AWS Storage Options – RDS, DynamoDB & Database on EC2

AWS Storage Options Whitepaper with RDS, DynamoDB & Database on EC2 Cont.

Provides a brief summary for the Ideal Use cases, Anti-Patterns and other factors for Amazon RDS, DynamoDB & Databases on EC2 storage options

📝 Note: The original AWS Storage Services Overview whitepaper has been archived by AWS. This content is maintained and updated with current service capabilities for certification study reference. See the AWS Overview – Storage Services for the latest official guidance.

Amazon RDS

  • RDS is a fully managed relational database service supporting Amazon Aurora, MySQL, PostgreSQL, MariaDB, Oracle, and Microsoft SQL Server database engines
  • RDS eliminates much of the administrative overhead associated with launching, managing, and scaling your own relational database on Amazon EC2 or in another computing environment.
  • RDS provides automated patching, backups, Multi-AZ high availability, read replicas, and monitoring out of the box.

Key Features (Updated 2024-2026)

  • Multi-AZ DB Cluster Deployments – deploys a primary and two readable standby instances across three AZs, providing faster failover (~35 seconds), improved commit latency via semisynchronous replication, and readable standbys (MySQL/PostgreSQL)
  • Blue/Green Deployments – creates a fully managed staging (green) environment that mirrors production (blue), allowing safe testing of major version upgrades and schema changes with minimal downtime switchover
  • RDS Proxy – a fully managed database proxy that pools and shares connections, improving application scalability, resilience to database failovers, and security via IAM/Secrets Manager authentication
  • RDS Data API – available for Aurora (Serverless v2 and provisioned), enables secure HTTP-based SQL execution without managing database drivers or connections
  • Aurora Serverless v2 – auto-scales database capacity in fine-grained increments based on application demand, scaling to hundreds of thousands of transactions per second
  • Aurora DSQL (launched Dec 2024) – a serverless, distributed SQL database with active-active multi-Region high availability, PostgreSQL-compatible, with strong consistency across all Regional endpoints
  • RDS Custom – provides OS and database access for Oracle and SQL Server when full administrative control is needed (Note: RDS Custom for Oracle reaches end of support March 31, 2027)
  • Graviton (ARM) Instances – M7g, R7g, M7i, R7i instance types offering better price-performance
  • gp3 Storage – baseline of 3,000 IOPS and 125 MiB/s, scalable up to 80,000 IOPS and 2,000 MiB/s per volume (up to 64 TiB per volume)
  • Extended Support – up to 3 additional years of critical security and bug fixes beyond community end-of-life for major engine versions

Ideal Usage Patterns

  • RDS is a great solution for cloud-based fully-managed relational database
  • RDS is also optimal for new applications with structured data that requires more sophisticated querying and joining capabilities than that provided by Amazon’s NoSQL database offering, DynamoDB.
  • RDS provides full compatibility with the databases supported and direct access to native database engines, code and libraries and is ideal for existing applications that rely on these databases
  • Applications requiring zero-downtime upgrades can leverage Blue/Green Deployments for safe major version changes
  • Serverless and event-driven applications benefit from RDS Proxy and Aurora Serverless v2 for connection management and auto-scaling

Anti-Patterns

  • Index and query-focused data
    • If the applications don’t require advanced features such as joins and complex transactions and is more oriented toward indexing and querying data, DynamoDB would be more appropriate for this needs
  • Numerous BLOBs
    • If the application makes heavy use of files (audio files, videos, images, etc), it is a better choice to use S3 to store the objects instead of database engines Blob feature and use RDS or DynamoDB only to save the metadata
  • Automated scalability
    • RDS provides vertical scaling (scale up) and limited horizontal scale-out via read replicas. For fully-automated serverless scaling, consider Aurora Serverless v2 or DynamoDB.
  • Complete control
    • RDS does not provide full OS-level admin access.
    • If the application requires complete OS-level control, consider RDS Custom (for Oracle/SQL Server) or a self-managed database on EC2.
  • Other database platforms
    • RDS supports Aurora, MySQL, PostgreSQL, MariaDB, Oracle, and SQL Server.
    • If any other database platform (such as IBM DB2, Informix, or Sybase) is needed, it should be deployed on a self-managed database on an EC2 instance.

Performance

  • RDS offers multiple storage types optimized for different workloads:
    • gp3 (General Purpose SSD) – baseline 3,000 IOPS, scalable up to 80,000 IOPS and 2,000 MiB/s throughput, up to 64 TiB per volume
    • io1/io2 (Provisioned IOPS SSD) – designed for I/O-intensive transactional workloads, up to 256,000 IOPS
  • Multi-AZ DB Cluster deployments provide improved write commit latency through optimized semisynchronous replication
  • Performance Insights provides a dashboard to monitor database load and identify bottlenecks
  • RDS Optimized Reads/Writes (Aurora) provide up to 2x faster query processing and 6x higher write throughput

Durability and Availability

  • RDS leverages Amazon EBS volumes as its data store
  • RDS provides database backups, for enhanced durability, which are replicated across multiple AZ’s
    • Automated backups
      • RDS automatically performs a full daily backup during the specified backup window, and captures DB transaction logs (up to 35-day retention)
    • User initiated backups (DB Snapshots)
      • User can initiate manual snapshots at any time; they are retained until explicitly deleted
  • Multi-AZ DB Instance – synchronously replicates data to a standby in another AZ with automatic failover (typically 60-120 seconds)
  • Multi-AZ DB Cluster – maintains a primary and two readable standbys across three AZs with faster failover (~35 seconds) and transaction log-based replication
  • RDS provides a DNS endpoint; in case of failure on the primary, it automatically fails over to the standby instance
  • RDS Read Replicas provide asynchronous replication for read scaling and can be promoted for disaster recovery (including cross-Region replicas)

Cost Model

  • RDS offers a tiered pricing structure based on instance size, deployment type (Single-AZ/Multi-AZ Instance/Multi-AZ Cluster), and AWS Region
  • Pricing components: DB instance hours, provisioned storage (per GB-month), I/O requests (for io1/io2), additional backup storage, and data transfer
  • Reserved Instances provide significant discounts (up to 69%) for 1-year or 3-year commitments
  • Aurora Serverless v2 charges per Aurora Capacity Unit (ACU) consumed per second

Scalability and Elasticity

  • RDS resources can be scaled in several dimensions: storage size, IOPS, instance compute capacity, and number of read replicas
  • Storage Auto Scaling automatically increases storage when approaching capacity limits
  • Aurora Auto Scaling automatically adjusts the number of Aurora Replicas based on demand
  • Aurora Serverless v2 scales compute capacity automatically in fine-grained increments (0.5 ACU) from minimum to maximum configured capacity
  • Read Replicas (up to 15 for Aurora, 5 for other engines) enable read scaling across AZs and Regions
  • Aurora Limitless Database provides horizontal write scaling by automatically sharding data across multiple writer instances

Interfaces

  • RDS APIs, AWS CLI, and the AWS Management Console provide management interfaces for creating, modifying, and managing DB instances
  • RDS Data API (Aurora) provides a secure HTTP endpoint for running SQL statements without managing database connections or drivers
  • Once a database is created, RDS provides a DNS endpoint for the database which can be used to connect using standard database drivers
  • Endpoint does not change over the lifetime of the instance, even during failover in Multi-AZ configurations
  • RDS Proxy endpoints provide connection pooling and improved failover handling for applications

Amazon DynamoDB

  • Amazon DynamoDB is a fully managed, serverless NoSQL database service that delivers single-digit millisecond performance at any scale.
  • DynamoDB offers zero infrastructure management, zero downtime maintenance, and automatic scaling to accommodate any workload demand.
  • DynamoDB provides both eventually-consistent reads (by default) and strongly-consistent reads (optional), as well as ACID transactions (TransactWriteItems, TransactGetItems) for coordinated operations across multiple items and tables.
  • Amazon DynamoDB handles data as follows:
    • DynamoDB stores structured data in tables, indexed by primary key, and allows low-latency read and write access to items.
    • DynamoDB supports rich data types: Scalar (String, Number, Binary, Boolean, Null), Document (List, Map), and Set (String Set, Number Set, Binary Set)
    • Tables do not have a fixed schema, so each data item can have a different number of attributes.
    • Primary key can either be a single-attribute partition key (hash key) or a composite partition key + sort key (hash-range key).
    • Local Secondary Indexes (LSI) – alternate sort key on the same partition key (defined at table creation)
    • Global Secondary Indexes (GSI) – alternate partition key and optional sort key, can be added/modified anytime

Key Features (Updated 2024-2026)

  • On-Demand Capacity Mode – pay-per-request pricing with no capacity planning; automatically scales to accommodate workload demand. 50% price reduction effective November 2024.
  • Global Tables – fully managed, multi-Region, multi-active replication with two consistency modes:
    • Multi-Region Eventual Consistency (MREC) – default mode, typically sub-second replication
    • Multi-Region Strong Consistency (MRSC) – GA 2025, provides zero RPO with strongly consistent reads/writes across all Regions
  • DynamoDB Accelerator (DAX) – fully managed, in-memory cache providing microsecond read latency for read-heavy workloads
  • Standard-IA Table Class – lower storage cost option (up to 60% cheaper storage) for infrequently accessed data
  • PartiQL – SQL-compatible query language for DynamoDB, enabling familiar SELECT, INSERT, UPDATE, DELETE syntax
  • Zero-ETL Integrations – seamless data replication to Amazon Redshift, OpenSearch Service, and SageMaker Lakehouse without building ETL pipelines
  • S3 Import/Export – bulk import data from S3 and export table data to S3 in DynamoDB JSON or Amazon Ion format
  • Point-in-Time Recovery (PITR) – continuous backups with per-second granularity, restorable to any point within a configurable 1-35 day window
  • Encryption at Rest – enabled by default using AWS owned keys, with options for AWS managed key or customer managed KMS key
  • DynamoDB Streams / Kinesis Data Streams – capture item-level changes for event-driven architectures, real-time analytics, and cross-Region replication

Ideal Usage Patterns

  • DynamoDB is ideal for applications that need a flexible NoSQL database with low read and write latencies, and the ability to scale storage and throughput up or down as needed without code changes or downtime.
  • Use cases requiring a highly available and scalable database e.g., mobile apps, gaming, digital ad serving, live voting, sensor networks, log ingestion, access control, metadata storage for S3 objects, e-commerce shopping carts, web session management, and serverless applications
  • Event-driven architectures leveraging DynamoDB Streams to trigger Lambda functions or downstream processing
  • Global applications requiring multi-Region active-active deployments with Global Tables

Anti-Patterns

  • Structured data with Join and/or Complex Transactions
    • If the application uses structured data and requires complex joins, multi-table transactions, or relationship infrastructure provided by traditional relational databases, RDS or Aurora would be a better choice. (Note: DynamoDB does support ACID transactions within and across tables, but not SQL-style joins.)
  • Large Blob data
    • DynamoDB has a maximum item size of 400 KB. For large media files, videos, etc., use S3 for storage and DynamoDB for metadata.
  • Large Objects with Low I/O rate
    • DynamoDB uses SSD drives and is optimized for high I/O workloads. If the application stores very large amounts of infrequently accessed data, S3 or the Standard-IA table class might be more cost-effective.
  • Complex ad-hoc analytics
    • For complex analytical queries across large datasets, use DynamoDB zero-ETL integration with Amazon Redshift or export to S3 for Athena queries.

Performance

  • SSDs and limited indexing on attributes provides single-digit millisecond latency at any scale.
  • Provisioned capacity mode – define exact read/write capacity units for predictable workloads with optional auto-scaling
  • On-demand capacity mode – automatically accommodates up to double previous peak traffic instantly, with further scaling within minutes
  • DAX (DynamoDB Accelerator) – in-memory cache providing microsecond response times for eventually consistent reads
  • DynamoDB automatically partitions data to maintain consistent performance as tables grow.

Durability and Availability

  • DynamoDB automatically and synchronously replicates data across three AZs in a Region for high availability and data protection against facility failures.
  • Global Tables provide multi-Region replication with 99.999% availability SLA (multi-Region)
  • PITR provides continuous backups for point-in-time restore capability
  • On-demand backups allow full table backups at any time without performance impact

Cost Model

  • DynamoDB offers two capacity modes:
    • On-Demand – pay per read/write request (no capacity planning). 50% price reduction since November 2024.
    • Provisioned – pay per hour for provisioned Read/Write Capacity Units (with optional auto-scaling and Reserved Capacity discounts)
  • Additional pricing components: data storage (per GB-month), Global Tables replication (per replicated write unit), backups, data export/import, DynamoDB Streams reads, and data transfer
  • Standard-IA table class reduces storage costs by up to 60% with higher per-request costs (ideal when storage dominates)
  • Global Tables pricing reduced by up to 67% (November 2024)

Scalability and Elasticity

  • DynamoDB is both highly-scalable and elastic with virtually unlimited storage and throughput capacity.
  • Data is automatically partitioned and re-partitioned as needed, while SSD storage provides predictable low-latency at any scale.
  • On-Demand mode provides truly serverless scaling with no capacity planning required
  • Provisioned mode with Auto Scaling automatically adjusts capacity based on utilization targets
  • DynamoDB can handle more than 10 trillion requests per day and support peaks of more than 100 million requests per second.

Interfaces

  • DynamoDB provides a low-level REST API, AWS SDKs in multiple languages, and the AWS CLI
  • PartiQL – SQL-compatible query language supported via Console, CLI, SDKs, and NoSQL Workbench
  • APIs provide both management and data interfaces: table management (create, list, delete, describe) and item operations (Get, Put, Update, Delete, Query, Scan, BatchWrite, BatchGet, TransactWrite, TransactGet)
  • DynamoDB Streams API – captures ordered sequence of item-level changes
  • NoSQL Workbench – visual tool for data modeling, visualization, and query development

Databases on EC2

  • EC2 with EBS volumes allows hosting a self-managed relational database with full OS and database administrative control
  • Ready-to-use, prebuilt AMIs are available from leading database vendors in AWS Marketplace
  • Note: With the introduction of RDS Custom (for Oracle and SQL Server), the need for self-managed databases on EC2 has decreased for these specific engines

Ideal Usage Patterns

  • Self-managed database on EC2 is ideal for applications that require a specific database platform not supported by Amazon RDS e.g., IBM DB2, Informix, Sybase, or specialized configurations
  • Applications requiring maximum level of administrative control and configurability including custom storage engines, specialized replication, or kernel-level tuning not available in RDS or RDS Custom
  • Database versions or configurations not yet supported by RDS

Anti-Patterns

  • Index and query-focused data
    • If the applications don’t require advanced features such as joins and complex transactions and is more oriented toward indexing and querying data, DynamoDB would be more appropriate
  • Numerous BLOBs
    • If the application makes heavy use of files (audio files, videos, images), use S3 for object storage and RDS or DynamoDB for metadata
  • Managed service available
    • If RDS supports the database engine and provides the needed features, RDS is preferred for reduced operational overhead. For Oracle/SQL Server requiring OS access, consider RDS Custom before self-managing on EC2.
  • Automated scalability
    • Self-managed databases require manual or scripted scaling operations. If fully-automated scaling is needed, DynamoDB, Aurora Serverless, or RDS with Auto Scaling may be better choices.

Performance

  • Performance depends on the EC2 instance type, number/configuration of EBS volumes, and database tuning
  • Scale up by choosing larger instance types (compute-optimized, memory-optimized) or Graviton-based instances for better price-performance
  • For storage: use gp3 or io2 Block Express EBS volumes. Use software RAID 0 (disk striping) across multiple EBS volumes for aggregated IOPS and bandwidth
  • Instance store (NVMe SSDs) can provide very high IOPS for temporary/cache workloads

Durability & Availability

  • Uses EBS for storage with same durability guarantees (99.999% availability for io2 Block Express)
  • Enhanced durability via EBS snapshots, cross-Region replication, or third-party backup tools (e.g., Oracle RMAN) to S3
  • High availability requires manual configuration: Multi-AZ replication, clustering solutions, or automated failover scripts

Cost Model

  • Cost determined by: EC2 instance size/type, EBS volume size and IOPS, data transfer, and any third-party database licensing costs
  • Savings Plans and Reserved Instances reduce EC2 compute costs for steady-state workloads
  • BYOL (Bring Your Own License) options available for Oracle, SQL Server, and other commercial databases

Scalability & Elasticity

  • Leverage EC2 scalability by creating AMIs for horizontal scaling, though database-specific clustering/sharding is required
  • Vertical scaling requires instance stop/start (brief downtime without clustering)
  • Auto Scaling groups can manage read replica fleets for read-heavy workloads

Comparison: RDS vs DynamoDB vs Database on EC2

Factor Amazon RDS DynamoDB Database on EC2
Type Managed Relational (SQL) Managed NoSQL (Key-Value/Document) Self-Managed Relational
Scaling Vertical + Read Replicas; Aurora Serverless for auto-scaling Fully automatic (on-demand) or provisioned with auto-scaling Manual vertical/horizontal
Availability Multi-AZ (2 or 3 AZs), automated failover Automatic across 3 AZs; Global Tables for multi-Region Manual HA configuration required
Admin Overhead Low (managed patching, backups) None (serverless) High (full responsibility)
Use Case Complex queries, joins, ACID transactions High-speed key-value access, flexible schema, massive scale Unsupported engines, full OS control

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Which of the following are use cases for Amazon DynamoDB? Choose 3 answers
    1. Storing BLOB data.
    2. Managing web sessions
    3. Storing JSON documents
    4. Storing metadata for Amazon S3 objects
    5. Running relational joins and complex updates.
    6. Storing large amounts of infrequently accessed data.
  2. A client application requires operating system privileges on a relational database server. What is an appropriate configuration for highly available database architecture?
    1. A standalone Amazon EC2 instance
    2. Amazon RDS in a Multi-AZ configuration
    3. Amazon EC2 instances in a replication configuration utilizing a single Availability Zone
    4. Amazon EC2 instances in a replication configuration utilizing two different Availability Zones

    Note: With the introduction of RDS Custom, this question’s context has evolved. RDS Custom for SQL Server now supports Multi-AZ. However, for full OS-level control beyond what RDS Custom offers, EC2 remains the answer.

