AWS Study: SAA-C03 Prep

Cheat Sheets

Quick-reference tables for SAA-C03 — services, limits, comparisons.

S3 Storage Classes

| Class | Min Duration | Retrieval | Use Case |
| --- | --- | --- | --- |
| Standard | None | Instant | Frequently accessed |
| Intelligent-Tiering | None | Instant | Unknown access pattern |
| Standard-IA | 30 days | Instant | Infrequent, rapid access |
| One Zone-IA | 30 days | Instant | Infrequent, non-critical |
| Glacier Instant | 90 days | Instant | Archive, ms retrieval |
| Glacier Flexible | 90 days | Min – 12 h | Archive, flexible retrieval |
| Glacier Deep Archive | 180 days | 12 – 48 h | Long-term archive, cheapest |

Standard-IA and One Zone-IA charge a retrieval fee per GB.

S3 Replication

| Feature | CRR | SRR |
| --- | --- | --- |
| Full name | Cross-Region Replication | Same-Region Replication |
| Bucket owner | Different regions | Same region |
| Use case | DR, latency | Log aggregation, compliance |
| Versioning required | Both buckets | Both buckets |
| Delete marker replication | Optional | Optional |

EC2 Instance Families

| Family | Optimized For | Examples |
| --- | --- | --- |
| T | Burstable (baseline CPU) | T3, T4g |
| M | General purpose | M6i, M7g |
| C | Compute (high CPU) | C6g, C7i |
| R | Memory (high RAM) | R6g, R7i |
| X | Extreme memory | X2idn |
| I | Storage (NVMe SSD) | I3, I4i |
| D | Dense HDD storage | D3 |
| P / G / Inf | GPU / ML / Inference | P4, G5, Inf2 |
| H | High disk throughput | H1 |

EC2 Purchasing Options

| Type | Discount | Best For |
| --- | --- | --- |
| On-Demand | None | Short-term, unpredictable workloads |
| Reserved (1 yr) | up to 40% | Steady-state, known usage |
| Reserved (3 yr) | up to 60% | Long-term commitment |
| Savings Plans | up to 66% | Flexible family/region |
| Spot | up to 90% | Fault-tolerant, batch, stateless |
| Dedicated Instance | None | Compliance (no shared hardware) |
| Dedicated Host | BYOL eligible | Per-socket licensing, compliance |

Spot instances can be interrupted with a 2-minute warning.

EC2 Storage Options

| Type | Persistence | Use Case |
| --- | --- | --- |
| Instance Store | Ephemeral (lost on stop) | Temp buffers, caches |
| EBS gp3 | Persistent | General purpose boot/data |
| EBS io2 | Persistent | High IOPS databases |
| EBS st1 | Persistent | Throughput (logs, big data) |
| EBS sc1 | Persistent | Cold, infrequently accessed |
| EFS | Persistent, shared | Multi-AZ shared filesystem |
| FSx for Windows | Persistent, shared | Windows SMB workloads |
| FSx for Lustre | Persistent, shared | HPC, ML training |

Load Balancer Types

| Type | OSI Layer | Protocols | Targets |
| --- | --- | --- | --- |
| ALB | 7 (Application) | HTTP, HTTPS, gRPC | Instance, IP, Lambda |
| NLB | 4 (Transport) | TCP, UDP, TLS | Instance, IP, ALB |
| GLB | 3 (Network) | IP packets | Instance, IP (appliances) |
| CLB (legacy) | 4 + 7 | HTTP, TCP | Instance only |

Only ALB supports path-based and host-based routing.

Auto Scaling Policy Types

| Policy | Trigger | Notes |
| --- | --- | --- |
| Simple Scaling | CloudWatch alarm | Cooldown period required |
| Step Scaling | CloudWatch alarm | Different steps per breach size |
| Target Tracking | Keep metric at target | Recommended, automatic |
| Scheduled | Time-based | Predictable load patterns |
| Predictive | ML forecast | Proactive, SAA-C03 exam topic |

RDS vs Aurora

| Feature | RDS | Aurora |
| --- | --- | --- |
| Engines | MySQL, PG, Oracle, SQL Server, MariaDB | MySQL, PostgreSQL |
| Storage scaling | Manual (up to 64 TB) | Auto (up to 128 TB) |
| Read replicas | Up to 5 | Up to 15 |
| Failover time | ~60–120 s | ~30 s |
| Replication | Async | Sync (shared storage) |
| Multi-AZ | Standby replica | Native, all replicas |
| Cost | Lower | Up to 5× more (but faster) |

RDS Backup & Recovery

| Feature | Automated Backup | Manual Snapshot |
| --- | --- | --- |
| Retention | 0–35 days | Indefinite |
| Deleted on instance delete | Yes (configurable) | No |
| Point-in-time restore | Yes (5 min granularity) | No |
| Cross-region copy | No (use snapshot) | Yes |

DynamoDB Key Concepts

| Concept | Detail |
| --- | --- |
| Primary key types | Partition key only; Partition key + Sort key |
| Read modes | Eventually consistent (default), Strongly consistent |
| Capacity modes | Provisioned (predictable); On-demand (spiky) |
| GSI | Global Secondary Index — different partition key, own RCU/WCU |
| LSI | Local Secondary Index — same partition key, different sort key |
| DynamoDB Streams | Ordered change log per item (24 h retention) |
| DAX | In-memory cache, microsecond reads, no code change |
| TTL | Auto-delete expired items, no extra cost |
| Global Tables | Multi-region active-active replication |

SQS vs SNS vs EventBridge

| Feature | SQS | SNS | EventBridge |
| --- | --- | --- | --- |
| Model | Queue (pull) | Pub/Sub (push) | Event bus (push) |
| Message persistence | Up to 14 days | No | No |
| Consumers | One (or competing) | Many (fan-out) | Many (rules) |
| Message filtering | No | Attribute-based | Pattern matching |
| FIFO support | Yes (SQS FIFO) | Yes (SNS FIFO) | No |
| Dead-letter queue | Yes | Yes | Yes |
| 3rd-party events | No | No | Yes (Shopify, Zendesk…) |

SQS Standard: at-least-once, out-of-order. FIFO: exactly-once, ordered.

Lambda Limits

| Limit | Value |
| --- | --- |
| Max execution time | 15 minutes |
| Memory | 128 MB – 10 GB |
| /tmp storage | 512 MB – 10 GB |
| Sync payload (request/response) | 6 MB |
| Async payload | 256 KB |
| Default concurrency per region | 1,000 (soft limit) |
| Layers | 5 per function |
| Deployment package (zip) | 50 MB |
| Deployment package (unzipped) | 250 MB |
| Environment variables | 4 KB total |

Lambda Invocation Types

| Type | Source | Retry |
| --- | --- | --- |
| Synchronous | API GW, ALB, CLI | Caller handles |
| Asynchronous | S3, SNS, EventBridge | 2 retries built-in |
| Event source mapping | SQS, Kinesis, DynamoDB Streams | Automatic (DLQ optional) |

IAM Key Concepts

| Concept | Description |
| --- | --- |
| User | Long-term identity with credentials |
| Group | Collection of users sharing policies |
| Role | Temporary credentials, assumed by services/users |
| Policy (identity-based) | Attached to user/group/role |
| Policy (resource-based) | Attached to resource (e.g. S3 bucket, SQS queue) |
| Permission Boundary | Maximum permissions a user/role can have |
| SCP (Service Control Policy) | AWS Org guardrails — deny only, apply to OUs |
| Session Policy | Passed at AssumeRole, limits effective permissions |

Evaluation order: Deny > SCP > Resource > Identity > Boundary > Session.

VPC Components

| Component | Description |
| --- | --- |
| VPC | Isolated virtual network scoped to a region |
| Subnet | AZ-specific segment of a VPC (public or private) |
| Route Table | Rules controlling traffic routing per subnet |
| Internet Gateway (IGW) | Enables public internet access for a VPC |
| NAT Gateway | Outbound internet for private subnets (managed, HA) |
| Security Group | Stateful firewall at instance level (allow rules only) |
| NACL | Stateless firewall at subnet level (allow + deny rules) |
| VPC Peering | Private link between two VPCs (non-transitive) |
| Transit Gateway | Hub-and-spoke for many VPCs + on-prem |
| PrivateLink / Endpoint | Private access to AWS services without IGW |
| VPN Gateway | Site-to-site IPSec VPN to on-prem |
| Direct Connect | Dedicated physical link to on-prem |

Security Groups are stateful (return traffic auto-allowed). NACLs are stateless.

Security Group vs NACL

| Feature | Security Group | NACL |
| --- | --- | --- |
| Scope | Instance (ENI) | Subnet |
| Stateful | Yes | No |
| Rules | Allow only | Allow + Deny |
| Rule processing | All rules evaluated | First match wins (numbered) |
| Default | Deny all inbound | Allow all |
| Applies to | EC2, RDS, Lambda in VPC | All resources in subnet |
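To make the rows above concrete, here is an added Python model of how the two firewalls decide on the same HTTPS exchange. It is my example, not code from the cheat sheet or from AWS: it assumes IPv4 and TCP/UDP only, models rules as plain Python objects, and uses constructed documentation-range addresses (198.51.100.7, 203.0.113.9). It shows the stateful Security Group admitting the reply with no outbound rule at all, a NACL that lacks an ephemeral-port outbound rule dropping that same reply, and a NACL Deny taking effect only when it is numbered before the matching Allow.

```python
"""Added example (not from the cheat sheet or AWS): a small model of how a
Security Group (stateful, allow-only, all rules evaluated) and a NACL (stateless,
allow + deny, first numbered match wins) decide on the same packets.

Assumptions, mine: IPv4 only, TCP/UDP only, rules and packets are plain Python
objects. This mirrors the table's semantics, not the exact AWS data plane.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound", relative to the protected resource
    protocol: str    # "tcp" or "udp"
    src_port: int
    dst_port: int
    remote_ip: str   # IPv4 address of the other endpoint


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACL rules may be "deny"; SG rules are always "allow"
    number: int = 0         # NACL rule number; ignored by Security Groups

    def matches(self, pkt: Packet) -> bool:
        return (self.protocol in ("all", pkt.protocol)
                and self.port_from <= pkt.dst_port <= self.port_to
                and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful: a reply to an allowed flow is permitted even with no matching rule."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.flows = set()   # connection tracking table

    @staticmethod
    def _flow_key(pkt):
        # Normalise to (protocol, remote_ip, local_port, remote_port) so a reply
        # maps onto the same key as the request it answers.
        if pkt.direction == "inbound":
            return (pkt.protocol, pkt.remote_ip, pkt.dst_port, pkt.src_port)
        return (pkt.protocol, pkt.remote_ip, pkt.src_port, pkt.dst_port)

    def evaluate(self, pkt):
        if self._flow_key(pkt) in self.flows:
            return "allow (tracked flow)"
        # Order does not matter: any matching allow rule admits the packet.
        if any(r.matches(pkt) for r in self.rules[pkt.direction]):
            self.flows.add(self._flow_key(pkt))
            return "allow"
        return "deny (implicit)"


class NetworkAcl:
    """Stateless: every packet, replies included, must match an explicit rule."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": sorted(inbound, key=lambda r: r.number),
                      "outbound": sorted(outbound, key=lambda r: r.number)}

    def evaluate(self, pkt):
        for rule in self.rules[pkt.direction]:   # lowest number first
            if rule.matches(pkt):
                return f"{rule.action} (rule {rule.number})"
        return "deny (implicit *)"


def demo_firewall_evaluation():
    """Constructed scenario: an HTTPS client at 198.51.100.7 talks to the resource."""
    request = Packet("inbound", "tcp", 51515, 443, "198.51.100.7")
    reply = Packet("outbound", "tcp", 443, 51515, "198.51.100.7")

    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")], outbound=[])
    # NACL missing the ephemeral-port outbound rule: the reply is dropped.
    nacl_broken = NetworkAcl(
        inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
        outbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)])
    # Corrected NACL: return traffic to the ephemeral range is allowed.
    nacl_fixed = NetworkAcl(
        inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
        outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)])
    # A Deny numbered before the Allow wins; numbered after it, it is never reached.
    blocked = Packet("inbound", "tcp", 40000, 443, "203.0.113.9")
    nacl_deny_first = NetworkAcl(
        inbound=[Rule("tcp", 443, 443, "203.0.113.0/24", "deny", 90),
                 Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)], outbound=[])
    nacl_deny_late = NetworkAcl(
        inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100),
                 Rule("tcp", 443, 443, "203.0.113.0/24", "deny", 110)], outbound=[])

    return {
        "sg_request": sg.evaluate(request),
        "sg_reply": sg.evaluate(reply),
        "nacl_broken_reply": nacl_broken.evaluate(reply),
        "nacl_fixed_reply": nacl_fixed.evaluate(reply),
        "nacl_deny_first": nacl_deny_first.evaluate(blocked),
        "nacl_deny_late": nacl_deny_late.evaluate(blocked),
    }


if __name__ == "__main__":
    for name, verdict in demo_firewall_evaluation().items():
        print(f"{name:18} {verdict}")
```

The two failure modes worth remembering from the run: a NACL needs an explicit outbound rule for the ephemeral port range (1024–65535) or replies never leave the subnet, and a NACL Deny placed at a higher number than an overlapping Allow is dead, because processing stops at the first match.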

CloudFront Key Facts

| Feature | Detail |
| --- | --- |
| Edge locations | 400+ worldwide |
| Origin types | S3, ALB, EC2, any HTTP endpoint |
| Default TTL | 24 hours (configurable per behavior) |
| SSL certificate region | Must be in us-east-1 (ACM) |
| Geo restriction | Allowlist or blocklist by country |
| Cache invalidation | Costs money — use versioned filenames instead |
| CloudFront Functions | Lightweight JS — viewer request/response only |
| Lambda@Edge | Full Lambda — all 4 event types, more powerful |
| Signed URLs / Cookies | Restrict content to authorized users |
| Origin Access Control | Restricts S3 to CloudFront only (replaces OAI) |

Route 53 Routing Policies

| Policy | Use Case | Health Check |
| --- | --- | --- |
| Simple | Single resource, no logic | No |
| Weighted | A/B testing, canary deploys | Optional |
| Latency | Route to lowest-latency region | Optional |
| Failover | Active-passive disaster recovery | Required |
| Geolocation | Route by user's country/continent | Optional |
| Geoproximity | Shift traffic by geographic bias | Optional |
| Multivalue Answer | Return up to 8 healthy records | Optional |
| IP-based | Route by CIDR / ISP | Optional |

Geolocation routes by location; Latency routes by response time — different!

CloudWatch vs CloudTrail vs Config

| Service | Purpose | What It Answers |
| --- | --- | --- |
| CloudWatch Metrics | Resource performance monitoring | "Is my EC2 CPU high?" |
| CloudWatch Logs | Log aggregation & querying | "What did my app log?" |
| CloudWatch Alarms | Alert on metric thresholds | "Notify me when CPU > 80%" |
| CloudTrail | API call audit log (who did what) | "Who deleted that S3 bucket?" |
| AWS Config | Resource config history + compliance | "Was my SG ever open to 0.0.0.0?" |

CloudTrail is for auditing; CloudWatch is for monitoring.

Common Ports

| Port | Protocol / Service |
| --- | --- |
| 22 | SSH |
| 80 | HTTP |
| 443 | HTTPS |
| 3306 | MySQL / Aurora MySQL |
| 5432 | PostgreSQL / Aurora PostgreSQL |
| 1433 | Microsoft SQL Server |
| 3389 | RDP (Windows) |
| 6379 | Redis (ElastiCache) |
| 11211 | Memcached (ElastiCache) |
| 27017 | MongoDB |
| 2049 | NFS (EFS) |
| 8080 | HTTP alternate |

AWS Security Services

| Service | Purpose |
| --- | --- |
| Shield Standard | Free automatic DDoS protection |
| Shield Advanced | Enhanced DDoS + WAF integration ($3,000/mo) |
| WAF | Web Application Firewall — L7 rules (SQL injection, XSS) |
| GuardDuty | Threat detection using ML on logs (VPC, DNS, CloudTrail) |
| Inspector | Automated vulnerability scanning (EC2, Lambda, ECR) |
| Macie | S3 sensitive data discovery (PII, credentials) |
| Security Hub | Aggregated security findings across accounts |
| Detective | Root-cause analysis for security findings |
| KMS | Managed encryption key service |
| Secrets Manager | Automatic secrets rotation + retrieval |
| ACM | Free SSL/TLS certificates for AWS services |
| Cognito | User auth / federation for web & mobile apps |

Disaster Recovery Strategies

| Strategy | RTO / RPO | Cost | Description |
| --- | --- | --- | --- |
| Backup & Restore | Hours | $ | Backups to S3, restore when needed |
| Pilot Light | Tens of minutes | $$ | Core services running, scale on failover |
| Warm Standby | Minutes | $$$ | Scaled-down full environment, ready to scale |
| Multi-Site Active/Active | Seconds | $$$$ | Full production in multiple regions |

RTO = Recovery Time Objective (downtime). RPO = Recovery Point Objective (data loss).

ECS Launch Types

| Feature | ECS on EC2 | ECS on Fargate |
| --- | --- | --- |
| Infrastructure management | You manage EC2 instances | AWS manages (serverless) |
| Pricing | Pay for EC2 instances | Pay per vCPU/memory per second |
| Control | Full host-level control | Task-level only |
| Spot savings | EC2 Spot Instances | Fargate Spot |
| GPU support | Yes | No |
| Best for | Stable, predictable workloads | Spiky / variable workloads |

ECS on EC2 requires managing AMIs, patching, and capacity. Fargate removes all that overhead.

ECS vs EKS

| Feature | ECS | EKS |
| --- | --- | --- |
| Orchestrator | AWS proprietary | Kubernetes (CNCF standard) |
| Learning curve | Lower | Higher |
| Portability | AWS only | Multi-cloud / on-prem |
| Fargate support | Yes | Yes |
| Cost | No control plane fee | $0.10/hr per cluster |
| Best for | Simpler AWS-native apps | K8s expertise / portability needed |

Redis vs Memcached

| Feature | Redis | Memcached |
| --- | --- | --- |
| Data persistence | Yes (RDB + AOF) | No |
| Replication / Multi-AZ | Yes | No |
| Pub/Sub messaging | Yes | No |
| Complex data types | Yes (lists, sets, hashes) | Strings only |
| Multi-threading | Single-threaded | Multi-threaded |
| Cluster mode | Yes (sharding) | Yes (horizontal) |
| Use case | Sessions, leaderboards, queues | Simple high-throughput cache |

Choose Redis when you need durability, replication, or complex data structures.

Kinesis Services Comparison

| Service | Purpose | Latency | Key Detail |
| --- | --- | --- | --- |
| Data Streams | Real-time custom processing | ~200 ms | Shards; replay up to 365 days |
| Data Firehose | Load to S3/Redshift/OpenSearch | 60 s – 15 min | No code; auto-scales |
| Data Analytics | SQL / Apache Flink on streams | Sub-second | Built on top of Streams or Firehose |
| Video Streams | Ingest video / ML inference | Varies | WebRTC, HLS playback |

Kinesis vs SQS: use Kinesis for ordered, replay-capable streaming; SQS for decoupled queuing.

API Gateway Types

| Feature | REST API | HTTP API | WebSocket API |
| --- | --- | --- | --- |
| Cost | $$$ | $ | $ |
| Latency | Higher | Lower (~60%) | Persistent connection |
| Cognito auth | Yes | Yes | Yes |
| API keys / usage plans | Yes | No | No |
| Request validation | Yes | No | No |
| Caching | Yes | No | No |
| VPC Link | Yes | Yes | No |
| Best for | Full features needed | Low-cost simple APIs | Real-time two-way comms |

HTTP API is ~70% cheaper than REST API. Choose REST API only when you need caching, request validation, or usage plans.

User Pools vs Identity Pools

| Feature | User Pools | Identity Pools |
| --- | --- | --- |
| Purpose | Authentication (who are you?) | Authorization (what can you access?) |
| Issues | JWT tokens (ID, Access, Refresh) | Temporary AWS credentials (STS) |
| Federation | SAML, OIDC, social logins | User Pools, social, SAML, custom |
| AWS resource access | No | Yes (via IAM roles) |
| MFA support | Yes | No (handled by identity provider) |
| Use case | App login / sign-up | Access S3, DynamoDB directly from app |

Common pattern: User Pool authenticates → Identity Pool exchanges JWT for temporary AWS credentials.

Shield Standard vs Advanced

| Feature | Shield Standard | Shield Advanced |
| --- | --- | --- |
| Cost | Free | $3,000/month + data transfer |
| Protection | Layer 3/4 (SYN floods, UDP) | Layer 3/4/7 (+ sophisticated) |
| DDoS Response Team (SRT) | No | Yes (24/7 access) |
| Cost protection | No | Yes (DDoS cost credits) |
| Real-time visibility | Limited | Full CloudWatch metrics |
| WAF integration | Separate | Included; WAF fee waived |

Shield Advanced is worth it for business-critical apps with high-volume DDoS risk.

CloudTrail vs CloudWatch vs Config

| Service | Answers | Data Type | Retention |
| --- | --- | --- | --- |
| CloudTrail | Who did what, when, from where? | API call audit logs | 90 days free; S3 for longer |
| CloudWatch | What is happening now (metrics/logs)? | Metrics, logs, alarms | Configurable |
| AWS Config | What did this resource look like at time X? | Resource config history | Configurable |

CloudTrail = audit; CloudWatch = operational monitoring; Config = compliance and config history.

Secrets Manager vs SSM Parameter Store

| Feature | Secrets Manager | SSM Parameter Store |
| --- | --- | --- |
| Cost | $0.40/secret/month | Free (Standard); $0.05/10k API calls (Advanced) |
| Auto rotation | Yes (built-in for RDS, etc.) | No (manual or custom Lambda) |
| Cross-account access | Yes | No |
| Max size | 64 KB | 4 KB (Standard) / 8 KB (Advanced) |
| KMS encryption | Always | Optional (SecureString) |
| Best for | DB credentials needing rotation | Config values, non-secret params |

If automatic rotation is required → Secrets Manager. For static config or cost sensitivity → Parameter Store.

Standard vs Express Workflows

| Feature | Standard | Express |
| --- | --- | --- |
| Max duration | 1 year | 5 minutes |
| Execution rate | 2,000/sec | 100,000/sec |
| Pricing | Per state transition | Per execution + duration |
| Execution history | Full audit (90 days) | CloudWatch only |
| Idempotency | At-most-once | At-least-once |
| Best for | Long-running, auditable workflows | High-throughput, short IoT/streaming jobs |

Standard workflows guarantee exactly-once execution; Express workflows may execute more than once.

EventBridge vs SNS vs SQS

| Feature | EventBridge | SNS | SQS |
| --- | --- | --- | --- |
| Model | Event router | Pub/Sub fan-out | Queue |
| Filtering | Rich content-based filtering | Attribute-based only | None |
| Targets | 20+ AWS services | Subscribers (Lambda, SQS, HTTP) | One consumer group |
| SaaS events | Yes (partner integrations) | No | No |
| Ordering | No | No | Yes (FIFO) |
| Retention | None (fire and forget) | None | Up to 14 days |
| Best for | Decoupled event routing | Fan-out notifications | Durable queuing |

EventBridge is the evolution of CloudWatch Events. Use it when you need content-based routing to multiple targets.

SCPs vs IAM Policies

| Aspect | SCPs | IAM Policies |
| --- | --- | --- |
| Scope | Accounts / OUs in Organizations | Users, roles, groups in an account |
| Effect | Set maximum permissions | Grant actual permissions |
| Applies to root user? | Yes (restricts root too) | No (root bypasses IAM) |
| Default behavior | Implicit allow if no SCP | Implicit deny everything |
| Attached to | Root, OU, or account | Identity or resource |
| Can grant permissions? | No (only restrict) | Yes |

Both an SCP AND an IAM policy must allow an action for it to be permitted.
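The "both must allow" rule, plus the explicit-Deny and permission-boundary rows from the IAM table, are easier to reason about with a small evaluator. The following is my added Python example, not code from the cheat sheet or an AWS library. It assumes simplified policy documents (Effect and Action only, no Resource or Condition), action wildcards in the `s3:*` style, and a member account; resource-based and session policies are deliberately left out of the model, and the empty-SCP case mirrors the table's "implicit allow if no SCP" row.

```python
"""Added example (not from the cheat sheet or AWS): a simplified evaluator for
SCP + identity policy + permission boundary.

Assumptions, mine: statements carry only Effect and Action, wildcards are
fnmatch-style ("s3:*", "ec2:Describe*"), and resource-based and session
policies are not modelled. An identity in a member account is assumed.
"""
from fnmatch import fnmatchcase


def _statement_matches(statement, action):
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatchcase(action, pattern) for pattern in actions)


def _decision(policy, action):
    """Return 'Deny', 'Allow' or None (no matching statement) for one document."""
    result = None
    for stmt in policy.get("Statement", []):
        if _statement_matches(stmt, action):
            if stmt["Effect"] == "Deny":
                return "Deny"   # an explicit Deny is final within this document
            result = "Allow"
    return result


def is_allowed(action, scps, identity_policies, boundary=None):
    """Evaluate one action across the SCP, identity and boundary layers.

    Returns (allowed: bool, reason: str).
    """
    layers = [("SCP", list(scps)), ("identity", list(identity_policies))]
    if boundary is not None:
        layers.append(("permission boundary", [boundary]))

    # 1. An explicit Deny in any layer wins outright.
    for name, docs in layers:
        if any(_decision(d, action) == "Deny" for d in docs):
            return False, f"explicit Deny in {name} policy"

    # 2. Every layer must contain an Allow. SCPs are the exception: with no SCP
    #    attached the layer is an implicit allow (table row "Default behavior").
    for name, docs in layers:
        if name == "SCP" and not docs:
            continue
        if not any(_decision(d, action) == "Allow" for d in docs):
            return False, f"no Allow in {name} policy (implicit deny)"
    return True, "allowed by every layer"


def demo_policy_evaluation():
    """Constructed policies: the SCP permits S3 plus read-only EC2, the identity
    policy grants S3 and RunInstances but denies DeleteBucket, the boundary
    caps S3 to read operations."""
    scp = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"]}]}
    identity = {"Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:RunInstances"]},
        {"Effect": "Deny", "Action": "s3:DeleteBucket"},
    ]}
    boundary = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"]}]}

    return {
        # Allowed by SCP and identity policy.
        "get_object": is_allowed("s3:GetObject", [scp], [identity]),
        # Identity policy grants it, but the SCP never allows it.
        "run_instances": is_allowed("ec2:RunInstances", [scp], [identity]),
        # Identity policy's explicit Deny beats its own s3:* Allow.
        "delete_bucket": is_allowed("s3:DeleteBucket", [scp], [identity]),
        # SCP and identity allow it, but the boundary caps the identity.
        "put_with_boundary": is_allowed("s3:PutObject", [scp], [identity], boundary),
        # SCP allows it, but nothing in the identity policy grants it.
        "describe_no_identity": is_allowed("ec2:DescribeInstances", [scp], [identity]),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo_policy_evaluation().items():
        print(f"{name:22} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The `run_instances` case is the one the note above is about: a perfectly valid identity policy is useless for an action the organization's SCP does not allow, and the evaluator reports the SCP layer, not the identity policy, as the reason.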

AWS Organizations Key Concepts

| Concept | Description |
| --- | --- |
| Management account | Root account; pays for all; not affected by SCPs |
| Member accounts | Joined accounts; subject to SCPs |
| Organizational Unit (OU) | Logical grouping of accounts; SCPs inherit down |
| SCP | Policy that sets permission boundaries for an OU/account |
| AWS Control Tower | Automates multi-account setup with guardrails |
| Consolidated billing | Single payment; aggregate usage for Reserved Instance discounts |

Direct Connect vs Site-to-Site VPN

| Feature | Direct Connect | Site-to-Site VPN |
| --- | --- | --- |
| Connection type | Dedicated private fiber | IPsec over public internet |
| Bandwidth | Up to 100 Gbps | Up to 1.25 Gbps per tunnel |
| Latency | Consistent, low | Variable (internet) |
| Setup time | Weeks to months | Minutes |
| Cost | Higher (port + data) | Lower ($0.05/hr per VPN) |
| Encryption | Not by default (add MACsec) | Yes (IPsec) |
| Best for | Stable high-bandwidth hybrid workloads | Quick setup / DX backup |

Common pattern: Direct Connect as primary + Site-to-Site VPN as failover for HA.

Transit Gateway

| Feature | Detail |
| --- | --- |
| Purpose | Hub-and-spoke network hub for VPCs and on-premises |
| Replaces | VPC peering mesh (N×(N-1)/2 connections → N connections to TGW) |
| Attachments | VPCs, VPNs, Direct Connect Gateways, other TGWs |
| Inter-region peering | Yes (connect TGWs across regions) |
| Route tables | Multiple route tables for traffic segmentation |
| Multicast | Supported |

Use Transit Gateway when you have 5+ VPCs. VPC peering is simpler for 2–4 VPCs.

AWS Config vs CloudTrail vs CloudWatch

| Service | Answers | Key Use Case |
| --- | --- | --- |
| AWS Config | What did this resource look like over time? | Compliance, config drift |
| CloudTrail | Who made this API call and when? | Audit, forensics |
| CloudWatch | Is my system healthy right now? | Ops monitoring, alerting |

All three are complementary. