e.g. through ELB where it distributes the load across multiple EC2 instances
        • Pull model, for e.g. through SQS or Kinesis where multiple consumers subscribe and consume
      • Distributed processing, for e.g. using EMR or Kinesis, helps process large amounts of data by dividing task and its data into many small fragments of works

Disposable Resources Instead of Fixed Servers

  • Resources need to be treated as temporary disposable resources rather than fixed permanent on-premises resources before
  • AWS focuses on the concept of Immutable infrastructure
    • servers once launched, is never updated throughout its lifetime.
    • updates can be performed on a new server with latest configurations,
    • this ensures resources are always in a consistent (and tested) state and easier rollbacks
  • AWS provides multiple ways to instantiate compute resources in an automated and repeatable way
    • Bootstrapping
      • scripts to configure and setup for e.g. using EC2 user data scripts and cloud-init to install software or copy resources and code
    • Golden Images
      • a snapshot of a particular state of that resource,
      • faster start times and removes dependencies to configuration services or third-party repositories
      • EC2 Image Builder can automate creation, testing, and distribution of golden AMIs
    • Containers
      • AWS supports container workloads through Amazon ECS, Amazon EKS, and AWS Fargate (serverless containers)
      • Docker allows packaging a piece of software in a Docker Image, which is a standardized unit for software development, containing everything the software needs to run: code, runtime, system tools, system libraries, etc
      • AWS Fargate provides serverless compute for containers, eliminating the need to manage underlying EC2 instances
  • Infrastructure as Code
    • AWS assets are programmable, techniques, practices, and tools from software development can be applied to make the whole infrastructure reusable, maintainable, extensible, and testable.
    • AWS provides services for IaC deployment:
      • AWS CloudFormation – declarative JSON/YAML templates for provisioning AWS resources
      • AWS CDK (Cloud Development Kit) – define infrastructure using familiar programming languages (TypeScript, Python, Java, Go, C#) that synthesize to CloudFormation
      • AWS SAM (Serverless Application Model) – simplified CloudFormation for serverless applications
    • Note: AWS OpsWorks reached End of Life on May 26, 2024 and is no longer available. Use AWS Systems Manager, CloudFormation, or CDK as alternatives.

Automation

  • AWS provides various automation tools and services which help improve system’s stability, efficiency and time to market.
    • Elastic Beanstalk
      • a PaaS that allows quick application deployment while handling resource provisioning, load balancing, auto scaling, monitoring etc
    • EC2 Auto Recovery
      • creates CloudWatch alarm that monitors an EC2 instance and automatically recovers it if it becomes impaired.
      • A recovered instance is identical to the original instance, including the instance ID, private & Elastic IP addresses, and all instance metadata.
      • Instance is migrated through reboot, in memory contents are lost.
    • Auto Scaling
      • allows maintain application availability and scale the capacity up or down automatically as per defined conditions
      • supports predictive scaling that uses machine learning to forecast traffic and proactively scale capacity
    • CloudWatch Alarms
      • allows SNS triggers to be configured when a particular metric goes beyond a specified threshold for a specified number of periods
    • Amazon EventBridge (formerly CloudWatch Events)
      • allows real-time stream of system events that describe changes in AWS resources
      • extends capabilities with partner event sources, Schema Registry, and EventBridge Pipes for point-to-point integrations
      • EventBridge Scheduler supports one-time and recurring schedules with built-in retry policies
    • AWS Systems Manager
      • provides operational management for AWS resources including patch management, configuration compliance, and automated runbooks
      • replaces the need for OpsWorks with features like State Manager, Automation, and Run Command
    • Lambda Scheduled Events
      • allows Lambda function creation and direct AWS Lambda to execute it on a regular schedule via EventBridge Scheduler.

Loose Coupling

  • AWS helps loose coupled architecture that reduces interdependencies, a change or failure in a component does not cascade to other components
    • Asynchronous Integration
      • does not involve direct point-to-point interaction but usually through an intermediate durable storage layer for e.g. SQS, Kinesis, EventBridge
      • decouples the components and introduces additional resiliency
      • suitable for any interaction that doesn’t need an immediate response and an ack that a request has been registered will suffice
    • Service Discovery
      • allows new resources to be launched or terminated at any point in time and discovered as well for e.g. using ELB as a single point of contact with hiding the underlying instance details or Route 53 zones to abstract load balancer’s endpoint
      • AWS Cloud Map provides service discovery for cloud resources, allowing applications to discover services via API calls, DNS queries, or directly through the SDK
    • Well-Defined Interfaces
      • allows various components to interact with each other through specific, technology agnostic interfaces for e.g. RESTful APIs with API Gateway
      • Amazon API Gateway supports REST APIs, HTTP APIs, and WebSocket APIs for real-time communication

Services, Not Servers

  • AWS encourages leveraging managed services and serverless architectures to reduce operational overhead
    • Serverless compute – AWS Lambda for event-driven functions, AWS Fargate for serverless containers
    • Managed databases – Amazon RDS, DynamoDB, Aurora Serverless for auto-scaling relational databases
    • Application integration – SQS, SNS, EventBridge, Step Functions for workflow orchestration
    • API management – API Gateway for creating, publishing, and managing APIs at scale