  3. You are developing a new mobile application and are considering storing user preferences in AWS, which would provide a more uniform cross-device experience to users using multiple mobile devices to access the application. The preference data for each user is estimated to be 50KB in size. Additionally 5 million customers are expected to use the application on a regular basis. The solution needs to be cost-effective, highly available, scalable and secure, how would you design a solution to meet the above requirements?
    1. Setup an RDS MySQL instance in 2 availability zones to store the user preference data. Deploy a public facing application on a server in front of the database to manage security and access credentials
    2. Setup a DynamoDB table with an item for each user having the necessary attributes to hold the user preferences. The mobile application will query the user preferences directly from the DynamoDB table. Utilize STS. Web Identity Federation, and DynamoDB Fine Grained Access Control to authenticate and authorize access (DynamoDB provides high availability as it synchronously replicates data across three facilities within an AWS Region and scalability as it is designed to scale its provisioned throughput up or down while still remaining available. Also suitable for storing user preference data)
    3. Setup an RDS MySQL instance with multiple read replicas in 2 availability zones to store the user preference data. The mobile application will query the user preferences from the read replicas. Leverage the MySQL user management and access privilege system to manage security and access credentials.
    4. Store the user preference data in S3 Setup a DynamoDB table with an item for each user and an item attribute pointing to the user’ S3 object. The mobile application will retrieve the S3 URL from DynamoDB and then access the S3 object directly utilize STS, Web identity Federation, and S3 ACLs to authenticate and authorize access.
  4. A customer is running an application in US-West (Northern California) region and wants to setup disaster recovery failover to the Asian Pacific (Singapore) region. The customer is interested in achieving a low Recovery Point Objective (RPO) for an Amazon RDS multi-AZ MySQL database instance. Which approach is best suited to this need?
    1. Synchronous replication
    2. Asynchronous replication (Cross-Region Read Replicas use asynchronous replication. Note: DynamoDB Global Tables with MRSC now offers zero RPO across Regions for NoSQL workloads.)
    3. Route53 health checks
    4. Copying of RDS incremental snapshots
  5. You are designing a file-sharing service. This service will have millions of files in it. Revenue for the service will come from fees based on how much storage a user is using. You also want to store metadata on each file, such as title, description and whether the object is public or private. How do you achieve all of these goals in a way that is economical and can scale to millions of users?
    1. Store all files in Amazon Simple Storage Service (S3). Create a bucket for each user. Store metadata in the filename of each object, and access it with LIST commands against the S3 API.
    2. Store all files in Amazon S3. Create Amazon DynamoDB tables for the corresponding key-value pairs on the associated metadata, when objects are uploaded.
    3. Create a striped set of 4000 IOPS Elastic Load Balancing volumes to store the data. Use a database running in Amazon Relational Database Service (RDS) to store the metadata.
    4. Create a striped set of 4000 IOPS Elastic Load Balancing volumes to store the data. Create Amazon DynamoDB tables for the corresponding key-value pairs on the associated metadata, when objects are uploaded.
  6. Company ABCD has recently launched an online commerce site for bicycles on AWS. They have a “Product” DynamoDB table that stores details for each bicycle, such as, manufacturer, color, price, quantity and size to display in the online store. Due to customer demand, they want to include an image for each bicycle along with the existing details. Which approach below provides the least impact to provisioned throughput on the “Product” table?
    1. Serialize the image and store it in multiple DynamoDB tables
    2. Create an “Images” DynamoDB table to store the Image with a foreign key constraint to the “Product” table
    3. Add an image data type to the “Product” table to store the images in binary format
    4. Store the images in Amazon S3 and add an S3 URL pointer to the “Product” table item for each image
  7. A company needs to store IoT sensor data from thousands of devices. The data is small (under 1KB per reading), arrives at unpredictable rates, and must be queryable by device ID and timestamp with single-digit millisecond latency. Which database solution is most appropriate?
    1. Amazon RDS MySQL with Multi-AZ
    2. Self-managed Cassandra on EC2
    3. Amazon DynamoDB with on-demand capacity mode (DynamoDB with on-demand mode is ideal: handles unpredictable workloads without capacity planning, supports composite key (device ID as partition key, timestamp as sort key), and provides single-digit millisecond latency)
    4. Amazon Aurora Serverless
  8. A company wants to perform real-time analytics on data stored in their DynamoDB table without impacting production read/write performance. Which approach is the most operationally efficient?
    1. Create a read replica of the DynamoDB table
    2. Export data to S3 on a scheduled basis and query with Athena
    3. Use DynamoDB zero-ETL integration with Amazon Redshift (Zero-ETL integration provides near real-time data replication to Redshift without building custom pipelines or impacting DynamoDB performance)
    4. Use DynamoDB Streams with a Lambda function to copy data to RDS

AWS Storage Options – S3 & Glacier

📋 Post Updated: June 2026

This post has been updated to reflect the current AWS S3 storage classes (8 classes as of 2025), the deprecation of standalone Amazon Glacier vaults, S3 Glacier storage class renaming, removal of S3 Reduced Redundancy Storage (RRS) recommendation, and new S3 capabilities including S3 Tables, S3 Vectors, and S3 Express One Zone.

Amazon S3

  • highly-scalable, reliable, and low-latency data storage infrastructure at very low costs.
  • provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from within Amazon EC2 or from anywhere on the web.
  • allows you to write, read, and delete objects containing from 1 byte to 5 terabytes of data each.
  • number of objects you can store in an Amazon S3 bucket is virtually unlimited.
  • highly secure, supporting encryption at rest and in transit, and providing multiple mechanisms to provide fine-grained control of access to Amazon S3 resources.
  • as of January 5, 2023, all new objects are automatically encrypted with SSE-S3 (server-side encryption with S3 managed keys) at no additional cost.
  • highly scalable, allowing concurrent read or write access to Amazon S3 data by many separate clients or application threads.
  • provides data lifecycle management capabilities, allowing users to define rules to automatically transition data between storage classes (including S3 Glacier classes) or delete data at end of life.
  • stores data redundantly across a minimum of 3 Availability Zones by default (except One Zone classes), providing built-in resilience against widespread disaster.

S3 Storage Classes

Amazon S3 offers 8 storage classes designed for different access patterns and cost requirements:

  • S3 Standard – General-purpose storage for frequently accessed data. High throughput and low latency.
  • S3 Intelligent-Tiering – Automatic cost optimization by moving data between access tiers (Frequent, Infrequent, Archive Instant Access) based on changing access patterns, with no retrieval charges or operational overhead.
  • S3 Standard-Infrequent Access (S3 Standard-IA) – For data accessed less frequently but requiring rapid access when needed. Lower storage cost with per-GB retrieval charge.
  • S3 One Zone-Infrequent Access (S3 One Zone-IA) – Lower-cost option for infrequently accessed data that does not require multi-AZ resilience. Replaces the legacy Reduced Redundancy Storage (RRS).
  • S3 Express One Zone – Single-digit millisecond data access with up to 10x faster performance and 80% lower request costs than S3 Standard. Data stored in a single Availability Zone. Ideal for latency-sensitive applications like ML training and analytics.
  • S3 Glacier Instant Retrieval – Lowest-cost storage for long-lived data rarely accessed (once per quarter) that requires millisecond retrieval. 68% lower cost than S3 Standard-IA.
  • S3 Glacier Flexible Retrieval (formerly S3 Glacier) – For archive data accessed once or twice per year. Retrieval options: Expedited (1-5 minutes), Standard (3-5 hours), or free Bulk (5-12 hours). Minimum 90-day storage.
  • S3 Glacier Deep Archive – Lowest-cost storage class for long-term archive and digital preservation. Retrieval: Standard (within 12 hours) or Bulk (within 48 hours). Minimum 180-day storage.

Ideal Use Cases

  • Storage & Distribution of static web content and media
    • frequently used to host static websites and provides a highly-available and highly-scalable solution for websites with only static content, including HTML files, images, videos, and client-side scripts such as JavaScript
    • works well for fast growing websites hosting data intensive, user-generated content, such as video and photo sharing sites as no storage provisioning is required
    • content can either be directly served from Amazon S3 since each object in Amazon S3 has a unique HTTP URL address
    • can also act as an Origin store for the Content Delivery Network (CDN) such as Amazon CloudFront
    • it works particularly well for hosting web content with extremely spiky bandwidth demands because of S3’s elasticity
  • Data Store for Large Objects
    • can be paired with RDS or NoSQL database and used to store large objects for e.g. file or objects, while the associated metadata for e.g. name, tags, comments etc. can be stored in RDS or NoSQL database where it can be indexed and queried providing faster access to relevant data
  • Data store for computation and large-scale analytics
    • commonly used as a data store for computation and large-scale analytics, such as analyzing financial transactions, clickstream analytics, and media transcoding.
    • data can be accessed from multiple computing nodes concurrently without being constrained by a single connection because of its horizontal scalability
    • S3 Tables (launched Dec 2024) provides storage optimized for tabular data in Apache Iceberg format, with up to 3x faster query throughput for analytics workloads
  • Backup and Archival of critical data
    • used as a highly durable, scalable, and secure solution for backup and archival of critical data, and to provide disaster recovery solutions for business continuity.
    • stores objects redundantly on multiple devices across multiple facilities, it provides the highly-durable storage infrastructure needed for these scenarios.
    • it’s versioning capability is available to protect critical data from inadvertent deletion
  • AI and Machine Learning
    • S3 Vectors (GA Dec 2025) provides native vector storage with subsecond query performance for AI embeddings, reducing costs up to 90% compared to dedicated vector databases
    • integrated with Amazon Bedrock Knowledge Bases for retrieval augmented generation (RAG) workloads
  • Data Lakes
    • S3 serves as the foundation for building data lakes, with native integration with analytics services like Amazon Athena, Amazon EMR, and Amazon Redshift Spectrum
    • Mountpoint for Amazon S3 (GA Aug 2023) allows mounting S3 buckets as local file systems on Linux compute instances for high-throughput workloads

Anti-Patterns

Amazon S3 has following Anti-Patterns where it is not an optimal solution

  • Dynamic website hosting
    • While Amazon S3 is ideal for hosting static websites, dynamic websites requiring server side interaction, scripting or database interaction cannot be hosted and should rather be hosted on Amazon EC2 or AWS Lambda with API Gateway
  • Rapidly Changing Data
    • Data that needs to updated frequently might be better served by a storage solution with lower read/write latencies, such as Amazon EBS volumes, RDS, or DynamoDB.
  • File System Requirements
    • Amazon S3 uses a flat namespace and isn’t meant to serve as a standalone, POSIX-compliant file system. However, by using delimiters (commonly the ‘/’ character) you can emulate hierarchical folder structures within a bucket.
    • NOTE: Mountpoint for Amazon S3 provides file system access for read-heavy workloads, but is not a full POSIX file system. For full POSIX compliance, consider Amazon EFS or Amazon FSx.

Performance

  • Access to Amazon S3 from within Amazon EC2 in the same region is fast.
  • Amazon S3 is designed so that server-side latencies are insignificant relative to Internet latencies.
  • Amazon S3 automatically scales to high request rates — your application can achieve at least 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per partitioned prefix in a bucket. There are no limits to the number of prefixes in a bucket.
  • If Amazon S3 is accessed using multiple threads, multiple applications, or multiple clients concurrently, total Amazon S3 aggregate throughput will typically scale to rates that far exceed what any single server can generate or consume.
  • S3 Express One Zone provides single-digit millisecond latency and up to 10x faster performance than S3 Standard for latency-sensitive workloads.
  • S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket using CloudFront’s globally distributed edge locations.

Durability & Availability

  • Amazon S3 storage provides the highest level of data durability and availability, by automatically and synchronously storing your data across a minimum of three Availability Zones within the selected geographical region
  • Amazon S3 is designed to sustain the concurrent loss of data in two facilities, making it very well-suited to serve as the primary data storage for mission-critical data.
  • Amazon S3 is designed for 99.999999999% (11 nines) durability per object and 99.99% availability over a one-year period.
  • Amazon S3 data can be protected from unintended deletions or overwrites using Versioning.
  • Versioning can be enabled with MFA (Multi Factor Authentication) Delete on the bucket, which would require two forms of authentication to delete an object
  • S3 Object Lock provides write-once-read-many (WORM) protection to prevent objects from being deleted or overwritten for a fixed period or indefinitely (Governance or Compliance mode).
  • For Non Critical and Reproducible data, S3 Reduced Redundancy Storage (RRS) was previously available but is no longer recommended. Use S3 One Zone-IA instead for non-critical, reproducible data at lower cost with 99.5% availability.

Cost Model

  • With Amazon S3, you pay only for what you use and there is no minimum fee.
  • Amazon S3 pricing components include: storage (per GB per month, varies by storage class), data transfer out (per GB per month), requests and data retrievals (per n thousand requests per month), and optional management/analytics features.
  • S3 Intelligent-Tiering has a small monthly monitoring and automation charge per object but no retrieval fees, making it ideal for data with unknown or changing access patterns.

Scalability & Elasticity

  • Amazon S3 has been designed to offer a very high level of scalability and elasticity automatically
  • Amazon S3 supports a virtually unlimited number of files in any bucket
  • Amazon S3 bucket can store a virtually unlimited number of bytes
  • Amazon S3 allows you to store any number of objects (files) in a single bucket, and Amazon S3 will automatically manage scaling and distributing redundant copies of your information across multiple AZs in the same region, all using Amazon’s high-performance infrastructure.

Security & Access Management

  • Default Encryption: Since January 5, 2023, all new objects are automatically encrypted with SSE-S3. Options include SSE-S3, SSE-KMS (AWS KMS keys), SSE-C (customer-provided keys), and client-side encryption.
  • SSE-C Disabled by Default: As of April 2026, SSE-C is disabled by default on all new S3 general purpose buckets for improved security.
  • S3 Access Points: Simplify managing data access at scale by creating named access points with distinct permissions and network controls for different applications or teams.
  • S3 Block Public Access: Bucket-level and account-level settings to prevent public access.
  • Bucket Policies & ACLs: Fine-grained access control using IAM policies, bucket policies, and (legacy) Access Control Lists.
  • VPC Endpoints: Access S3 privately from within a VPC without traversing the public internet.

Interfaces

  • Amazon S3 provides standards-based REST APIs for both management and data operations.
  • NOTE – SOAP support over HTTP was deprecated. New Amazon S3 features are not supported for SOAP. Use the REST API or the AWS SDKs.
  • Amazon S3 provides SDKs in multiple languages (Java, Python, .NET, Go, JavaScript/TypeScript, PHP, Ruby, and more) that wrap the underlying APIs
  • AWS CLI provides high-level S3 file commands (ls, cp, mv, sync, etc.) with support for parallel transfers and recursive operations.
  • AWS Management Console provides a web-based interface for managing S3 buckets and objects
  • Mountpoint for Amazon S3 – open-source file client that mounts S3 buckets as local file systems on Linux, optimized for high-throughput read-heavy workloads (GA August 2023).
  • All interfaces provide the ability to store Amazon S3 objects in uniquely-named buckets, with each object identified by a unique Object key within that bucket.

S3 Data Query & Analytics

  • Amazon Athena – Serverless query service to analyze data in S3 using standard SQL without loading data into a database.
  • S3 Tables (Dec 2024) – Fully managed Apache Iceberg tables optimized for analytics, with up to 3x faster query throughput. Supports Intelligent-Tiering and replication.
  • S3 Vectors (GA Dec 2025) – Native vector storage and query for AI embeddings with subsecond performance, up to 2 billion vectors per index.
  • S3 Storage Lens – Cloud storage analytics providing organization-wide visibility into object storage usage, activity, and cost optimization recommendations.
  • S3 Select – Closed to new customers as of July 25, 2024. Use Amazon Athena, S3 Object Lambda, or client-side filtering as alternatives.

Amazon S3 Glacier

⚠️ Standalone Amazon Glacier Vaults – No Longer Available to New Customers

As of December 15, 2025, the original standalone vault-based Amazon Glacier service stopped accepting new customers. Existing customers can continue using it, but no migration is required.

Recommendation: Use the S3 Glacier storage classes (Instant Retrieval, Flexible Retrieval, Deep Archive) which are fully integrated with Amazon S3 and provide the same low-cost archival storage with better management capabilities.

AWS provides a Data Transfer from Amazon S3 Glacier Vaults to Amazon S3 guidance for migrating existing vault data to S3 buckets.

Amazon S3 Glacier storage classes provide extremely low-cost storage for data archival and long-term backup:

  • S3 Glacier Instant Retrieval – Millisecond access for archive data accessed once per quarter. Up to 68% lower cost than S3 Standard-IA. Minimum 90-day storage.
  • S3 Glacier Flexible Retrieval (formerly S3 Glacier) – For archive data accessed once or twice per year. Retrieval options:
    • Expedited: 1-5 minutes
    • Standard: 3-5 hours
    • Bulk: 5-12 hours (free)

    Minimum 90-day storage duration.

  • S3 Glacier Deep Archive – Lowest-cost storage for data retained for 7-10+ years. Retrieval options:
    • Standard: Within 12 hours
    • Bulk: Within 48 hours

    Minimum 180-day storage duration.

Ideal Usage Patterns

  • Amazon S3 Glacier classes are ideally suited for long-term archival storage for infrequently accessed data including:
    • Offsite enterprise information archiving
    • Media asset preservation
    • Research and scientific data retention
    • Digital preservation and magnetic tape replacement
    • Regulatory and compliance archives
    • Healthcare records, financial records retention
  • S3 Glacier Instant Retrieval is ideal for data like medical images, news media assets, or user-generated content archives that need millisecond access but are rarely retrieved.

Anti-Patterns

Amazon S3 Glacier storage classes have following Anti-Patterns where they are not an optimal solution

  • Rapidly changing data
    • Data that must be updated very frequently should use a storage solution with lower read/write latencies such as Amazon EBS, DynamoDB, or S3 Standard
  • Real time access (Flexible Retrieval and Deep Archive)
    • Data stored in Glacier Flexible Retrieval or Deep Archive cannot be accessed in real time and requires a restore request with retrieval times from minutes to hours. If immediate access is needed, use S3 Standard, S3 Glacier Instant Retrieval, or S3 Intelligent-Tiering.
  • Short-lived data
    • Glacier classes have minimum storage duration charges (90 days for Instant/Flexible, 180 days for Deep Archive). Data deleted before the minimum is charged for the remainder.

Performance

  • S3 Glacier Instant Retrieval: Millisecond access time, same performance as S3 Standard-IA.
  • S3 Glacier Flexible Retrieval: Expedited (1-5 min), Standard (3-5 hours), Bulk (5-12 hours, free).
  • S3 Glacier Deep Archive: Standard (within 12 hours), Bulk (within 48 hours).

Durability and Availability

  • All S3 Glacier storage classes redundantly store data across a minimum of three Availability Zones
  • Designed to provide 99.999999999% (11 nines) durability per object
  • Data is synchronously stored across multiple facilities before returning SUCCESS on upload.
  • Regular, systematic data integrity checks are performed and the system is built to be automatically self-healing.