Databases

  • AWS provides different categories of database technologies
    • Relational Databases (RDS)
      • normalizes data into well-defined tabular structures known as tables, which consist of rows and columns
      • provide a powerful query language, flexible indexing capabilities, strong integrity controls, and the ability to combine data from multiple tables in a fast and efficient manner
      • allows vertical scalability by increasing resources and horizontal scalability using Read Replicas for read capacity and sharding or data partitioning for write capacity
      • provides High Availability using Multi-AZ deployment, where data is synchronously replicated
      • Amazon Aurora provides MySQL and PostgreSQL-compatible databases with up to 5x and 3x better throughput respectively, with automatic storage scaling up to 128 TB
      • Aurora Serverless v2 scales capacity automatically based on application demand, ideal for variable workloads
    • NoSQL Databases (DynamoDB)
      • provides databases that trade some of the query and transaction capabilities of relational databases for a more flexible data model that seamlessly scales horizontally
      • perform data partitioning and replication to scale both the reads and writes in a horizontal fashion
      • DynamoDB service synchronously replicates data across three facilities in an AWS region to provide fault tolerance in the event of a server failure or Availability Zone disruption
      • DynamoDB Global Tables provide multi-region, active-active replication for globally distributed applications
      • DynamoDB On-Demand mode eliminates capacity planning by automatically scaling to accommodate workloads
    • Data Warehouse (Redshift)
      • Specialized type of relational database, optimized for analysis and reporting of large amounts of data
      • Redshift achieves efficient storage and optimum query performance through a combination of massively parallel processing (MPP), columnar data storage, and targeted data compression encoding schemes
      • Redshift MPP architecture enables increasing performance by increasing the number of nodes in the data warehouse cluster
      • Redshift Serverless automatically provisions and scales capacity, allowing analytics without cluster management
    • Purpose-Built Databases
      • Amazon ElastiCache – in-memory caching (Redis, Memcached) for sub-millisecond latency
      • Amazon Neptune – graph database for highly connected datasets
      • Amazon Timestream – time series database for IoT and operational applications
      • Amazon MemoryDB for Redis – Redis-compatible, durable, in-memory database
  • For more details refer to AWS Storage Options Whitepaper

Removing Single Points of Failure

  • AWS provides ways to implement redundancy, automate recovery and reduce disruption at every layer of the architecture
  • AWS supports redundancy in the following ways
    • Standby Redundancy
      • When a resource fails, functionality is recovered on a secondary resource using a process called failover.
      • Failover will typically require some time before it completes, and during that period the resource remains unavailable.
      • Secondary resource can either be launched automatically only when needed (to reduce cost), or it can be already running idle (to accelerate failover and minimize disruption).
      • Standby redundancy is often used for stateful components such as relational databases.
    • Active Redundancy
      • requests are distributed to multiple redundant compute resources, if one fails, the rest can simply absorb a larger share of the workload.
      • Compared to standby redundancy, it can achieve better utilization and affect a smaller population when there is a failure.
  • AWS supports replication
    • Synchronous replication
      • acknowledges a transaction after it has been durably stored in both the primary location and its replicas.
      • protects data integrity from the event of a primary node failure
      • used to scale read capacity for queries that require the most up-to-date data (strong consistency).
      • compromises performance and availability
    • Asynchronous replication
      • decouples the primary node from its replicas at the expense of introducing replication lag
      • used to horizontally scale the system’s read capacity for queries that can tolerate that replication lag.
    • Quorum-based replication
      • combines synchronous and asynchronous replication to overcome the challenges of large-scale distributed database systems
      • Replication to multiple nodes can be managed by defining a minimum number of nodes that must participate in a successful write operation
  • AWS provide services to reduce or remove single point of failure
    • Regions, Availability Zones with multiple data centers
    • ELB or Route 53 to configure health checks and mask failure by routing traffic to healthy endpoints
    • Auto Scaling to automatically replace unhealthy nodes
    • EC2 auto-recovery to recover unhealthy impaired nodes
    • S3, DynamoDB with data redundantly stored across multiple facilities
    • Multi-AZ RDS, Aurora (6 copies across 3 AZs), and Read Replicas
    • ElastiCache Redis engine supports replication with automatic failover
    • AWS Elastic Disaster Recovery (DRS) for continuous replication and automated recovery of on-premises and cloud-based applications
  • For more details refer to AWS Disaster Recovery Whitepaper