Cost Model

  • S3 Glacier pricing components include: storage (per GB per month), data transfer out (per GB per month), requests (per thousand requests per month), and data retrievals (per GB retrieved).
  • S3 Glacier Flexible Retrieval Bulk retrievals are free.
  • Early deletion charges apply if objects are deleted before the minimum storage duration (90 days for Instant/Flexible, 180 days for Deep Archive).
  • S3 Glacier Deep Archive offers storage starting at approximately $0.00099 per GB per month (lowest cost in the cloud).

Scalability & Elasticity

  • Individual objects can be up to 5 TB in size.
  • There is no limit to the total amount of data stored — Amazon S3 Glacier scales automatically from gigabytes to petabytes.

Interfaces & Lifecycle Integration

  • S3 Glacier storage classes are fully managed through the Amazon S3 APIs and console — objects are transitioned to Glacier classes via S3 Lifecycle policies or direct PUT with storage class specification.
  • S3 Lifecycle policies can automatically transition objects from S3 Standard → S3 Standard-IA → S3 Glacier Instant Retrieval → S3 Glacier Flexible Retrieval → S3 Glacier Deep Archive based on age.
  • Restoring objects from Glacier Flexible Retrieval or Deep Archive creates a temporary copy in S3 Standard for a specified retention period; the archived object remains in Glacier.
  • S3 Batch Operations can restore archived objects at scale across millions of objects.
  • Objects in S3 Glacier classes are managed through S3 APIs — they appear in S3 bucket listings and can be managed with standard S3 tools.
  • For data migration into AWS at scale, use the AWS Snow Family (Snowball Edge, Snowcone) for physical data transport. AWS Import/Export (legacy disk-based service) has been replaced by the Snow Family.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. You want to pass queue messages that are 1GB each. How should you achieve this?
    1. Use Kinesis as a buffer stream for message bodies. Store the checkpoint id for the placement in the Kinesis Stream in SQS.
    2. Use the Amazon SQS Extended Client Library for Java and Amazon S3 as a storage mechanism for message bodies. (Amazon SQS messages with Amazon S3 can be useful for storing and retrieving messages with a message size of up to 2 GB. To manage Amazon SQS messages with Amazon S3, use the Amazon SQS Extended Client Library for Java. Refer link)
    3. Use SQS’s support for message partitioning and multi-part uploads on Amazon S3.
    4. Use AWS EFS as a shared pool storage medium. Store filesystem pointers to the files on disk in the SQS message bodies.
  2. Company ABCD has recently launched an online commerce site for bicycles on AWS. They have a “Product” DynamoDB table that stores details for each bicycle, such as, manufacturer, color, price, quantity and size to display in the online store. Due to customer demand, they want to include an image for each bicycle along with the existing details. Which approach below provides the least impact to provisioned throughput on the “Product” table?
    1. Serialize the image and store it in multiple DynamoDB tables
    2. Create an “Images” DynamoDB table to store the Image with a foreign key constraint to the “Product” table
    3. Add an image data type to the “Product” table to store the images in binary format
    4. Store the images in Amazon S3 and add an S3 URL pointer to the “Product” table item for each image
  3. A company has 500 TB of archival data that must be retained for 10 years for regulatory compliance. The data is rarely accessed but must be retrievable within 12 hours when needed. Which S3 storage class is the MOST cost-effective?
    1. S3 Standard-IA
    2. S3 Glacier Instant Retrieval
    3. S3 Glacier Flexible Retrieval
    4. S3 Glacier Deep Archive (For data retained 7-10+ years with retrieval within 12 hours, Deep Archive provides the lowest cost at approximately $0.00099/GB/month with Standard retrieval within 12 hours.)
  4. A media company stores user-uploaded photos that are frequently accessed for the first 30 days, occasionally accessed for the next 90 days, and rarely accessed after that. They want to minimize storage costs without operational overhead. Which solution is MOST appropriate?
    1. Store in S3 Standard and create lifecycle rules to transition to S3 Standard-IA after 30 days and S3 Glacier Flexible Retrieval after 120 days
    2. Store in S3 Intelligent-Tiering which automatically moves objects between Frequent, Infrequent, and Archive Instant Access tiers based on access patterns (S3 Intelligent-Tiering eliminates operational overhead by automatically optimizing costs based on changing access patterns with no retrieval charges.)
    3. Store in S3 One Zone-IA with lifecycle rules
    4. Store in S3 Standard and manually move objects between storage classes
  5. An organization needs to query CSV data stored in S3 without provisioning any infrastructure. The data is several terabytes and they need to run ad-hoc SQL queries. Which AWS service should they use?
    1. Amazon RDS
    2. Amazon Redshift
    3. Amazon Athena (Amazon Athena is a serverless query service that can run SQL queries directly against data in S3 without loading it into a database. It’s ideal for ad-hoc queries on S3 data.)
    4. S3 Select
  6. A healthcare company needs to store patient records in S3 that cannot be deleted or modified for 7 years due to compliance regulations. Which S3 feature should they use?
    1. S3 Versioning with MFA Delete
    2. S3 Bucket Policy denying delete operations
    3. S3 Object Lock in Compliance mode with a 7-year retention period (S3 Object Lock in Compliance mode provides WORM protection that cannot be overridden by any user, including the root account, ensuring objects cannot be deleted or overwritten for the retention period.)
    4. S3 Glacier Vault Lock
  7. A machine learning team needs to store and query billions of vector embeddings from their AI models with subsecond performance. Which AWS service is purpose-built for this use case?
    1. Amazon OpenSearch Service
    2. Amazon DynamoDB
    3. Amazon S3 with Athena
    4. Amazon S3 Vectors (S3 Vectors provides native vector storage and query capabilities with subsecond performance, supporting up to 2 billion vectors per index, purpose-built for AI embedding workloads at S3’s low cost.)

References

AWS EC2 Security

AWS EC2 Security

  • IAM helps control whether users in the organization can perform a task using specific EC2 API actions and whether they can use specific AWS resources.
  • Use IAM roles to prevent the need to share as well as manage, and rotate the security credentials that the applications use.
  • Security groups act as a virtual firewall that controls the traffic to the EC2 instances. They can help specify rules that control the inbound traffic that’s allowed to reach the instances and the outbound traffic that’s allowed to leave the instance.
  • Use AWS Systems Manager Session Manager to connect to the instance as it provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.
  • Use EC2 Instance Connect to connect to your instances using Secure Shell (SSH) without the need to share and manage SSH keys.
  • Use EC2 Instance Connect Endpoint to connect securely to instances in private subnets without requiring a public IP address, Internet Gateway, or bastion host.
  • Use AWS Systems Manager Run Command to automate common administrative tasks instead of opening inbound SSH ports and managing SSH keys.
  • Use Systems Manager Patch Manager to automate the process of patching, installing security-related updates for both the operating system and applications.
  • Use AWS Verified Access to provide secure, VPN-less, zero-trust access to EC2 instances over SSH, RDP, and other protocols.
  • Enforce IMDSv2 (Instance Metadata Service Version 2) to add defense-in-depth against unauthorized metadata access using session-oriented token-based requests.

EC2 Key Pairs

  • EC2 uses public-key cryptography to encrypt & decrypt login information
  • Public-key cryptography uses a public key to encrypt a piece of data, such as a password, then the recipient uses the private key to decrypt the data.
  • Public and private keys are known as a key pair.
  • To log in to an EC2 instance, a key pair needs to be created and specified when the instance is launched, and the private key can be used to connect to the instance.
  • Linux instances have no password, and the key pair is used for ssh log in
  • For Windows instances, the key pair can be used to obtain the administrator password and then log in using RDP
  • EC2 stores the public key only, and the private key resides with the user. EC2 doesn’t keep a copy of your private key
  • Public key content (on Linux instances) is placed in an entry within ~/.ssh/authorized_keys at boot time and enables the user to securely access the instance without passwords
  • Public key specified for an instance when launched is also available through its instance metadata http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
  • EC2 Security Best Practice: Store the private keys in a secure place as anyone who possesses the private key can decrypt the login information
  • Also, if the private key is lost, there is no way to recover the same.
    • For instance store, you cannot access the instance
    • For EBS-backed Linux instances, access can be regained.
      • EBS-backed instance can be stopped, its root volume detached and attached to another instance as a data volume
      • Modify the authorized_keys file, move the volume back to the original instance, and restart the instance
  • Key pair associated with the instances can either be
    • Generated by EC2
      • EC2 supports RSA (2048-bit SSH-2) and ED25519 key pair types.
      • ED25519 keys are not supported for Windows instances.
      • Key pairs can be generated in PEM or PPK format.
    • Created separately (using third-party tools) and Imported into EC2
      • EC2 accepts RSA and ED25519 keys for import (does not accept DSA keys)
      • RSA supported lengths: 1024, 2048, and 4096
  • Supports five thousand key pairs per region
  • Key pair management features include viewing creation date and public key material for existing and new key pairs.
  • Deleting a key pair only deletes the public key and does not impact the servers already launched with the key.
  • Use AWS Systems Manager Session Manager to connect to the instance as it provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.

EC2 Instance Connect

  • EC2 Instance Connect provides a simple and secure way to connect to instances using SSH without the need to share and manage SSH keys.
  • Generates a one-time-use SSH public key and pushes it to the instance metadata, where it remains available for 60 seconds.
  • IAM policies control which users can access and connect to specific instances.
  • All connection requests using EC2 Instance Connect are logged to AWS CloudTrail for auditing.
  • Supports IPv6 connectivity (added Sep 2024), allowing connections to instances with IPv6 addresses.
  • Available at no additional cost.

EC2 Instance Connect Endpoint

  • EC2 Instance Connect Endpoint (EIC Endpoint), launched in June 2023, allows secure connectivity from the Internet to instances in private subnets.
  • Eliminates the need for an Internet Gateway (IGW) in the VPC, a public IP address on the resource, a bastion host, or any agent to connect to instances.
  • Supports SSH (Linux) and RDP (Windows) connectivity without public IP addresses.
  • Uses IAM-based authentication to establish secure connections.
  • Supports IPv6 connectivity (added Oct 2025) — EIC Endpoints can be configured as dual-stack or IPv6-only.
  • IAM policies can restrict which instances users can connect to through the endpoint.
  • Available at no additional cost.
  • Replaces traditional bastion host architecture for many use cases, reducing operational overhead and attack surface.

EC2 Security Groups

  • An EC2 instance, when launched, can be associated with one or more security groups, which acts as a virtual firewall that controls the traffic to that instance
  • Security groups help specify rules that control the inbound traffic that’s allowed to reach the instances and the outbound traffic that’s allowed to leave the instance
  • Security groups are associated with network interfaces. Changing an instance’s security groups changes the security groups associated with the primary network interface (eth0)
  • An ENI can be associated with 5 security groups and with 60 inbound and 60 outbound rules per security group (120 total rules per security group)
  • A single network interface cannot have more than 1000 combined rules from all attached Security Groups.
  • Rules for a security group can be modified at any time; the new rules are automatically applied to all instances associated with the security group.
  • All the rules from all associated security groups are evaluated to decide where to allow traffic to an instance
  • Security Group features
    • For the VPC default security group, it allows all inbound traffic from other instances associated with the default security group
    • By default, VPC default security groups or newly created security groups allow all outbound traffic
    • Security group rules are always permissive; deny rules can’t be created
    • Rules can be added and removed any time.
    • Any modification to the rules are automatically applied to the instances associated with the security group after a short period, depending on the connection tracking for the traffic
    • Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. For VPC security groups, this also means that responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules
    • If multiple rules are defined for the same protocol and port, the Most permissive rule is applied for e.g. for multiple rules for tcp and port 22 for specific IP and Everyone, everyone is granted access being the most permissive rule

Security Group VPC Associations (Oct 2024)

  • Security groups can now be associated with multiple VPCs in the same account and AWS Region using Security Group VPC Associations.
  • Enables enforcing consistent traffic filtering rules for workloads regardless of the VPC.
  • Security groups can be shared with participant accounts using AWS Resource Access Manager (RAM) in shared VPC environments.
  • Cannot share security groups that are in a default VPC.
  • Eliminates the need to duplicate security group rules across multiple VPCs.

Security Group Referencing across Transit Gateway (Sep 2024)

  • Security group referencing is now supported across VPCs connected by AWS Transit Gateway.
  • Allows creating inbound security rules that reference security groups defined in other VPCs attached to a Transit Gateway within the same Region.
  • Simplifies management and provides better security posture for TGW-based networks.
  • Also supported across AWS Cloud WAN (Jun 2025) for cross-VPC connectivity.

Related Resources View (Feb 2026)

  • The EC2 and VPC consoles now display a “Related resources” tab for security groups.
  • Provides a consolidated view of all resources that depend on a specific security group.
  • Eliminates the need to manually check multiple services before making security group configuration changes.

Connection Tracking

  • Security groups are Stateful and they use Connection tracking to track information about traffic to and from the instance.
  • This allows responses to inbound traffic to flow out of the instance regardless of outbound security group rules, and vice versa.
  • Connection Tracking is maintained only if there is no explicit Outbound rule for an Inbound request (and vice versa)
  • However, if there is an explicit Outbound rule for an Inbound request, the response traffic is allowed on the basis of the Outbound rule and not on the Tracking information
  • Any existing flow of traffic, that is tracked, is not interrupted even if the rules for the security groups are changed. To ensure traffic is immediately interrupted, use NACL as they are stateless and therefore do not allow automatic response traffic.
  • Also, If the instance (host A) initiates traffic to host B and uses a protocol other than TCP, UDP, or ICMP, the instance’s firewall only tracks the IP address and protocol number for the purpose of allowing response traffic from host B. If host B initiates traffic to your instance in a separate request within 600 seconds of the original request or response, your instance accepts it regardless of inbound security group rules, because it’s regarded as response traffic.
  • Can be controlled by modifying the security group’s outbound rules to permit only certain types of outbound traffic or using NACL

Configurable Idle Timeouts (Nov 2023)

  • Idle timeouts for connection tracking are now configurable on a per Elastic Network Interface (ENI) basis.
  • Configurable timeout settings:
    • TCP Established: Min 60 seconds, Max 432,000 seconds (5 days). Default: 432,000 seconds (pre-Nitro v6) or 350 seconds (Nitro v6 instances).
    • UDP Stream: Min 60 seconds, Max 180 seconds. Default: 180 seconds.
    • UDP Unidirectional: Min 30 seconds, Max 60 seconds. Default: 30 seconds.
  • Important (Jun 2025): Sixth-generation Nitro (Nitro v6) instances (c8, r8, etc.) changed the default TCP connection tracking idle timeout from 432,000 seconds (5 days) to 350 seconds. If a TCP connection remains idle for more than 350 seconds, the ENI evicts the session from its tracking table.
  • Applications with long-lived idle connections on Nitro v6 instances should either configure keep-alive mechanisms or adjust the idle timeout setting.

Instance Metadata Service v2 (IMDSv2)

  • IMDSv2 is an enhancement to the Instance Metadata Service that uses session-oriented token-based requests to add defense-in-depth against unauthorized metadata access.
  • IMDSv2 requires a session token obtained via a PUT request before metadata can be retrieved, protecting against SSRF attacks and unauthorized access.
  • Sessions can last up to six hours and tokens can only be used from the EC2 instance where the session began.
  • Session token PUT requests are blocked if they contain an X-forwarded-for header (mitigates reverse proxy exploitation).
  • IMDSv2 enforcement timeline:
    • Mar 2024: Account-level setting available to set IMDSv2 as default for all new instance launches.
    • Mid-2024: All newly released EC2 instance types require IMDSv2 only (IMDSv1 disabled).
    • AWS Console Quick Starts and other launch pathways default to IMDSv2.
  • Methods to enforce IMDSv2:
    • Set account-level default using ModifyInstanceMetadataDefaults API
    • Set AMI-level property to require IMDSv2
    • Set instance metadata options during launch
    • Use declarative policies via AWS Organizations for multi-account, multi-region enforcement
  • When IMDSv2 is required, IMDSv1 is disabled — applications relying on IMDSv1 will break.
  • Default hop limit is set to 2 when IMDSv2 is required (supports containerized workloads).
  • Best Practice: Enforce IMDSv2 across all instances to prevent credential theft via SSRF attacks

IAM with EC2

  • IAM policy can be defined to allow or deny a user access to the EC2 resources and actions
  • EC2 partially supports resource-level permissions. For some EC2 API actions, you cannot specify which resource a user is allowed to work with for that action; instead, you have to allow users to work with all resources for that action
  • IAM allows to control only what actions a user can perform on the EC2 resources but cannot be used to grant access for users to be able to access or login to the instances

EC2 with IAM Role

  • EC2 instances can be launched with IAM roles so that the applications can securely make API requests from your instances.
  • IAM roles prevent the need to share as well as manage, rotate the security credentials that the applications use.
  • IAM role can be added to an existing running EC2 instance.
  • EC2 uses an instance profile as a container for an IAM role.
    • Creation of an IAM role using the console, creates an instance profile automatically and gives it the same name as the role it corresponds to.
    • When using the AWS CLI, API, or an AWS SDK to create a role, the role and instance profile needs to be created as separate actions, and they can be given different names.
    • One role per instance profile (this limit cannot be increased).
  • To launch an instance with an IAM role, the name of its instance profile needs to be specified.
  • An application on the instance can retrieve the security credentials provided by the role from the instance metadata item http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name.
  • Security credentials are temporary and are rotated automatically and new credentials are made available at least five minutes prior to the expiration of the old credentials.
  • EC2 IAM role credentials are not subject to maximum session durations configured in the role.
  • Best Practice: Always launch EC2 instance with IAM role instead of hardcoded credentials

EC2 IAM Role S3 Access

AWS Verified Access

  • AWS Verified Access provides secure, VPN-less access to corporate applications and resources using zero-trust principles (“never trust, always verify”).
  • Evaluates each access request based on user identity and device health rather than network location.
  • Supports fine-grained access policies using the Cedar policy language.
  • Originally supported HTTP(S) applications only (GA April 2023).
  • Non-HTTP(S) protocol support (GA Feb 2025): Extends zero-trust access to SSH, RDP, JDBC, ODBC, and other TCP protocols.
    • Eliminates the need for VPNs or bastion hosts for SSH/RDP access to EC2 instances.
    • Simplifies security operations by using a single solution for all application types.
  • Integrates with third-party identity providers (IdPs) and device management solutions.
  • All access requests are logged for auditing and compliance.
  • Achieved FedRAMP High and Moderate authorization (Mar 2025).
  • Can be combined with AWS Network Firewall for deep packet inspection.

EC2 Resiliency

  • EC2 offers the following features to support your data resiliency:
    • Copying AMIs across Regions
    • Copying EBS snapshots across Regions
    • Automating EBS-backed AMIs using Data Lifecycle Manager
    • Automating EBS snapshots using Data Lifecycle Manager
    • Maintaining the health and availability of the fleet using EC2 Auto Scaling
    • Distributing incoming traffic across multiple instances in a single AZ or multiple AZs using Elastic Load Balancing
    • Using Recycle Bin to protect EBS snapshots, EBS-backed AMIs, and EBS Volumes from accidental deletion with configurable retention periods
    • Automatically deleting underlying EBS snapshots when deregistering AMIs (Jun 2025) to simplify cleanup

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. You launch an Amazon EC2 instance without an assigned AWS identity and Access Management (IAM) role. Later, you decide that the instance should be running with an IAM role. Which action must you take in order to have a running Amazon EC2 instance with an IAM role assigned to it?
    1. Create an image of the instance, and register the image with an IAM role assigned and an Amazon EBS volume mapping.
    2. Create a new IAM role with the same permissions as an existing IAM role, and assign it to the running instance. (As per AWS latest enhancement, this is possible now)
    3. Create an image of the instance, add a new IAM role with the same permissions as the desired IAM role, and deregister the image with the new role assigned.
    4. Create an image of the instance, and use this image to launch a new instance with the desired IAM role assigned (This was correct before, as it was not possible to add an IAM role to an existing instance)
  2. What does the following command do with respect to the Amazon EC2 security groups? ec2-revoke RevokeSecurityGroupIngress
    1. Removes one or more security groups from a rule.
    2. Removes one or more security groups from an Amazon EC2 instance.
    3. Removes one or more rules from a security group
    4. Removes a security group from our account.
  3. Which of the following cannot be used in Amazon EC2 to control who has access to specific Amazon EC2 instances?
    1. Security Groups
    2. IAM System
    3. SSH keys
    4. Windows passwords
  4. You must assign each server to at least _____ security group
    1. 3
    2. 2
    3. 4
    4. 1
  5. A company is building software on AWS that requires access to various AWS services. Which configuration should be used to ensure that AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised?
    1. Enable Multi-Factor Authentication for your AWS root account.
    2. Assign an IAM role to the Amazon EC2 instance
    3. Store the AWS Access Key ID/Secret Access Key combination in software comments.
    4. Assign an IAM user to the Amazon EC2 Instance.
  6. Which of the following items are required to allow an application deployed on an EC2 instance to write data to a DynamoDB table? Assume that no security keys are allowed to be stored on the EC2 instance. (Choose 2 answers)
    1. Create an IAM Role that allows write access to the DynamoDB table
    2. Add an IAM Role to a running EC2 instance. (As per AWS latest enhancement, this is possible now)
    3. Create an IAM User that allows write access to the DynamoDB table.
    4. Add an IAM User to a running EC2 instance.
    5. Launch an EC2 Instance with the IAM Role included in the launch configuration (This was correct before, as it was not possible to add an IAM role to an existing instance)
  7. You have an application running on an EC2 Instance, which will allow users to download files from a private S3 bucket using a pre-assigned URL. Before generating the URL the application should verify the existence of the file in S3. How should the application use AWS credentials to access the S3 bucket securely?
    1. Use the AWS account access Keys the application retrieves the credentials from the source code of the application.
    2. Create a IAM user for the application with permissions that allow list access to the S3 bucket launch the instance as the IAM user and retrieve the IAM user’s credentials from the EC2 instance user data.
    3. Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role’s credentials from the EC2 Instance metadata
    4. Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.
  8. A user has created an application, which will be hosted on EC2. The application makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK to connect with from the EC2 instance. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?
    1. The user should attach an IAM role with DynamoDB access to the EC2 instance
    2. The user should create an IAM user with DynamoDB access and use its credentials within the application to connect with DynamoDB
    3. The user should create an IAM role, which has EC2 access so that it will allow deploying the application
    4. The user should create an IAM user with DynamoDB and EC2 access. Attach the user with the application so that it does not use the root account credentials
  9. Your application is leveraging IAM Roles for EC2 for accessing object stored in S3. Which two of the following IAM policies control access to you S3 objects.
    1. An IAM trust policy allows the EC2 instance to assume an EC2 instance role.
    2. An IAM access policy allows the EC2 role to access S3 objects
    3. An IAM bucket policy allows the EC2 role to access S3 objects. (Bucket policy is defined with S3 and not with IAM)
    4. An IAM trust policy allows applications running on the EC2 instance to assume as EC2 role (Trust policy allows EC2 instance to assume the role)
    5. An IAM trust policy allows applications running on the EC2 instance to access S3 objects. (Applications can access S3 through EC2 assuming the role)
  10. You have an application running on an EC2 Instance, which will allow users to download files from a private S3 bucket using a pre-assigned URL. Before generating the URL the application should verify the existence of the file in S3. How should the application use AWS credentials to access the S3 bucket securely?
    1. Use the AWS account access Keys the application retrieves the credentials from the source code of the application.
    2. Create a IAM user for the application with permissions that allow list access to the S3 bucket launch the instance as the IAM user and retrieve the IAM user’s credentials from the EC2 instance user data.
    3. Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role’s credentials from the EC2 Instance metadata
    4. Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.

New Practice Questions

  1. A company wants to provide secure SSH access to EC2 instances in private subnets without using bastion hosts, VPNs, or public IP addresses. Which AWS service should they use?
    1. AWS Direct Connect
    2. AWS Site-to-Site VPN
    3. EC2 Instance Connect Endpoint
    4. AWS PrivateLink
  2. A security team wants to protect EC2 instances from credential theft through SSRF (Server-Side Request Forgery) attacks targeting the instance metadata service. Which approach should they implement?
    1. Disable the instance metadata service entirely
    2. Use security groups to block metadata access
    3. Enforce IMDSv2 which requires session tokens for metadata access
    4. Encrypt the metadata service endpoint
  3. An organization uses multiple VPCs within the same account and region and wants to maintain consistent security group rules across all VPCs without duplication. Which feature should they use?
    1. VPC Peering with security group referencing
    2. Security Group VPC Associations
    3. AWS Network Firewall
    4. AWS Config rules
  4. A company is migrating to sixth-generation Nitro (Nitro v6) EC2 instances and experiencing dropped TCP connections for long-running idle workloads. What is the most likely cause?
    1. Security group rules are being modified
    2. Network ACLs are timing out
    3. The default TCP connection tracking idle timeout changed from 432,000 seconds to 350 seconds on Nitro v6 instances
    4. The instance is being stopped by Auto Scaling
  5. A company wants to implement zero-trust access for SSH and RDP connections to EC2 instances, evaluating user identity and device security posture for each request without requiring a VPN. Which AWS service provides this capability?
    1. EC2 Instance Connect Endpoint
    2. AWS Systems Manager Session Manager
    3. AWS Verified Access
    4. AWS Client VPN
  6. Which of the following key pair types are supported for EC2 Linux instances? (Choose 2)
    1. DSA
    2. RSA
    3. ED25519
    4. ECDSA

AWS Encrypting Data at Rest – Whitepaper – Certification

Encrypting Data at Rest

🔄 Major Updates (2023-2026)

  • Amazon S3 now automatically encrypts ALL new objects with SSE-S3 by default (Jan 2023). SSE-C disabled by default on new buckets (April 2026).
  • Amazon S3 DSSE-KMS — new dual-layer server-side encryption option (June 2023).
  • AWS KMS — now FIPS 140-3 Level 3 validated. Supports flexible automatic key rotation (90 days to 7 years) and on-demand rotation (April 2024). Post-quantum cryptography support with ML-KEM and ML-DSA (2025-2026).
  • AWS CloudHSM — new hsm2m.medium instance type (Aug 2024) with FIPS 140-3 Level 3 certification and non-FIPS mode.
  • Amazon Aurora — encryption at rest enabled by default for all new clusters (Feb 2026).
  • Amazon EBS — supports encryption by default for all new volumes (opt-in per region), including boot volumes.
  • Amazon Glacier (standalone vault-based service) — stopped accepting new customers Dec 15, 2025. Use S3 Glacier storage classes instead.
  • AWS delivers a secure, scalable cloud computing platform with high availability, offering the flexibility for you to build a wide range of applications
  • AWS allows several options for encrypting data at rest, for additional layer of security, ranging from completely automated AWS encryption solution to manual client-side options
  • Encryption requires 3 things
    • Data to encrypt
    • Encryption keys
    • Cryptographic algorithm method to encrypt the data
  • AWS provides different models for Securing data at rest on the following parameters
    • Encryption method
      • Encryption algorithm selection involves evaluating security, performance, and compliance requirements specific to your application
    • Key Management Infrastructure (KMI)
      • KMI enables managing & protecting the encryption keys from unauthorized access
      • KMI provides
        • Storage layer that protects plain text keys
        • Management layer that authorize key usage
  • Hardware Security Module (HSM)
    • Common way to protect keys in a KMI is using HSM
    • An HSM is a dedicated storage and data processing device that performs cryptographic operations using keys on the device.
    • An HSM typically provides tamper evidence, or resistance, to protect keys from unauthorized use.
    • A software-based authorization layer controls who can administer the HSM and which users or applications can use which keys in the HSM
  • AWS CloudHSM
    • AWS CloudHSM appliance has both physical and logical tamper detection and response mechanisms that trigger zeroization of the appliance.
    • Zeroization erases the HSM’s volatile memory where any keys in the process of being decrypted were stored and destroys the key that encrypts stored objects, effectively causing all keys on the HSM to be inaccessible and unrecoverable.
    • AWS CloudHSM can be used to generate and store key material and can perform encryption and decryption operations.
    • AWS CloudHSM, however, does not perform any key lifecycle management functions (e.g., access control policy, key rotation) and needs a compatible KMI.
    • KMI can be deployed either on-premises or within Amazon EC2 and can communicate to the AWS CloudHSM instance securely over SSL to help protect data and encryption keys.
    • Update (Aug 2024): AWS CloudHSM launched a new hsm2m.medium instance type with FIPS 140-3 Level 3 certification, non-FIPS mode option, increased key storage (16,666 keys), and mTLS support. The previous hsm1.medium type should be migrated to the new instance type.
    • AWS CloudHSM clusters are backed by HSMs certified at FIPS 140-3 Level 3 (previously FIPS 140-2 Level 2/3).
  • AWS Key Management Service (KMS)
    • AWS KMS is a managed encryption service that allows you to provision and use keys to encrypt data in AWS services and your applications.
    • Master keys (now called KMS keys), after creation, are designed to never be exported from the service.
    • AWS KMS gives you centralized control over who can access your KMS keys to encrypt and decrypt data, and it gives you the ability to audit this access.
    • Data can be sent into the KMS to be encrypted or decrypted under a specific KMS key under your account.
    • AWS KMS is natively integrated with other AWS services (for e.g. Amazon EBS, Amazon S3, Amazon RDS, and Amazon Redshift) and AWS SDKs to simplify encryption of your data within those services or custom applications.
    • AWS KMS provides global availability, low latency, and a high level of durability for your keys.
    • AWS KMS HSMs are now validated at FIPS 140-3 Security Level 3 (upgraded from FIPS 140-2 Level 2 in 2023).
    • Key Rotation (2024 Update):
      • Customizable automatic rotation period from 90 days to 7 years (2560 days), previously fixed at 1 year.
      • On-demand key rotation available for immediate rotation of customer managed symmetric encryption keys.
      • Key rotation history tracking available via console and API.
    • External Key Store (XKS): Allows you to store and use encryption keys in an HSM or key manager outside AWS, while still using KMS APIs. Useful for regulatory requirements mandating key storage outside cloud provider infrastructure.
    • Post-Quantum Cryptography (2025-2026):
      • ML-KEM (Module-Lattice Key-Encapsulation Mechanism) support for post-quantum TLS connections to KMS.
      • ML-DSA (Module-Lattice Digital Signature Algorithm) support for quantum-resistant digital signatures (June 2025).
      • CRYSTALS-Kyber support will be removed in 2026 in favor of ML-KEM.
    • Key Store Options:
      • Default KMS key store (FIPS 140-3 Level 3 HSMs managed by AWS)
      • CloudHSM key store (custom key store backed by your CloudHSM cluster)
      • External key store (XKS — keys stored outside AWS)

Encryption Models in AWS

Encryption models in AWS depends on how you/AWS provides the encryption method and the KMI

  • You control the encryption method and the entire KMI
  • You control the encryption method, AWS provides the storage component of the KMI, and you provide the management layer of the KMI.
  • AWS controls the encryption method and the entire KMI.

Model A: You control the encryption method and the entire KMI

  • You use your own KMI to generate, store, and manage access to keys as well as control all encryption methods in your applications
  • Proper storage, management, and use of keys to ensure the confidentiality, integrity, and availability of your data is your responsibility
  • AWS has no access to your keys and cannot perform encryption or decryption on your behalf.
  • Amazon S3
    • Encryption of the data is done before the object is sent to AWS S3
    • Encryption of the data can be done using any encryption method and the encrypted data can be uploaded using the PUT request in the Amazon S3 API
    • Key used to encrypt the data needs to be stored securely in your KMI
    • To decrypt this data, the encrypted object can be downloaded from Amazon S3 using the GET request in the Amazon S3 API and then decrypted using the key in your KMI
    • AWS provides Client-side encryption handling, where you can provide your key to the AWS S3 encryption client which will encrypt and decrypt the data on your behalf. However, AWS never has access to the keys or the unencrypted data
  • Amazon EBS
    • Amazon Elastic Block Store (Amazon EBS) provides block-level storage volumes for use with Amazon EC2 instances. Amazon EBS volumes are network-attached, and persist independently from the life of an instance.
    • Because Amazon EBS volumes are presented to an instance as a block device, you can leverage most standard encryption tools for file system-level or block-level encryption
    • Block level encryption
      • Block level encryption tools usually operate below the file system layer using kernel space device drivers to perform encryption and decryption of data.
      • These tools are useful when you want all data written to a volume to be encrypted regardless of what directory the data is stored in
    • File System level encryption
      • File system level encryption usually works by stacking an encrypted file system on top of an existing file system.
      • This method is typically used to encrypt a specific directory
    • These solutions require you to provide keys, either manually or from your KMI.
    • Both block-level and file system-level encryption tools can only be used to encrypt data volumes that are not Amazon EBS boot volumes
    • Update: Amazon EBS now supports native encryption for both boot and data volumes through its built-in encryption feature integrated with AWS KMS. The limitation of third-party tools not supporting boot volume encryption is less relevant as EBS native encryption is the recommended approach.
  • AWS Storage Gateway
    • AWS Storage Gateway is a service connecting an on-premises software appliance with Amazon S3. Data on disk volumes attached to the AWS Storage Gateway will be automatically uploaded to Amazon S3 based on policy
    • Encryption of the source data on the disk volumes can be either done before writing to the disk or using block level encryption on the iSCSI endpoint that AWS Storage Gateway exposes to encrypt all data on the disk volume.
  • Amazon RDS
    • Amazon RDS doesn’t expose the attached disk it uses for data storage, transparent disk encryption using techniques for EBS section cannot be applied.
    • However, individual fields data can be encrypted before the data is written to RDS and decrypted after reading it.
    • Update: Amazon RDS now supports native KMS-based encryption at rest for all database engines. All new Amazon Aurora clusters are encrypted by default (Feb 2026).

Model B: You control the encryption method, AWS provides the KMI storage component, and you provide the KMI management layer

  • Model B is similar to Model A where the encryption method is managed by you
  • Model B differs in the approach to Model A where the keys are maintained in AWS CloudHSM rather than the on-premise key storage system
  • Only you have access to the cryptographic partitions within the dedicated HSM to use the keys
  • Update: With the new hsm2m.medium instance type (Aug 2024), CloudHSM provides FIPS 140-3 Level 3 certification, non-FIPS mode option, and increased key storage capacity (16,666 keys).