Optimize for Cost

  • AWS can help organizations reduce capital expenses and drive savings as a result of the AWS economies of scale
  • AWS provides different options which should be utilized as per use case –
    • EC2 pricing models:
      • On-Demand – pay per second/hour with no commitment
      • Savings Plans – commit to a consistent amount of usage (measured in $/hr) for 1 or 3 years; Compute Savings Plans (up to 66% savings) and EC2 Instance Savings Plans (up to 72% savings)
      • Reserved Instances – capacity reservation with up to 72% discount for 1 or 3 year terms
      • Spot Instances – up to 90% discount for fault-tolerant, flexible workloads using spare capacity
      • Dedicated Hosts – single-tenant hardware for compliance and BYOL licensing
    • AWS Graviton instances for up to 40% better price-performance over comparable x86 instances
    • AWS Cost Optimization Hub, Trusted Advisor, and AWS Compute Optimizer to identify cost savings opportunities
    • S3 storage classes:
      • S3 Standard – frequently accessed data
      • S3 Intelligent-Tiering – automatic cost optimization for data with unknown or changing access patterns
      • S3 Standard-Infrequent Access (S3 Standard-IA) – infrequently accessed data
      • S3 One Zone-IA – infrequently accessed data not requiring multi-AZ resilience
      • S3 Glacier Instant Retrieval, Flexible Retrieval, and Deep Archive – long-term archive storage
      • S3 Express One Zone – single-digit millisecond latency for most frequently accessed data (up to 10x faster than S3 Standard)
    • EBS volumes – General Purpose SSD (gp3), Provisioned IOPS SSD (io2 Block Express), Throughput Optimized HDD (st1), Cold HDD (sc1). Note: Magnetic (standard) is a previous-generation volume type; gp3 is recommended as default.
    • Cost Allocation tags to identify costs based on tags
    • Auto Scaling to horizontally scale the capacity up or down based on demand
    • Lambda and Fargate based serverless architectures to never pay for idle or redundant resources
    • Utilize managed services where scaling is handled by AWS for e.g. ELB, CloudFront, Kinesis, SQS, Amazon OpenSearch Service etc.

Caching

  • Caching improves application performance and increases the cost efficiency of an implementation
    • Application Data Caching
      • provides services that help store and retrieve information from fast, managed, in-memory caches
      • Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory cache in the cloud and supports two open-source in-memory caching engines: Memcached and Redis
      • Amazon DynamoDB Accelerator (DAX) provides a fully managed, in-memory cache for DynamoDB with microsecond response times
    • Edge Caching
      • allows content to be served by infrastructure that is closer to viewers, lowering latency and giving high, sustained data transfer rates needed to deliver large popular objects to end users at scale.
      • Amazon CloudFront is Content Delivery Network (CDN) consisting of 600+ Points of Presence (edge locations and regional caches), that allows copies of static and dynamic content to be cached
      • CloudFront Functions and Lambda@Edge enable running code at edge locations for request/response manipulation

Security

  • AWS works on shared security responsibility model
    • AWS is responsible for the security of the underlying cloud infrastructure
    • you are responsible for securing the workloads you deploy in AWS
  • AWS also provides ample security features
    • IAM to define a granular set of policies and assign them to users, groups, and AWS resources
    • IAM roles to assign short term credentials to resources, which are automatically distributed and rotated
    • AWS IAM Identity Center (formerly AWS SSO) for centralized workforce identity management and single sign-on across AWS accounts and applications
    • Amazon Cognito, for mobile and web applications, which allows client devices to get controlled access to AWS resources via temporary tokens
    • VPC to isolate parts of infrastructure through the use of subnets, security groups, and routing controls
    • AWS WAF to help protect web applications from SQL injection, cross-site scripting, and other common exploits with managed rule groups
    • CloudWatch logs to collect logs centrally as the servers are temporary
    • CloudTrail for auditing AWS API calls, which delivers a log file to S3 bucket. Logs can then be stored in an immutable manner and automatically processed to either notify or even take action on your behalf, protecting your organization from non-compliance
    • AWS Security Hub – unified security posture management that aggregates findings from GuardDuty, Inspector, Macie, and partner tools with automated compliance checks
    • Amazon GuardDuty – intelligent threat detection using machine learning, anomaly detection, and integrated threat intelligence to identify malicious activity
    • Amazon Inspector – automated vulnerability management that continuously scans EC2 instances, container images (ECR), Lambda functions, and code repositories for software vulnerabilities
    • AWS Config for continuous compliance monitoring, and AWS Trusted Advisor for best practice recommendations across cost, performance, security, fault tolerance, and service limits
  • For more details refer to AWS Security Whitepaper

AWS Well-Architected Framework

  • The AWS Well-Architected Framework is the successor to this whitepaper and provides comprehensive guidance for building secure, high-performing, resilient, and efficient infrastructure
  • The Framework is built on six pillars:
    • Operational Excellence – running and monitoring systems to deliver business value and continually improve processes and procedures
    • Security – protecting information and systems through risk assessments, mitigation strategies, and security best practices
    • Reliability – ensuring workloads perform correctly and consistently, with ability to recover from failures and meet demand
    • Performance Efficiency – using computing resources efficiently to meet requirements and maintain efficiency as demand changes
    • Cost Optimization – avoiding unnecessary costs through understanding spending, selecting the right resources, and scaling to meet needs without overspending
    • Sustainability (added 2021) – minimizing environmental impacts by reducing energy consumption and increasing efficiency of cloud workloads
  • The AWS Well-Architected Tool in the AWS Management Console allows workload reviews against framework best practices
  • AWS also provides Well-Architected Lenses for specific workload types (Serverless, SaaS, Machine Learning, Data Analytics, IoT, etc.)

References