Model C: AWS controls the encryption method and the entire KMI

  • AWS provides and manages the server-side encryption of your data, transparently managing the encryption method and the keys.
  • AWS KMS and other services that encrypt your data directly use a method called envelope encryption to provide a balance between performance and security.
  • Envelope Encryption method
    • A master key (KMS key) is defined either by you or AWS
    • A data key (data encryption key) is generated by the AWS service at the time when data encryption is requested
    • Data key is used to encrypt your data.
    • Data key is then encrypted with a key-encrypting key (KMS key) unique to the service storing your data.
    • Encrypted data key and the encrypted data are then stored by the AWS storage service on your behalf.
  • KMS keys used to encrypt data keys are stored and managed separately from the data and the data keys
  • For decryption of the data, the process is reversed. Encrypted data key is decrypted using the KMS key; the data key is then used to decrypt your data
  • Authorized use of encryption keys is done automatically and is securely managed by AWS.
  • Because unauthorized access to those keys could lead to the disclosure of your data, AWS has built systems and processes with strong access controls that minimize the chance of unauthorized access and had these systems verified by third-party audits to achieve security certifications including SOC 1, 2, and 3, PCI-DSS, and FedRAMP.
  • Amazon S3
    • Important (Jan 2023): Amazon S3 now automatically encrypts ALL new objects with SSE-S3 as the base level of encryption. No action required — encryption is applied by default at no additional cost.
    • SSE-S3
      • AWS encrypts each object using a unique data key
      • Data key is encrypted with a periodically rotated master key managed by S3
      • Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard (AES) keys for both object and master keys
      • This is now the default encryption for all S3 objects
    • SSE-KMS
      • KMS keys are defined and managed in KMS for your account
      • Object Encryption
        • When an object is uploaded, a request is sent to KMS to create an object key.
        • KMS generates a unique object key and encrypts it using the KMS key; KMS then returns this encrypted object key along with the plaintext object key to Amazon S3.
        • Amazon S3 web server encrypts your object using the plaintext object key and stores the now encrypted object (with the encrypted object key) and deletes the plaintext object key from memory.
      • Object Decryption
        • To retrieve the encrypted object, Amazon S3 sends the encrypted object key to AWS KMS.
        • AWS KMS decrypts the object key using the correct KMS key and returns the decrypted (plaintext) object key to S3.
        • Amazon S3 decrypts the encrypted object, with the plaintext object key, and returns it to you.
    • DSSE-KMS (Dual-Layer Server-Side Encryption — New June 2023)
      • Applies two independent layers of encryption to objects using AES-256-GCM algorithm
      • Each layer uses a different implementation of AES-256-GCM for defense-in-depth
      • Both layers use KMS keys for key management
      • Designed to meet compliance requirements (e.g., NSA CNSSP 15) that mandate dual-layer encryption
      • Can be configured as bucket default encryption or specified per-object
    • SSE-C
      • Amazon S3 is provided an encryption key, while uploading the object
      • Encryption key is used by Amazon S3 to encrypt your data using AES-256
      • After object encryption, Amazon S3 deletes the encryption key
      • For downloading, you need to provide the same encryption key, which AWS matches, decrypts and returns the object
      • Update (April 2026): SSE-C is now disabled by default on all new S3 general purpose buckets. Existing buckets without SSE-C objects will also have SSE-C disabled. Must be explicitly enabled via bucket settings if needed.
    • S3 Bucket-Level Encryption Enforcement (Nov 2025): New setting to standardize encryption types (SSE-S3 or SSE-KMS only) for all write requests to a bucket.
  • Amazon EBS
    • When Amazon EBS volume is created, you can choose the KMS key to be used for encrypting the volume
    • Encryption by Default: You can enable EBS encryption by default per-region, so all newly created EBS volumes (including boot volumes) are automatically encrypted with the default KMS key or a specified key.
    • Volume encryption
      • Amazon EC2 server sends an authenticated request to AWS KMS to create a volume key.
      • AWS KMS generates this volume key, encrypts it using the KMS key, and returns the plaintext volume key and the encrypted volume key to the Amazon EC2 server.
      • Plaintext volume key is stored in memory to encrypt and decrypt all data going to and from your attached EBS volume.
    • Volume decryption
      • When the encrypted volume (or any encrypted snapshots derived from that volume) needs to be re-attached to an instance, a call is made to AWS KMS to decrypt the encrypted volume key.
      • AWS KMS decrypts this encrypted volume key with the correct KMS key and returns the decrypted volume key to Amazon EC2.
  • Amazon S3 Glacier
    • S3 Glacier provides encryption of the data, by default
    • Before it’s written to disk, data is always automatically encrypted using 256-bit AES keys unique to the service that are stored in separate systems under AWS control
    • S3 Glacier storage classes include: S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval (formerly S3 Glacier), and S3 Glacier Deep Archive
    • Note: The original standalone vault-based Amazon Glacier service stopped accepting new customers on December 15, 2025. Use S3 Glacier storage classes instead.
  • AWS Storage Gateway
    • AWS Storage Gateway transfers your data to AWS over SSL
    • AWS Storage Gateway stores data encrypted at rest in Amazon S3 or S3 Glacier using their respective server side encryption schemes.
  • Amazon RDS – Oracle
    • Oracle Advanced Security option for Oracle on Amazon RDS can be used to leverage the native Transparent Data Encryption (TDE) and Native Network Encryption (NNE) features
    • Oracle encryption module creates data and key-encrypting keys to encrypt the database
    • Key-encrypting keys specific to your Oracle instance on Amazon RDS are themselves encrypted by a periodically rotated 256-bit AES master key.
    • Master key is unique to the Amazon RDS service and is stored in separate systems under AWS control
    • Update: Amazon RDS also supports native KMS-based encryption at the storage layer (EBS-level encryption) as an alternative to Oracle TDE.
  • Amazon RDS – SQL Server
    • Transparent Data Encryption (TDE) can be provisioned for Microsoft SQL Server on Amazon RDS.
    • SQL Server encryption module creates data and key-encrypting keys to encrypt the database.
    • Key-encrypting keys specific to your SQL Server instance on Amazon RDS are themselves encrypted by a periodically rotated, regional 256-bit AES master key
    • Master key is unique to the Amazon RDS service and is stored in separate systems under AWS control
    • Update (Oct 2025): Amazon RDS for SQL Server now supports encrypting native backups using SSE-KMS.
  • Amazon Aurora (New – Feb 2026)
    • All new Aurora database clusters created on or after February 18, 2026 are encrypted at rest by default using AES-256 encryption
    • Uses AWS owned keys if no custom encryption is specified
    • Encryption is transparent with no performance impact
    • Existing unencrypted clusters are unaffected but can be migrated to encrypted clusters
    • Supports customer managed KMS keys for additional control

Sample Exam Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. How can you secure data at rest on an EBS volume?
    1. Encrypt the volume using the S3 server-side encryption service
    2. Attach the volume to an instance using EC2’s SSL interface.
    3. Create an IAM policy that restricts read and write access to the volume.
    4. Write the data randomly instead of sequentially.
    5. Use an encrypted file system on top of the EBS volume
  2. Your company policies require encryption of sensitive data at rest. You are considering the possible options for protecting data while storing it at rest on an EBS data volume, attached to an EC2 instance. Which of these options would allow you to encrypt your data at rest? (Choose 3 answers)
    1. Implement third party volume encryption tools
    2. Do nothing as EBS volumes are encrypted by default
    3. Encrypt data inside your applications before storing it on EBS
    4. Encrypt data using native data encryption drivers at the file system level
    5. Implement SSL/TLS for all services running on the server
  3. A company is storing data on Amazon Simple Storage Service (S3). The company’s security policy mandates that data is encrypted at rest. Which of the following methods can achieve this? Choose 3 answers
    1. Use Amazon S3 server-side encryption with AWS Key Management Service managed keys
    2. Use Amazon S3 server-side encryption with customer-provided keys
    3. Use Amazon S3 server-side encryption with EC2 key pair.
    4. Use Amazon S3 bucket policies to restrict access to the data at rest.
    5. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key
    6. Use SSL to encrypt the data while in transit to Amazon S3.
  4. Which 2 services provide native encryption
    1. Amazon EBS
    2. Amazon S3 Glacier
    3. Amazon Redshift (is optional)
    4. Amazon RDS (is optional)
    5. Amazon Storage Gateway
  5. With which AWS services CloudHSM can be used (select 2)
    1. S3
    2. DynamoDb
    3. RDS
    4. ElastiCache
    5. Amazon Redshift
  6. A company needs to ensure all new objects uploaded to Amazon S3 are encrypted. What is the MOST operationally efficient approach? [Updated 2023+]
    1. Create a bucket policy denying unencrypted uploads
    2. No action needed — S3 automatically encrypts all new objects with SSE-S3 by default since January 2023
    3. Enable default encryption on each bucket manually
    4. Use AWS Config rules to detect unencrypted objects
  7. A company requires FIPS 140-3 Level 3 validated key management. Which options meet this requirement? (Choose 2) [Updated 2024+]
    1. AWS KMS default key store
    2. AWS Secrets Manager
    3. AWS CloudHSM with hsm2m.medium instance type
    4. Amazon S3 SSE-S3 managed keys
    5. AWS Certificate Manager
  8. An organization needs to rotate KMS keys every 90 days for compliance. How can this be achieved? [New 2024]
    1. Create a Lambda function to create new keys quarterly
    2. This is not possible as KMS only supports annual rotation
    3. Configure automatic key rotation with a custom period of 90 days using the rotation period setting
    4. Use AWS Config to trigger manual key rotation
  9. A regulated financial institution requires encryption keys to remain outside AWS infrastructure at all times. Which AWS KMS feature addresses this requirement? [New 2024]
    1. AWS KMS custom key store with CloudHSM
    2. AWS KMS imported key material (BYOK)
    3. AWS KMS External Key Store (XKS)
    4. AWS CloudHSM with on-premises HSM replication
  10. Which Amazon S3 encryption option applies two independent layers of server-side encryption to objects? [New 2023]
    1. SSE-S3 with bucket key
    2. SSE-KMS with automatic key rotation
    3. DSSE-KMS (Dual-Layer Server-Side Encryption with KMS)
    4. SSE-C with two different customer keys

References

AWS Interaction Tools – Certification

AWS Interaction Tools Overview

AWS is API-driven and provides multiple interaction tools to enable communication with its services. These tools range from graphical interfaces to programmatic access, supporting diverse workflows and automation needs.

AWS Management Console

  • AWS Management Console is a web-based graphical user interface (GUI) to access and manage AWS services
  • Requires credentials in the form of User Name and Password (or federated identity via IAM Identity Center) to log in
  • Uses Query APIs underlying for its interaction with AWS
  • Supports Multi-Factor Authentication (MFA) for enhanced security
  • Includes Amazon Q Developer integration providing AI-powered assistance for resource analysis, troubleshooting, and best practices guidance directly within the console
  • Features Console-to-Code (GA Oct 2024) — records console actions and uses generative AI to generate equivalent AWS CLI commands, CloudFormation templates, or CDK code
  • Received a visual update (2024-2025) with improved typography, visual hierarchy, and streamlined navigation
  • Supports visual customization to selectively display relevant AWS Regions and services, reducing cognitive load
  • Available via the AWS Console Mobile App, which evolved into an operational platform in 2025 with AI assistance, observability, and financial management capabilities

AWS Command Line Interface (CLI)

  • AWS Command Line Interface (CLI) is a unified tool that provides a consistent interface for interacting with all parts of AWS
  • Provides commands for a broad set of AWS products, and is supported on Windows, Mac, and Linux
  • AWS CLI v2 is the current recommended version (GA since Feb 2020) with enhanced features including:
    • AWS IAM Identity Center (SSO) integration for authentication
    • Client-side pager for output
    • New output formats (announced 2025) with improved error messaging using aws: [ERROR]: prefix
    • Account-based endpoints using AWS account ID (2025)
    • OAuth 2.0 authorization code flows with PKCE (v2.22.0+, 2025) as default for aws sso login
    • Upgrade debug mode to assist migration from v1 to v2
  • AWS CLI v1 will enter maintenance mode on July 15, 2026 and reach end-of-support on July 15, 2027. Users should migrate to CLI v2.
  • CLI requires Access Key & Secret Key credentials (or IAM Identity Center/SSO token) for interaction
  • CLI constructs and sends requests to AWS, signing requests using credentials provided
  • Handles connection details such as calculating signatures, request retries, and error handling
  • Integrates with Amazon Q Developer CLI (2025) providing agentic coding capabilities — can read/write files, query AWS resources, write code, and debug issues from the terminal

AWS CloudShell

  • AWS CloudShell is a browser-based, pre-authenticated shell launched directly from the AWS Management Console
  • Based on Amazon Linux 2023 (migrated from AL2 in 2024)
  • Pre-installed with AWS CLI v2, Python, Node.js, git, make, pip, and other development tools
  • Supports Bash, PowerShell, and Z shell
  • Provides 1 GB of persistent storage per Region at no additional cost
  • Supports VPC connectivity, Docker environments, and improved start times (2024)
  • Users are pre-authenticated — no need to configure credentials separately
  • Replaced AWS Cloud9 as the recommended browser-based development environment (Cloud9 closed to new customers in July 2024)

Software Development Kits (SDKs)

  • Software Development Kits (SDKs) simplify using AWS services in applications with an API tailored to your programming language or platform
  • SDKs currently support a wide range of languages including:
    • Java (SDK v2.x — GA since Nov 2018; v1.x reached end-of-support Dec 2025)
    • Python (Boto3)
    • JavaScript/TypeScript (SDK v3.x — GA since Dec 2020; v2 end-of-support Sept 2025)
    • .NET (SDK v4.x — GA April 2025; v3.x still supported)
    • Go (SDK v2 — GA since Jan 2021; v1 end-of-support July 2025)
    • PHP (SDK v3.x)
    • Ruby
    • C++ (SDK v1.x)
    • Rust (GA since Nov 2023) — idiomatic, type-safe API with async/await and non-blocking IO
    • Kotlin (GA since Nov 2023) — multiplatform support for JVM and Android
    • Swift (GA since Sept 2024) — for iOS, macOS, and server-side Swift applications
  • SDKs construct and send requests to AWS, signing requests using credentials provided
  • Handle connection details such as calculating signatures, request retries, and error handling
  • Follow the AWS SDKs and Tools maintenance policy with defined lifecycle phases (GA → Maintenance → End-of-Support)

Infrastructure as Code (IaC) Tools

  • AWS CloudFormation — declarative infrastructure provisioning using JSON/YAML templates
    • 2025 enhancements: early validation, improved drift management, AI-powered development with IaC MCP Server
  • AWS Cloud Development Kit (CDK) — define infrastructure using familiar programming languages (TypeScript, Python, Java, C#, Go)
    • CDK v2 consolidates all stable constructs into a single aws-cdk-lib package
    • 2025: CLI and Construct Library split into independent release cadences
    • 2025: cdk refactor command (preview) for safe infrastructure reorganization
  • AWS SAM (Serverless Application Model) — extension of CloudFormation for serverless applications

Query APIs

  • Query APIs provide HTTP or HTTPS requests that use the HTTP verb GET or POST and a Query parameter named “Action”
  • Require Access Key & Secret Key credentials for authentication
  • Query APIs form the core of all access tools and require you to calculate signatures (Signature Version 4) and attach them to the request
  • All other tools (Console, CLI, SDKs) use Query APIs or REST APIs under the hood

AWS Tools for PowerShell

  • AWS Tools for PowerShell enables managing AWS services from the PowerShell command line
  • Built on the AWS SDK for .NET, exposing AWS services as PowerShell cmdlets
  • Available as AWS.Tools (modular), AWSPowerShell.NetCore, and AWSPowerShell packages
  • Supports IAM Identity Center (SSO) authentication
  • Available on Windows PowerShell 5.1+ and PowerShell 7+ (cross-platform)

Amazon Q Developer

  • Amazon Q Developer is an AI-powered assistant integrated across AWS tools:
    • In Console — provides resource analysis, operational troubleshooting, and best practices guidance
    • In CLI — agentic coding experience for reading/writing files, querying resources, and debugging
    • In IDEs — code generation, reviews, documentation, and unit test generation
    • Console-to-Code — records console actions and generates equivalent IaC code
  • Supports Model Context Protocol (MCP) for integration with external AI tools
  • Available in AWS CloudShell and SageMaker Unified Studio

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. REST or Query requests are HTTP or HTTPS requests that use an HTTP verb (such as GET or POST) and a parameter named Action or Operation that specifies the API you are calling.
    1. FALSE
    2. TRUE (Refer link)
  2. Through which of the following interfaces is AWS Identity and Access Management available?
    A) AWS Management Console
    B) Command line interface (CLI)
    C) IAM Query API
    D) Existing libraries

    1. Only through Command line interface (CLI)
    2. A, B and C
    3. A and C
    4. All of the above
  3. Which of the following programming languages have an officially supported AWS SDK? Choose 2 answers
    1. PHP
    2. Pascal
    3. Java
    4. SQL
    5. Perl
  4. HTTP Query-based requests are HTTP requests that use the HTTP verb GET or POST and a Query parameter named_____________.
    1. Action
    2. Value
    3. Reset
    4. Retrieve
  5. Which AWS service provides a browser-based shell environment that is pre-authenticated with your console credentials?
    1. AWS Cloud9
    2. AWS CloudShell
    3. Amazon EC2 Instance Connect
    4. AWS Systems Manager Session Manager
  6. A company wants to convert console actions into reusable infrastructure-as-code. Which AWS feature should they use?
    1. AWS CloudTrail
    2. AWS Config
    3. AWS Console-to-Code (Amazon Q Developer)
    4. AWS CloudFormation Designer
  7. Which of the following are valid AWS SDK languages as of 2025? (Choose 3)
    1. Rust
    2. Perl
    3. Kotlin
    4. COBOL
    5. Swift
  8. A developer needs to interact with AWS services from the command line using single sign-on credentials. Which approach is recommended?
    1. Store long-term access keys in ~/.aws/credentials
    2. Configure AWS CLI v2 with IAM Identity Center (SSO) authentication
    3. Use AWS CLI v1 with environment variables
    4. Embed credentials in application code

AWS DDoS Resiliency Best Practices Overview

AWS DDoS Resiliency – Best Practices

📋 Whitepaper Update Notice

The original AWS DDoS Best Practices whitepaper (June 2015) has been updated multiple times, with the latest revision dated August 9, 2023. AWS now marks it as “historical reference.” The current AWS DDoS protection guidance is integrated into the AWS WAF, Shield, and Firewall Manager Developer Guide.

This post has been updated to reflect the modern AWS DDoS protection services including AWS Shield, AWS WAF v2, AWS Firewall Manager, and the new Anti-DDoS Managed Rule Group (2026).

  • Denial of Service (DoS) is an attack, carried out by a single attacker, which attempts to make a website or application unavailable to the end users.
  • Distributed Denial of Service (DDoS) is an attack, carried out by multiple attackers either controlled or compromised by a group of collaborators, which generates a flood of requests to the application making it unavailable to the legitimate end users.
  • DDoS attacks can be segregated by which layer of the OSI model they attack:
    • Infrastructure layer attacks (Layer 3 and 4) — SYN/UDP floods, reflection attacks, amplification attacks
    • Application layer attacks (Layer 6 and 7) — HTTP/S floods, DNS query floods, SSL/TLS abuse

AWS DDoS Protection Services

  • AWS Shield Standard — Free, automatic protection for all AWS customers against common infrastructure DDoS attacks (Layer 3/4)
  • AWS Shield Advanced — Paid managed DDoS protection with enhanced detection, always-on automatic mitigation, 24/7 access to Shield Response Team (SRT), cost protection, and application layer protections
  • AWS WAF — Web application firewall for application layer (Layer 7) protection with managed rule groups, rate-based rules, and bot control
  • AWS Firewall Manager — Centralized security policy management across multiple accounts and resources in AWS Organizations
  • AWS Shield Network Security Director (Preview, 2025) — Analyzes network resources, identifies configuration issues, and provides remediation recommendations for comprehensive DDoS posture

Mitigation Techniques

Minimize the Attack Surface Area

  • Reduce the attack surface by minimizing the different Internet entry points that allow access to your application
  • Strategy to minimize the Attack surface area:
    • Reduce the number of necessary Internet entry points
    • Don’t expose back-end servers
    • Eliminate non-critical Internet entry points
    • Separate end user traffic from management traffic
    • Obfuscate necessary Internet entry points to the level that untrusted end users cannot access them
    • Decouple Internet entry points to minimize the effects of attacks
  • Benefits:
    • Minimizes the effective attack vectors and targets
    • Less to monitor and protect
  • Strategy can be achieved using AWS Virtual Private Cloud (VPC):
    • Defines a logically isolated virtual network within AWS
    • Provides ability to create Public & Private Subnets to launch internet-facing and non-public-facing instances accordingly
    • Provides NAT gateway allowing instances in private subnets to have internet access without Public IPs
    • Allows creation of Bastion hosts (or use AWS Systems Manager Session Manager) for connecting to instances in private subnets
    • Provides security groups for instances and NACLs for subnets to control and limit outbound and inbound traffic
    • Supports VPC endpoints (Gateway and Interface) to access AWS services privately without traversing the internet

VPC Architecture

Be Ready to Scale to Absorb the Attack

  • DDoS attacks mainly aim to overload systems beyond their capacity, rendering them unusable
  • Scaling out Benefits:
    • Helps build a resilient architecture
    • Makes the attacker work harder
    • Gives you time to think, analyze, and adapt
  • AWS services for scaling:
    • Auto Scaling & Elastic Load Balancing
      • Horizontal scaling using Auto Scaling with ELB (ALB, NLB, or CLB)
      • Auto Scaling allows instances to be added and removed as demand changes
      • ELB distributes traffic across multiple EC2 instances while acting as a single point of contact
      • Auto Scaling automatically registers and deregisters EC2 instances with the ELB during scale-out and scale-in events
      • Application Load Balancer (ALB) integrates natively with AWS WAF for Layer 7 protection
      • Network Load Balancer (NLB) handles millions of requests per second with ultra-low latency for Layer 4 traffic
    • EC2 Instance
      • Vertical scaling can be achieved by using appropriate EC2 instance types (e.g., EBS-optimized or ones with 25/100 Gbps network connectivity) to handle the load
    • Enhanced Networking
      • Use instances with Enhanced Networking capabilities (ENA) for high packet-per-second performance, low latency networking, and improved scalability
    • Amazon CloudFront
      • CloudFront is a CDN that acts as a proxy between end users and Origin servers, distributing content without sending all traffic to the Origin
      • Has inherent ability to mitigate both infrastructure and application layer DDoS attacks by dispersing traffic across multiple edge locations globally
      • AWS has multiple Internet connections for capacity and redundancy at each location, allowing isolation of attack traffic while serving legitimate end users
      • CloudFront filters to ensure only valid TCP connections and HTTP requests are processed, dropping invalid requests (commonly used in UDP & SYN floods, and slow reads)
      • CloudFront Security Dashboard (2023) provides unified CDN and security experience with one-click AWS WAF protection and built-in security monitoring
      • Integrates natively with AWS WAF and AWS Shield Advanced
    • Amazon Route 53
      • DDoS attacks also target DNS — if DNS is unavailable, the application is effectively unavailable
      • AWS Route 53 is a highly available and scalable DNS service with capabilities to withstand DDoS attacks:
        • Shuffle Sharding — spreads DNS requests over numerous PoPs using independent sets of edge locations, providing multiple paths to your application
        • Anycast Routing — advertises the same IP address from multiple PoPs, increasing redundancy; if one endpoint is overwhelmed, traffic routes to others
    • AWS Global Accelerator
      • Uses static anycast IP addresses as entry points to the AWS global network
      • Integrates with AWS Shield for DDoS mitigation at the edge, including a stateless SYN proxy that challenges new connections and only serves legitimate end users
      • Routes traffic over the AWS backbone network, away from the congested public internet
      • Provides fault isolation and deterministic routing for improved DDoS resiliency

Safeguard Exposed & Hard-to-Scale Resources

  • If entry points cannot be limited, additional measures to restrict access and protect those entry points without interrupting legitimate end user traffic
  • AWS services for protection:
    • CloudFront
      • Restrict access using Geo Restriction and Origin Access Control (OAC)
      • With Geo Restriction, access can be restricted to whitelisted countries or blocked from blacklisted countries
      • Origin Access Control (OAC) replaces the legacy Origin Access Identity (OAI) — allows access to S3 origins only through CloudFront while denying direct access. OAC supports SSE-KMS, dynamic requests, and all S3 regions.
    • Route 53
      • Alias Record sets and Private DNS make it easier to scale infrastructure and respond to DDoS attacks
      • Route 53 health checks enable automatic failover to healthy resources
    • AWS WAF (Web Application Firewall)
      • AWS WAF is a fully managed service (not EC2-based) that filters web traffic using customizable rules
      • Integrates directly with CloudFront, ALB, API Gateway, AppSync, App Runner, Cognito, and Verified Access
      • Key capabilities:
        • Rate-based rules — automatically blocks IPs exceeding request thresholds
        • Managed Rule Groups — pre-built rules for OWASP Top 10, known bad inputs, SQL injection, XSS
        • Bot Control — managed bot detection and mitigation covering 650+ unique bots and AI agents
        • Fraud Control — Account Takeover Prevention (ATP) and Account Creation Fraud Prevention (ACFP)
        • Anti-DDoS Managed Rule Group (AWSManagedRulesAntiDDoSRuleSet) — launched March 2026 as the default L7 DDoS protection; establishes traffic baselines, detects anomalies within seconds, and mitigates HTTP floods automatically
        • AI Bot Management — AI Activity Dashboard (Feb 2026) for visibility into AI scrapers, tools, and agents; supports AI traffic monetization
        • Geo-match conditions, IP set rules, regex pattern sets
        • Custom response bodies and headers
      • No longer requires the “WAF sandwich” pattern — AWS WAF is now a native, managed Layer 7 service that does not require separate EC2 instances
    • AWS Shield Advanced
      • Provides managed DDoS protection for CloudFront, Route 53, Global Accelerator, ELB, and EC2 Elastic IPs
      • Key features:
        • Always-on detection and automatic mitigation with sub-second time-to-mitigate
        • Application layer automatic mitigation — automatically deploys WAF rules during attacks
        • Shield Response Team (SRT) — 24/7 expert support during active DDoS events
        • Cost protection — credits for scaling charges incurred during DDoS attacks
        • DDoS visibility — real-time metrics, attack notifications, and forensic reports
        • Health-based detection — uses Route 53 health checks to improve detection accuracy and reduce false positives
        • Network Security Director (Preview, June 2025) — discovers resources, visualizes network topology, identifies security misconfigurations, and provides remediation recommendations using Amazon Q Developer
    • AWS Firewall Manager
      • Centrally configure and manage AWS WAF rules, Shield Advanced protections, security groups, Network Firewall, and DNS Firewall policies across all accounts in AWS Organizations
      • Automatically applies security policies to new resources as they are created
      • Provides compliance monitoring and reporting

DDOS Resiliency - WAF Sandwich Architecture (Legacy Pattern)

Note: The WAF Sandwich pattern shown above is a legacy architecture. AWS WAF is now a fully managed service that integrates natively with ALB, CloudFront, API Gateway, and other services — no separate EC2-based WAF instances are needed.

Learn Normal Behavior

  • Understand the normal levels and patterns of traffic for your application and use that as a benchmark for identifying abnormal traffic or resource spikes
  • Benefits:
    • Allows one to spot abnormalities
    • Configure alarms with accurate thresholds
    • Assists with generating forensic data
  • AWS services for tracking and detection:
    • Amazon CloudWatch
      • Monitor infrastructure and applications running on AWS
      • Collect metrics, log files, and set alarms for when metrics pass predetermined thresholds
      • Shield Advanced publishes DDoS metrics: DDoSDetected, DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, DDoSAttackRequestsPerSecond
    • VPC Flow Logs
      • Capture traffic to instances in a VPC to understand traffic patterns and detect anomalies
      • Can be published to CloudWatch Logs or S3 for analysis
    • AWS WAF Logging & Metrics
      • Full logging of all evaluated requests to S3, CloudWatch Logs, or Kinesis Data Firehose
      • Real-time metrics in CloudWatch for blocked/allowed/counted requests
      • Traffic Overview Dashboard (2025) — near-real-time summaries including total requests, blocked requests, bot categories, CAPTCHA solve rates, and top matched rules
    • AWS CloudTrail
      • Logs API calls for auditing configuration changes to WAF, Shield, and security groups

Create a Plan for Attacks

  • Have a plan in place before an attack, which ensures that:
    • Architecture has been validated and techniques selected work for the infrastructure
    • Costs for increased resiliency have been evaluated and the goals of your defense are understood
    • Contact points have been identified
    • Runbooks exist for DDoS incident response
  • AWS Shield Advanced SRT engagement — proactive or reactive engagement with DDoS experts
  • AWS Support — Business or Enterprise Support plans provide access to 24/7 support during attacks

DDoS-Resilient Reference Architecture

AWS recommends using the following services at the edge for maximum DDoS resiliency:

  • Edge Layer: Amazon CloudFront + AWS WAF + AWS Shield (Standard/Advanced) + Amazon Route 53
  • Network Layer: AWS Global Accelerator + Elastic Load Balancing (ALB/NLB) + VPC with NACLs and Security Groups
  • Application Layer: Auto Scaling groups + EC2 instances in multiple AZs
  • Management Layer: AWS Firewall Manager for centralized policy management across accounts

Key principle: Push traffic as far from the origin as possible using CloudFront, Global Accelerator, and Route 53 to leverage AWS’s globally distributed DDoS mitigation capacity (terabits scale).

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. You are designing a social media site and are considering how to mitigate distributed denial-of-service (DDoS) attacks. Which of the below are viable mitigation techniques? (Choose 3 answers)
    1. Add multiple elastic network interfaces (ENIs) to each EC2 instance to increase the network bandwidth.
    2. Use dedicated instances to ensure that each instance has the maximum performance possible.
    3. Use an Amazon CloudFront distribution for both static and dynamic content.
    4. Use an Elastic Load Balancer with auto scaling groups at the web app and Amazon Relational Database Service (RDS) tiers
    5. Add alert Amazon CloudWatch to look for high Network in and CPU utilization.
    6. Create processes and capabilities to quickly add and remove rules to the instance OS firewall.
  2. You’ve been hired to enhance the overall security posture for a very large e-commerce site. They have a well architected multi-tier application running in a VPC that uses ELBs in front of both the web and the app tier with static assets served directly from S3. They are using a combination of RDS and DynamoDB for their dynamic data and then archiving nightly into S3 for further processing with EMR. They are concerned because they found questionable log entries and suspect someone is attempting to gain unauthorized access. Which approach provides a cost effective scalable mitigation to this kind of attack?
    1. Recommend that they lease space at a DirectConnect partner location and establish a 1G DirectConnect connection to their VPC they would then establish Internet connectivity into their space, filter the traffic in hardware Web Application Firewall (WAF). And then pass the traffic through the DirectConnect connection into their application running in their VPC. (Not cost effective)
    2. Add previously identified hostile source IPs as an explicit INBOUND DENY NACL to the web tier subnet. (does not protect against new source)
    3. Add a WAF tier by creating a new ELB and an AutoScaling group of EC2 Instances running a host-based WAF. They would redirect Route 53 to resolve to the new WAF tier ELB. The WAF tier would then pass the traffic to the current web tier. The web tier Security Groups would be updated to only allow traffic from the WAF tier Security Group (Note: This describes the legacy “WAF sandwich” pattern. In modern AWS, you would simply enable AWS WAF on the existing ALB — no separate EC2 WAF tier is needed.)
    4. Remove all but TLS 1.2 from the web tier ELB and enable Advanced Protocol Filtering This will enable the ELB itself to perform WAF functionality. (No advanced protocol filtering in ELB)
  3. A company wants to protect its web application from Layer 7 DDoS attacks and common web exploits. The application uses Amazon CloudFront with an Application Load Balancer origin. Which combination of AWS services provides the MOST effective protection? (Choose 2 answers)
    1. Enable AWS Shield Advanced on the CloudFront distribution and ALB with automatic application layer DDoS mitigation
    2. Deploy AWS Network Firewall in front of the ALB
    3. Associate an AWS WAF web ACL with rate-based rules and the Anti-DDoS Managed Rule Group on the CloudFront distribution
    4. Use Security Groups on the ALB to block malicious IPs
    5. Enable VPC Flow Logs and manually block attacking IPs
  4. A security team needs to protect multiple AWS accounts’ web applications from DDoS attacks with consistent security policies. Which approach provides centralized management with automatic enforcement?
    1. Manually configure AWS WAF rules on each account’s resources
    2. Use AWS Firewall Manager to define WAF and Shield Advanced policies across the AWS Organization
    3. Deploy third-party WAF appliances in each VPC
    4. Use AWS Config rules to audit WAF configurations
  5. Which AWS service provides automatic, always-on protection against common DDoS attacks at no additional cost for ALL AWS customers?
    1. AWS WAF
    2. AWS Shield Standard
    3. AWS Shield Advanced
    4. AWS Firewall Manager
  6. A company is experiencing an active DDoS attack on their application behind CloudFront. They have AWS Shield Advanced enabled. Which features are available to help mitigate the attack? (Choose 3 answers)
    1. 24/7 access to the AWS Shield Response Team (SRT)
    2. Automatic VPC security group rule updates
    3. Automatic application layer mitigation through managed WAF rules
    4. Cost protection credits for scaling charges incurred during the attack
    5. Automatic CloudFront distribution disablement

References

 

AWS ELB Monitoring

AWS ELB Monitoring

  • Elastic Load Balancing publishes data points to Amazon CloudWatch about the load balancers and targets (or back-end instances for Classic Load Balancer).
  • Elastic Load Balancing reports metrics to CloudWatch only when requests are flowing through the load balancer.
    • If there are requests flowing through the load balancer, Elastic Load Balancing measures and sends its metrics in 60-second intervals.
    • If there are no requests flowing through the load balancer or no data for a metric, the metric is not reported.
  • AWS provides four types of load balancers, each with its own monitoring capabilities:
    • Application Load Balancer (ALB) – Layer 7, HTTP/HTTPS/gRPC
    • Network Load Balancer (NLB) – Layer 4, TCP/UDP/TLS
    • Gateway Load Balancer (GWLB) – Layer 3, transparent network gateway
    • Classic Load Balancer (CLB) – Previous generation (Layer 4/7)
  • ELB monitoring options include CloudWatch metrics, access logs, connection logs, health check logs, CloudTrail logs, and CloudWatch Internet Monitor.

CloudWatch Metrics

Classic Load Balancer (CLB) Metrics

  • CLB metrics use the AWS/ELB namespace.
  • HealthyHostCount, UnHealthyHostCount
    • Number of healthy and unhealthy instances registered with the load balancer.
    • Most useful statistics are Average, Min, and Max.
  • RequestCount
    • Number of requests completed or connections made during the specified interval (1 or 5 minutes).
    • Most useful statistic is Sum.
  • Latency
    • Time elapsed, in seconds, after the request leaves the load balancer until the headers of the response are received.
    • Most useful statistic is Average.
  • SurgeQueueLength
    • Total number of requests that are pending routing.
    • Load balancer queues a request if it is unable to establish a connection with a healthy instance in order to route the request.
    • Maximum size of the queue is 1,024. Additional requests are rejected when the queue is full.
    • Most useful statistic is Max, because it represents the peak of queued requests.
  • SpilloverCount
    • The total number of requests that were rejected because the surge queue is full. Should ideally be 0.
    • Most useful statistic is Sum.
  • HTTPCode_ELB_4XX, HTTPCode_ELB_5XX
    • Client and server error codes generated by the load balancer.
    • Most useful statistic is Sum.
  • HTTPCode_Backend_2XX, HTTPCode_Backend_3XX, HTTPCode_Backend_4XX, HTTPCode_Backend_5XX
    • Number of HTTP response codes generated by registered instances.
    • Most useful statistic is Sum.

Application Load Balancer (ALB) Metrics

  • ALB metrics use the AWS/ApplicationELB namespace.
  • ActiveConnectionCount – Total concurrent TCP connections active from clients to the load balancer and from the load balancer to targets. Useful statistic: Sum.
  • NewConnectionCount – Total new TCP connections established from clients to the load balancer and from the load balancer to targets. Useful statistic: Sum.
  • RejectedConnectionCount – Number of connections rejected because the load balancer reached its maximum number of connections. Useful statistic: Sum.
  • RequestCount – Number of requests processed over IPv4 and IPv6. Useful statistic: Sum.
  • TargetResponseTime – Time elapsed after the request leaves the load balancer until the target starts to send response headers. Useful statistics: Average, pNN.NN (percentiles).
  • HealthyHostCount, UnHealthyHostCount – Number of healthy/unhealthy targets. Useful statistics: Average, Min, Max.
  • HTTPCode_Target_2XX_Count through 5XX_Count – HTTP response codes generated by targets. Useful statistic: Sum.
  • HTTPCode_ELB_4XX_Count, HTTPCode_ELB_5XX_Count – HTTP error codes generated by the load balancer itself. Useful statistic: Sum.
  • ClientTLSNegotiationErrorCount – TLS connections initiated by clients that did not establish a session with the load balancer. Useful statistic: Sum.
  • TargetConnectionErrorCount – Connections that were not successfully established between the load balancer and target. Useful statistic: Sum.
  • ProcessedBytes – Total bytes processed by the load balancer over IPv4 and IPv6. Useful statistic: Sum.
  • ConsumedLCUs – Number of Load Balancer Capacity Units (LCU) consumed. Used for billing calculations.
  • RuleEvaluations – Number of rules evaluated while processing requests.
  • AnomalousHostCount – Number of targets detected with anomalies (used with Automatic Target Weights). Useful statistics: Min, Max.

Network Load Balancer (NLB) Metrics

  • NLB metrics use the AWS/NetworkELB namespace.
  • ActiveFlowCount – Total number of concurrent flows (connections) from clients to targets. Useful statistic: Average.
  • NewFlowCount – Total number of new flows established from clients to targets. Useful statistic: Sum.
  • ProcessedBytes – Total bytes processed by the load balancer (TCP/TLS, UDP). Useful statistic: Sum.
  • TCP_Client_Reset_Count, TCP_Target_Reset_Count, TCP_ELB_Reset_Count – Number of reset (RST) packets sent from client, target, or the load balancer.
  • HealthyHostCount, UnHealthyHostCount – Number of healthy/unhealthy targets.
  • ConsumedLCUs – Number of Network Load Balancer Capacity Units consumed.
  • PeakBytesPerSecond – Highest average bytes per second for the load balancer during a period.

Gateway Load Balancer (GWLB) Metrics

  • GWLB metrics use the AWS/GatewayELB namespace.
  • ActiveFlowCount, NewFlowCount – Concurrent and new flows from clients to targets.
  • ProcessedBytes – Total bytes processed by the GWLB.
  • HealthyHostCount, UnHealthyHostCount – Number of healthy/unhealthy targets.
  • GWLB does NOT generate access logs since it is a transparent Layer 3 load balancer that does not terminate flows.

Elastic Load Balancer Access Logs

  • Elastic Load Balancing provides access logs that capture detailed information about all requests sent to the load balancer.
  • Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses.
  • Access logging is disabled by default and can be enabled without any additional charge. You are only charged for S3 storage.
  • Access logs are supported for ALB, NLB, and CLB. GWLB does not generate access logs.

ALB Access Logs

  • ALB publishes a log file for each load balancer node every 5 minutes to Amazon S3.
  • Log entries include: request type, timestamp, ELB name, client:port, target:port, request processing time, target processing time, response processing time, ELB/target status codes, received/sent bytes, request details, user agent, SSL cipher/protocol, target group ARN, trace ID, and more.

NLB Access Logs

  • NLB access logs capture information about TLS requests sent to the load balancer.
  • Logs can be stored in Amazon S3.
  • New (Nov 2025): NLB access logs now support delivery as CloudWatch Vended Logs, enabling direct delivery to CloudWatch Logs, Amazon Data Firehose, and Amazon S3 with Apache Parquet format support. This allows real-time log analysis using CloudWatch Logs Insights and Live Tail.

ALB Connection Logs

  • Connection logs capture detailed information about TLS connections established between clients and the ALB.
  • Useful for troubleshooting TLS client connection issues (e.g., mTLS failures, cipher mismatches).
  • Connection logs are stored in Amazon S3, with a log file published every 5 minutes.
  • This is an optional feature, disabled by default.
  • Log entries include: timestamp, client IP:port, listener port, TLS protocol/cipher, connection status, client certificate details (for mTLS), and more.

ALB Health Check Logs

  • New (Nov 2025): ALB now supports Health Check Logs that send detailed target health check data directly to a designated Amazon S3 bucket.
  • This optional feature captures:
    • Health check status (healthy/unhealthy)
    • Timestamps
    • Target identification data
    • Failure reasons for unhealthy targets
  • Health check logs are published every 5 minutes per load balancer node.
  • Helps troubleshoot intermittent target health check failures without needing to rely solely on CloudWatch metrics.
  • No additional charge; you pay only for S3 storage.

CloudWatch Internet Monitor

  • Amazon CloudWatch Internet Monitor provides internet performance and availability measurements for user traffic to load balancers.
  • Monitors internet traffic patterns and identifies issues that affect internet connectivity between users and AWS.
  • Supported for both ALB and NLB.
  • NLB integration (Sep 2024): You can create or associate a monitor for an NLB directly when creating it in the AWS Management Console.
  • Provides city-level visibility into performance impairments and their geographic scope.

CloudWatch Network Flow Monitor

  • New (Dec 2024, re:Invent): CloudWatch Network Flow Monitor offers network performance monitoring across AWS managed services.
  • Provides near real-time visibility into network performance for traffic between compute resources (EC2, EKS), to AWS services (S3, DynamoDB), and to other AWS Regions.
  • Uses lightweight agents to gather TCP connection performance statistics (packet loss, latency).
  • Can determine if AWS is the cause of a detected network issue for monitored flows.

ALB Automatic Target Weights (ATW)

  • New (Nov 2023): ALB supports Automatic Target Weights (ATW), which uses anomaly detection to optimize traffic routing.
  • ATW detects and mitigates gray failures — situations where a target passes health checks but still returns elevated errors.
  • Anomaly detection is automatically enabled on HTTP/HTTPS target groups with at least three healthy targets.
  • ATW analyzes HTTP return status codes and TCP/TLS errors to identify anomalous targets and reduces traffic to them.
  • Provides the AnomalousHostCount CloudWatch metric to monitor detected anomalies.

CloudWatch Anomaly Detection Alarms

  • CloudWatch anomaly detection uses machine learning to model expected metric behavior and automatically creates upper and lower bounds.
  • Can be used with ELB metrics like TargetResponseTime, RequestCount, HTTPCode_ELB_5XX to detect unusual patterns.
  • Recommended approach for monitoring ELB performance without manually setting static thresholds.
  • Works with ALB, NLB, CLB, and GWLB metrics.

CloudTrail Logs

  • AWS CloudTrail captures all API calls to the Elastic Load Balancing API made by or on behalf of your AWS account.
  • API calls can be made directly, or indirectly through the AWS Management Console, AWS CLI, or SDKs.
  • CloudTrail stores the information as log files in an Amazon S3 bucket.
  • Logs can be used to monitor load balancer activity and determine what API call was made, what source IP address was used, who made the call, when it was made, and so on.
  • Applies to all ELB types (ALB, NLB, GWLB, CLB).

Classic Load Balancer – Migration Recommendation

⚠️ Note: Classic Load Balancer is the previous generation load balancer. AWS strongly recommends migrating to Application Load Balancer (Layer 7) or Network Load Balancer (Layer 4).

EC2-Classic networking was fully retired in August 2023. While CLB continues to function in VPC, no new features are being added to it. Use the AWS Migration Wizard to move to ALB or NLB.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. An admin is planning to monitor the ELB. Which of the below mentioned services does not help the admin capture the monitoring information about the ELB activity?
    1. ELB Access logs
    2. ELB health check
    3. CloudWatch metrics
    4. ELB API calls with CloudTrail
  2. A customer needs to capture all client connection information from their load balancer every five minutes. The company wants to use this data for analyzing traffic patterns and troubleshooting their applications. Which of the following options meets the customer requirements?
    1. Enable AWS CloudTrail for the load balancer.
    2. Enable access logs on the load balancer.
    3. Install the Amazon CloudWatch Logs agent on the load balancer.
    4. Enable Amazon CloudWatch metrics on the load balancer.
  3. Your supervisor has requested a way to analyze traffic patterns for your application. You need to capture all connection information from your load balancer every 10 minutes. Pick a solution from below. Choose the correct answer:
    1. Enable access logs on the load balancer.
    2. Create a custom metric CloudWatch filter on your load balancer.
    3. Use a CloudWatch Logs Agent.
    4. Use AWS CloudTrail with your load balancer.
  4. A company runs a web application behind an Application Load Balancer. Some users are experiencing intermittent 5XX errors but health checks show all targets as healthy. Which ALB feature can automatically detect and mitigate this issue?
    1. Cross-Zone Load Balancing
    2. Automatic Target Weights (ATW)
    3. Connection Draining
    4. Sticky Sessions
  5. A DevOps engineer needs to troubleshoot why targets behind an ALB are intermittently failing health checks. Which recently introduced feature provides detailed health check failure reasons stored in S3?
    1. ALB Access Logs
    2. CloudWatch HealthyHostCount metric
    3. ALB Health Check Logs
    4. AWS CloudTrail
  6. A solutions architect wants to analyze NLB access logs in near real-time using CloudWatch Logs Insights. Which delivery option should they configure?
    1. Enable NLB access logs to S3 and create Athena queries
    2. Configure NLB access logs as CloudWatch Vended Logs
    3. Enable VPC Flow Logs on the NLB
    4. Install CloudWatch Agent on NLB nodes
  7. Which of the following is a metric specific to Classic Load Balancer that indicates the load balancer cannot route requests because the queue is full?
    1. RejectedConnectionCount
    2. TargetConnectionErrorCount
    3. SpilloverCount
    4. HTTPCode_ELB_503
  8. A company wants to identify if AWS infrastructure is causing latency issues for users connecting to their Network Load Balancer from different geographic locations. Which service should they use?
    1. AWS X-Ray
    2. CloudWatch Metrics
    3. Amazon CloudWatch Internet Monitor
    4. VPC Flow Logs

References

AWS Bastion Host – Secure SSH/RDP Access

Bastion Host Overview

📌 2025 Update: Modern Alternatives to Bastion Hosts

While bastion hosts remain a valid architecture pattern, AWS now offers several modern alternatives that eliminate the need for managing a dedicated jump server:

The AWS Quick Start for Linux Bastion was archived in October 2024 as part of the full AWS Quick Start program retirement.

  • Bastion means a structure for Fortification to protect things behind it
  • In AWS, a Bastion host (also referred to as a Jump server) can be used to securely access instances in the private subnets.
  • Bastion host launched in the Public subnets would act as a primary access point from the Internet and acts as a proxy to other instances.

Bastion Host

Key points

  • Bastion host is deployed in the Public subnet and acts as a proxy or a gateway between you and your instances
  • Bastion host is a security measure that helps to reduce attack on your infrastructure and you have to concentrate to hardening a single layer
  • Bastion host allows you to login to instances in the Private subnet securely without having to store the private keys on the Bastion host (using ssh-agent forwarding or RDP gateways)
  • Bastion host security can be further tightened to allow SSH/RDP access from specific trusted IPs or corporate IP ranges
  • Bastion host for your AWS infrastructure shouldn’t be used for any other purpose, as that could open unnecessary security holes
  • Security for all the Instances in the private subnet should be hardened to accept SSH/RDP connections only from the Bastion host
  • Deploy a Bastion host within each Availability Zone for HA, cause if the Bastion instance or the AZ hosting the Bastion server goes down the ability to connect to your private instances is lost completely

Modern Alternatives to Bastion Hosts

EC2 Instance Connect Endpoint (EIC Endpoint)

  • Launched in June 2023, EC2 Instance Connect Endpoint allows secure connectivity to instances in private subnets from the internet without requiring a bastion host
  • No IGW in the VPC, no public IP on the instance, and no agent installation required
  • Supports SSH and RDP connections using private IP addresses
  • Access is controlled through IAM policies and security groups
  • Available at no additional cost
  • One EIC Endpoint per VPC; supported in all AWS Regions except Canada West (Calgary)
  • Ideal for ad-hoc access to private instances without maintaining bastion infrastructure

AWS Systems Manager Session Manager

  • Provides secure, auditable instance management without opening inbound ports (no port 22/3389 needed)
  • No SSH keys to manage – access is controlled entirely through IAM policies
  • Requires SSM Agent installed on the instance (pre-installed on Amazon Linux 2, Amazon Linux 2023, and many other AMIs)
  • Provides full audit trail in AWS CloudTrail and session logging to S3/CloudWatch
  • Supports port forwarding for accessing applications on private instances
  • Works with instances in private subnets without internet access (via VPC endpoints)
  • Recommended by AWS as a bastion host replacement for operational access

AWS Verified Access

  • Provides secure, VPN-less access based on Zero Trust principles
  • Originally supported only HTTP/HTTPS applications (GA April 2023)
  • Non-HTTP protocol support (SSH, RDP, TCP) went GA in February 2025
  • Evaluates access based on user identity and device security posture on every request
  • Uses Cedar policy language for fine-grained access control
  • Integrates with identity providers (IdPs) and device trust providers (Jamf, CrowdStrike, etc.)
  • Achieved FedRAMP High and Moderate authorization (March 2025)
  • Ideal for enterprise environments requiring identity-aware, device-trust-based access

When to Still Use a Bastion Host

  • Legacy environments where SSM Agent cannot be installed
  • Compliance requirements mandating a traditional network perimeter
  • Environments needing specific protocol support not covered by alternatives
  • Third-party access where IAM-based solutions are not feasible
  • AWS certification exams still heavily test bastion host concepts

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that is not connected to their corporate network. They are connecting to the VPC over the Internet to manage all of their Amazon EC2 instances running in both the public and private subnets. They have only authorized the bastion-security-group with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC. Which of the following Bastion deployment scenarios will meet this requirement?
    1. Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in the VPC.
    2. Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow SSH access to the bastion from anywhere.
    3. Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and restrict RDP access to the bastion from only the corporate public IP addresses.
    4. Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and allow RDP access to the bastion from only the corporate public IP addresses.
  2. You are designing a system that has a Bastion host. This component needs to be highly available without human intervention. Which of the following approaches would you select?
    1. Run the bastion on two instances one in each AZ
    2. Run the bastion on an active Instance in one AZ and have an AMI ready to boot up in the event of failure
    3. Configure the bastion instance in an Auto Scaling group Specify the Auto Scaling group to include multiple AZs but have a min-size of 1 and max-size of 1
    4. Configure an ELB in front of the bastion instance
  3. You’ve been brought in as solutions architect to assist an enterprise customer with their migration of an ecommerce platform to Amazon Virtual Private Cloud (VPC) The previous architect has already deployed a 3- tier VPC. The configuration is as follows: VPC vpc-2f8t>C447
    IGW ig-2d8bc445
    NACL acl-2080c448
    Subnets and Route Tables:
    Web server’s subnet-258bc44d
    Application server’s subnet-248DC44c
    Database server’s subnet-9189c6f9
    Route Tables:
    rtb-2i8bc449
    rtb-238bc44b
    Associations:
    Subnet-258bc44d: rtb-2i8bc449
    Subnet-248DC44c: rtb-238bc44b
    Subnet-9189c6f9: rtb-238bc44b
    You are now ready to begin deploying EC2 instances into the VPC. Web servers must have direct access to the internet Application and database servers cannot have direct access to the internet. Which configuration below will allow you the ability to remotely administer your application and database servers, as well as allow these servers to retrieve updates from the Internet?

    1. Create a bastion and NAT Instance in subnet-258bc44d and add a route from rtb-238bc44b to subnet-258bc44d. (Route should point to the NAT)
    2. Add a route from rtb-238bc44b to igw-2d8bc445 and add a bastion and NAT instance within Subnet-248DC44c. (Adding IGW to routertb-238bc44b would expose the Application and Database server to internet. Bastion and NAT should be in public subnet)
    3. Create a Bastion and NAT Instance in subnet-258bc44d. Add a route from rtb-238bc44b to igw-2d8bc445. And a new NACL that allows access between subnet-258bc44d and subnet-248bc44c. (Route should point to NAT and not Internet Gateway else it would be internet accessible.)
    4. Create a Bastion and NAT instance in subnet-258bc44d and add a route from rtb-238bc44b to the NAT instance. (Bastion and NAT should be in the public subnet. As Web Server has direct access to Internet, the subnet subnet-258bc44d should be public and Route rtb-2i8bc449 pointing to IGW. Route rtb-238bc44b for private subnets should point to NAT for outgoing internet access)
  4. You are tasked with setting up a Linux bastion host for access to Amazon EC2 instances running in your VPC. Only clients connecting from the corporate external public IP address 72.34.51.100 should have SSH access to the host. Which option will meet the customer requirement?
    1. Security Group Inbound Rule: Protocol – TCP. Port Range – 22, Source 72.34.51.100/32
    2. Security Group Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32
    3. Network ACL Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32
    4. Network ACL Inbound Rule: Protocol – TCP, Port Range-22, Source 72.34.51.100/0
  5. A company needs to provide secure access to EC2 instances in private subnets without managing SSH keys or opening inbound ports. The solution must provide an audit trail of all sessions. Which AWS service should they use?
    1. Deploy a bastion host in a public subnet with an Auto Scaling group
    2. Use AWS Systems Manager Session Manager with IAM-based access control
    3. Use EC2 Instance Connect Endpoint with a public IP on the instances
    4. Configure a VPN connection from the corporate network
  6. A solutions architect needs to allow developers to connect via SSH to EC2 instances in a private subnet that has no internet gateway and no NAT gateway. The instances do not have public IP addresses. Which solution requires the LEAST operational overhead?
    1. Deploy a bastion host in a public subnet and configure security groups
    2. Set up an AWS Site-to-Site VPN connection
    3. Create an EC2 Instance Connect Endpoint in the VPC
    4. Configure AWS Direct Connect with a private virtual interface
  7. An enterprise wants to implement zero trust access to their internal applications and SSH-based administration of EC2 instances. Access should be granted based on user identity and device security posture without using a VPN or bastion host. Which AWS service meets these requirements?
    1. AWS Systems Manager Session Manager
    2. EC2 Instance Connect Endpoint
    3. AWS Verified Access
    4. AWS Client VPN
  8. Which of the following are valid modern alternatives to using a bastion host for accessing private EC2 instances? (Select THREE)
    1. AWS Systems Manager Session Manager
    2. Amazon Inspector
    3. EC2 Instance Connect Endpoint
    4. AWS Config
    5. AWS Verified Access with non-HTTP protocol support

Related Posts

AWS Consolidated Billing – Multi-Account Savings

AWS Consolidated Billing

  • Consolidated billing enables consolidating payments from multiple AWS accounts (Linked or Member Accounts) within the organization to a single account by designating it to be the Management (formerly Payer) Account.
  • Every organization in AWS Organizations has a management account that pays the charges of all the member accounts.
  • Consolidated billing is automatically enabled when you create an AWS Organization and is offered at no additional cost.
  • Consolidate billing
    • is strictly an accounting and billing feature.
    • allows receiving a combined view of charges incurred by all the associated accounts as well as each of the accounts.
    • is not a method for controlling accounts, or provisioning resources for accounts.
  • Management account is billed for all charges of the member accounts.
  • Each linked account is still an independent account in every other way.
  • AWS Organization Consolidated Billing feature does not allow the Management account to access data belonging to the linked account owners. All Features mode needs to be enabled for organizational policies.
  • However, access to the Management account users can be granted through Cross-Account Access roles.
  • AWS limits work on the account level only and AWS support is per account only.
  • All workload resources should reside only within member accounts and no resource should be created in the management account (AWS Well-Architected best practice).

Consolidated Billing Process

  • AWS Organizations provides consolidated billing so that the combined costs of all the member accounts in your organization can be tracked.
  • Create an Organization.
  • Create member accounts or invite existing accounts to join the organization.
  • Each month AWS charges your management account for all the member accounts in a consolidated bill.
  • The consolidated bill is available within minutes and includes detailed breakdowns by account, service, and region.

Consolidated Billing Scenarios

  • Have multiple accounts and want to get a single bill and track each account’s charges for e.g. multiple projects, each with its own AWS account or separate environments (Dev, Prod) within the same project.
  • Have multiple cost centers to track.
  • Have acquired a project or company with its own existing AWS account and you want a consolidated bill with your other AWS accounts.
  • Have multiple organizations and want centralized billing management across them (using AWS Billing Transfer).

Consolidated Billing Benefits

  • One Bill
    • A single bill with a combined view of AWS costs incurred by all accounts is generated.
  • Easy Tracking
    • Detailed cost reports & charges for each of the individual AWS accounts associated with the management account can be easily tracked.
    • Use Cost Allocation Tags to categorize and track costs; tags are included in the detailed billing report.
  • Combined Usage & Volume Discounts
    • Charges might actually decrease because AWS combines usage from all the accounts to qualify you for volume pricing discounts.
  • Free Tier
    • Customers that use Consolidated Billing to consolidate payment across multiple accounts will only have access to one free usage tier and it is not combined across accounts.
  • No Extra Cost
    • Consolidated billing is offered at no additional cost.

Volume Pricing Discounts

  • For billing purposes, AWS treats all the accounts in the organization on the consolidated bill as if they were one account.
  • AWS combines the usage from all accounts to determine which volume pricing tiers to apply, giving you a lower overall price whenever possible.
  • This applies to services with tiered pricing such as S3 storage, data transfer, and DynamoDB.

Volume Discounts Example

  • Example AWS Pricing – AWS charges $0.17/GB for the first 10 TB of data transfer out used, and $0.13/GB for the next 40 TB used that translates into $174.08 per TB for the first 10 TB, and $133.12 per TB for the next 40 TB.
  • Usage – Bob uses 8 TB of data transfer out during the month, and Susan uses 4 TB (for a total of 12 TB used).
  • Actual Individual Bill – AWS would have charged Bob and Susan each $174.08 per TB for their usage, for a total of $2088.96.
  • Volume Discount Bill – Combined 12 TB total that Bob and Susan used, would cost the management account ($174.08 * 10 TB) + ($133.12 * 2 TB) = $1740.80 + $266.24 = $2007.04.

Reserved Instances and Savings Plans Sharing

  • All member accounts in an Organization on a consolidated bill can receive the hourly cost-benefit of Reserved Instances (RIs) and Savings Plans that are purchased by any other account.
  • The management account of an organization can turn off Reserved Instance and Savings Plans discount sharing for any accounts in that organization, including the management account.
  • RIs and Savings Plans discounts aren’t shared between any accounts that have sharing turned off. To share an RI or Savings Plans discount with an account, both accounts must have sharing turned on.
  • For e.g., Bob and Susan each have an account on Bob’s consolidated bill. Susan has 5 Reserved Instances of the same type, and Bob has none. During one particular hour, Susan uses 3 instances and Bob uses 6, for a total of 9 instances used on Bob’s consolidated bill. AWS will bill 5 as Reserved Instances, and the remaining 4 as normal instances.

RI and Savings Plans Group Sharing (Nov 2025)

  • RISP Group Sharing provides granular control over how AWS commitments (RIs and Savings Plans) are shared across accounts within an organization.
  • Allows defining groups of accounts (using AWS Cost Categories) based on business units, projects, regions, or funding sources.
  • Two sharing options:
    • Prioritized Group Sharing – Applies commitments to defined groups first, then shares unused capacity organization-wide.
    • Restricted Group Sharing – Keeps commitments exclusively within defined groups for complete isolation when strict boundaries are required.
  • Addresses the challenge of ensuring Reserved Instances and Savings Plans benefit the teams that actually purchased them.
  • When using Billing Transfer, Reserved Instances and Savings Plans apply only to the AWS Organization where they were purchased and cannot be shared across multiple Organizations.

AWS Billing Transfer (Nov 2025)

  • AWS Billing Transfer allows centralized billing management and payment across multiple AWS Organizations.
  • Customers operating in multi-organization environments can designate a single management account to centrally manage and pay bills for multiple organizations.
  • Capabilities include:
    • Centralized invoice collection across organizations.
    • Single payment processing for multiple organizations.
    • Detailed cost analysis spanning multiple organizations.
  • Individual management accounts maintain complete security autonomy over their organizations.
  • Integrated with AWS Billing Conductor to control how cost data is viewed by organizations and implement advanced cost allocation strategies.
  • Pricing:
    • AWS managed pricing plan – No additional cost.
    • Customer managed pricing plan – $50/month per AWS Organization.
    • Free trial available through May 31, 2026.
  • Available in all public AWS Regions (excluding GovCloud (US), China Beijing, and China Ningxia).

AWS Billing View & Custom Billing Views (2024-2025)

  • AWS Billing View enables scoping and securely sharing exact cost and usage data access levels with stakeholders.
  • Custom Billing Views represent a filtered view of cost management data that can be:
    • Shared with member accounts within an organization, giving business unit owners access to their cost data without management account access.
    • Shared with accounts outside the organization (multi-source views).
    • Combined from multiple organizations into consolidated multi-source views.
  • Accessible through AWS Cost Explorer and AWS Budgets.
  • Enables cross-account cost visibility in AWS Budgets without requiring management account access.

AWS Cost and Usage Report (CUR 2.0) & Data Exports

  • AWS Data Exports enables creating recurring exports of billing and cost management data to S3.
  • CUR 2.0 is gradually replacing the Legacy Cost and Usage Report with improvements:
    • Static schema for easier data ingestion.
    • Additional columns (usage account name, billing account name).
    • Collapsed columns to reduce data sparsity.
    • Supports FOCUS 1.2 specification for open-source cost data formatting.
  • In AWS Organizations, both management accounts and member accounts can create Cost and Usage Reports.
  • Split Cost Allocation Data enables cost visibility for containerized workloads (ECS tasks, EKS pods, AWS Batch jobs) across the entire consolidated billing family, including CPU, memory, and GPU/accelerator resource allocation.

Consolidated Billing Best Practices

  • Paying account should be used solely for accounting and billing purposes
  • Consolidated billing works best with Resource tagging, as tags are included in the detailed billing report, which enables cost to be analyzed and decomposed across multiple dimensions and aggregation levels.
  • Paying account owners should secure their accounts by using MFA (multi-factor authentication) and a strong password

Consolidated Billing Best Practices (Current)

  • Management account should be used solely for billing, governance, and organizational management—no workload resources should be created in it.
  • Use Cost Allocation Tags to categorize and track costs; tags are included in the detailed billing report for analysis across multiple dimensions.
  • Secure the management account with MFA, a strong password, and minimal IAM users.
  • Use AWS Budgets to set cost thresholds and receive alerts.
  • Use Billing View to delegate cost visibility to business unit owners without sharing management account access.
  • Leverage RISP Group Sharing to align commitment discounts with the business units that purchased them.
  • Use Service Control Policies (SCPs) with All Features mode for governance and access control.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. An organization is planning to create 5 different AWS accounts considering various security requirements. The organization wants to use a single payee account by using the consolidated billing option. Which of the below mentioned statements is true with respect to the above information?
    • Master (Payee) account will get only the total bill and cannot see the cost incurred by each account
    • Master (Payee) account can view only the AWS billing details of the linked accounts
    • It is not recommended to use consolidated billing since the payee account will have access to the linked accounts
    • Each AWS account needs to create an AWS billing policy to provide permission to the payee account
  2. An organization has setup consolidated billing with 3 different AWS accounts. Which of the below mentioned advantages will organization receive in terms of the AWS pricing?
    • The consolidated billing does not bring any cost advantage for the organization
    • All AWS accounts will be charged for S3 storage by combining the total storage of each account
    • EC2 instances of each account will receive a total of 750*3 micro instance hours free
    • The free usage tier for all the 3 accounts will be 3 years and not a single year
  3. An organization has added 3 of his AWS accounts to consolidated billing. One of the AWS accounts has purchased a Reserved Instance (RI) of a small instance size in the us-east-1a zone. All other AWS accounts are running instances of a small size in the same zone. What will happen in this case for the RI pricing?
    • Only the account that has purchased the RI will get the advantage of RI pricing
    • One instance of a small size and running in the us-east-1a zone of each AWS account will get the benefit of RI pricing
    • Any single instance from all the three accounts can get the benefit of AWS RI pricing if they are running in the same zone and are of the same size
    • If there are more than one instances of a small size running across multiple accounts in the same zone no one will get the benefit of RI
  4. An organization is planning to use AWS for 5 different departments. The finance department is responsible to pay for all the accounts. However, they want the cost separation for each account to map with the right cost centre. How can the finance department achieve this?
    • Create 5 separate accounts and make them a part of one consolidated billing
    • Create 5 separate accounts and use the IAM cross account access with the roles for better management
    • Create 5 separate IAM users and set a different policy for their access
    • Create 5 separate IAM groups and add users as per the department’s employees
  5. An AWS account wants to be part of the consolidated billing of his organization’s payee account. How can the owner of that account achieve this?
    • The payee account has to request AWS support to link the other accounts with his account
    • The owner of the linked account should add the payee account to his master account list from the billing console
    • The payee account will send a request to the linked account to be a part of consolidated billing (Check Process)
    • The owner of the linked account requests the payee account to add his account to consolidated billing
  6. You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each accounts bill to a Master AWS account using Consolidated Billing. To make sure you keep within budget you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal.
    • Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.
    • Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.
    • Create IAM users in the Master account. Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access.
    • Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts
  7. When using consolidated billing there are two account types. What are they?
    • Paying account and Linked account
    • Parent account and Child account
    • Main account and Sub account.
    • Main account and Secondary account.
  8. A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions. The divisions want to maintain administrative control of the discrete AWS resources they consume and keep those resources separate from the resources of other divisions. Which of the following options, when used together will support the autonomy/control of divisions while enabling corporate IT to maintain governance and cost oversight? Choose 2 answers
    • Use AWS Consolidated Billing and disable AWS root account access for the child accounts. (Need to link accounts and disabling root access is just a best practice)
    • Enable IAM cross-account access for all corporate IT administrators in each child account. (Provides IT governance)
    • Create separate VPCs for each division within the corporate IT AWS account.
    • Use AWS Consolidated Billing to link the divisions’ accounts to a parent corporate account (Will provide cost oversight)
    • Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account’s Amazon S3 ‘Log’ bucket (Preferred approach would be to store logs from multiple accounts to a single S3 bucket with CloudTrail for IT Governance and CloudWatch alerts for Cost Oversight)
  9. An organization has 10 departments. The organization wants to track the AWS usage of each department. Which of the below mentioned options meets the requirement?
    1. Setup IAM groups for each department and track their usage
    2. Create separate accounts for each department, but use consolidated billing for payment and tracking
    3. Create separate accounts for each department and track them separately
    4. Setup IAM users for each department and track their usage
  10. A large enterprise operates multiple AWS Organizations for different business units. They want to centralize invoice collection and payment processing while allowing each organization to maintain security autonomy. Which AWS feature should they use?
    • Create a single AWS Organization and move all accounts into it
    • Use IAM cross-account roles to access billing in each organization
    • Use AWS Billing Transfer to designate a single management account to centrally manage billing across multiple organizations
    • Enable consolidated billing in each organization and manually combine invoices
  11. An organization has purchased Reserved Instances in Account A for the engineering team. They want to ensure the RI discounts benefit only the engineering team’s accounts (A, B, and C) and are NOT shared with other accounts in the organization. Which approach provides the most granular control?
    • Turn off RI sharing in the management account for all non-engineering accounts
    • Purchase Reserved Instances in a separate organization with only engineering accounts
    • Use Reserved Instances and Savings Plans Group Sharing with Restricted Group Sharing to limit discount sharing to the engineering group only
    • Create a Service Control Policy to prevent other accounts from using Reserved Instances
  12. A company wants to give department managers visibility into their team’s AWS costs without providing access to the management account. Which AWS feature enables this?
    • Share IAM credentials for the management account billing console
    • Create Custom Billing Views and share them with department manager accounts
    • Enable all member accounts to create their own Cost and Usage Reports
    • Use AWS Billing Conductor to create separate pro forma bills

References

AWS Support Tiers – Certification

AWS Support Plans

⚠️ Major Update: AWS Support Plans Restructured (Dec 2025)

At AWS re:Invent 2025, AWS announced a fundamental restructuring of Support Plans. The legacy Developer, Business, and Enterprise On-Ramp plans will be discontinued on January 1, 2027.

New Plan Structure:

  • Basic (free) — unchanged, included for all accounts
  • Business Support+ — replaces Developer and Business (from $29/month)
  • Enterprise Support — enhanced with AI capabilities (from $5,000/month)
  • Unified Operations — new top-tier for mission-critical workloads (from $50,000/month)

All new plans combine AI-powered capabilities with AWS human expertise for proactive, rather than reactive, support.

Current AWS Support Plans (2025+)

AWS now provides four Support tiers — one free tier and three paid plans. Support is per AWS Account (except Enterprise and Unified Operations which aggregate across accounts).

Basic Support (Free)

  • Included for all AWS customers at no additional charge
  • Customer Service: 24/7 access to account and billing questions
  • AWS re:Post community access
  • AWS Health Dashboard — personalized view of service health
  • AWS Trusted Advisor — core checks only (service limits)
  • Documentation, whitepapers, and best-practice guides

Business Support+ (from $29/month)

  • All features from Basic Support
  • AI-powered contextual recommendations — 24/7 intelligent troubleshooting
  • AWS DevOps Agent integration — credits equal to 30% of Support charge
  • 24/7 phone, web, chat, and email technical support
  • Unlimited support cases and contacts
  • Response times:
    • Business/Mission-critical system down: < 30 minutes
    • Production system down: < 1 hour
    • Production system impaired: < 4 hours
    • System impaired: < 12 hours
    • General guidance: < 24 hours
  • Full set of AWS Trusted Advisor checks
  • Contextual architectural guidance for your use cases
  • Third-party software support
  • AWS Support API for automated case management
  • AWS Support App in Slack
  • AWS Support Automation Workflows
  • AWS Health API access
  • IAM for controlling access to AWS Support
  • Pricing: Greater of $29/month or tiered: 9% (first $10K), 7% ($10K-$80K), 5% ($80K-$250K), 3% (over $250K)

Enterprise Support (from $5,000/month)

  • All features from Business Support+
  • Designated Technical Account Manager (TAM) — deep AWS knowledge with data-driven insights
  • AWS DevOps Agent integration — credits equal to 75% of Support charge
  • AWS Security Incident Response — included at no additional cost
  • Response times:
    • Business/Mission-critical system down: < 15 minutes
    • Production system down: < 1 hour
    • Production system impaired: < 4 hours
    • System impaired: < 12 hours
    • General guidance: < 24 hours
  • AWS Trusted Advisor Priority — prioritized and contextual recommendations
  • AWS Well-Architected Reviews
  • Proactive security reviews
  • Infrastructure event management and planned events support
  • White-glove billing concierge
  • Personalized strategic support plan
  • Consultative architectural reviews and guidance
  • Interactive programs and hands-on workshops
  • Pricing: Greater of $5,000/month or tiered: 10% (first $150K), 7% ($150K-$500K), 5% ($500K-$1M), 3% (over $1M)

Unified Operations (from $50,000/month)

  • All features from Enterprise Support
  • Designated team: TAM + Domain Specialist Engineers + Senior Billing and Account Specialist + Incident Management Engineers
  • AWS DevOps Agent integration — credits equal to 100% of Support charge
  • Response times:
    • Business/Mission-critical system down: < 5 minutes (from Incident Management Engineer)
    • Production system down: < 1 hour
    • Production system impaired: < 4 hours
    • System impaired: < 12 hours
    • General guidance: < 24 hours
  • 24/7 proactive workload monitoring
  • Continuous architectural reviews with designated domain specialists
  • Customized proactive services and resiliency reviews
  • Critical Workload Reviews
  • AWS Countdown Premium included (one subscription per month)
  • AWS Incident Detection and Response included
  • Global TAM coverage
  • Pricing: Greater of $50,000/month or tiered: 10% (first $1M), 6% ($1M-$5M), 5% (over $5M)

Legacy Plans (Discontinued January 1, 2027)

⚠️ The following plans are being discontinued on January 1, 2027. Existing subscribers can continue using them until that date or transition to new plans at any time.

Developer Support (Legacy)

  • All features from Basic Support
  • Best-practice guidance
  • Client-side diagnostic tools
  • Building-block architecture support
  • Business hours email access to Cloud Support Associates
  • Migration path: → Business Support+ ($29/month minimum)

Business Support (Legacy)

  • All features from Developer Support
  • Phone/Email/Chat support, 1 hour response time for production system down
  • Use-case guidance
  • AWS Trusted Advisor — full set of checks
  • Support API access
  • Third-party software support
  • IAM for AWS Support access
  • Migration path: → Business Support+ ($29/month minimum, improved 30-min response time)

Enterprise On-Ramp (Legacy)

  • All features from Business Support
  • Pool of TAMs (shared, not designated)
  • 30-minute response time for critical issues
  • Concierge support team
  • Migration path: → Enterprise Support ($5,000/month — automatic upgrade during 2026)

Support Plan Comparison

Feature Basic Business Support+ Enterprise Unified Operations
Pricing Free From $29/month From $5,000/month From $50,000/month
Critical Response Time < 30 minutes < 15 minutes < 5 minutes
Technical Support 24/7 phone, web, chat 24/7 phone, web, chat 24/7 phone, web, chat
AI-Powered Assistance
Trusted Advisor Core checks Full checks Full + Priority Full + Priority
TAM Designated Designated + Team
Well-Architected Reviews
Security Incident Response Additional fee Included Included
Proactive Monitoring 24/7 workload monitoring
Third-Party Software Support

Key Changes from Legacy to New Plans

  • Business Support+ replaces both Developer and Business Support
    • Lower minimum: $29/month (was $100/month for Business)
    • Faster critical response: 30 minutes (was 1 hour)
    • New AI-powered troubleshooting and recommendations
    • AWS DevOps Agent integration included
  • Enterprise Support (enhanced)
    • Lower minimum: $5,000/month (was $15,000/month)
    • AWS Security Incident Response now included at no additional cost
    • AWS DevOps Agent credits (75% of Support charge)
    • Enhanced AI-powered insights for TAMs
  • Unified Operations (new tier — replaces Enterprise On-Ramp position conceptually at the top)
    • 5-minute response time for critical issues
    • Dedicated team: TAM + Domain Engineers + Billing Specialist + Incident Engineers
    • 24/7 proactive workload monitoring
    • AWS Countdown Premium and Incident Detection & Response included
  • Enterprise On-Ramp discontinued — customers automatically upgraded to Enterprise Support during 2026

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. What are the four levels of AWS Premium Support?
    • Basic, Developer, Business, Enterprise [Note: Legacy plans. New structure (2025+) is Basic, Business Support+, Enterprise, Unified Operations]
    • Basic, Startup, Business, Enterprise
    • Free, Bronze, Silver, Gold
    • All support is free
  2. What is the maximum response time for a Business level Premium Support case with a production system down?
    • 120 seconds
    • 1 hour [Note: With new Business Support+, critical response time is 30 minutes]
    • 10 minutes
    • 12 hours
  3. A company requires a dedicated Technical Account Manager (TAM) and a response time of less than 15 minutes for business-critical system issues. Which AWS Support plan should they choose?
    • Business Support+
    • Enterprise Support
    • Unified Operations
    • Basic Support
  4. Which AWS Support plan provides AI-powered contextual recommendations and 24/7 technical support starting at $29/month?
    • Basic Support
    • Developer Support
    • Business Support+
    • Enterprise Support
  5. A large enterprise needs 5-minute response times for mission-critical incidents, designated domain specialist engineers, and 24/7 proactive workload monitoring. Which AWS Support plan meets these requirements?
    • Business Support+
    • Enterprise Support
    • Unified Operations
    • Enterprise On-Ramp
  6. Which AWS Support plans include AWS Trusted Advisor with the full set of checks? (Select TWO)
    • Basic Support
    • Business Support+
    • Enterprise Support
    • Developer Support
  7. Which AWS Support plan includes AWS Security Incident Response at no additional cost?
    • Basic Support
    • Business Support+
    • Enterprise Support
    • Developer Support
  8. A startup wants the minimum AWS Support plan that provides 24/7 phone access to cloud support engineers. Which plan should they choose?
    • Basic Support
    • Developer Support
    • Business Support+
    • Enterprise Support

References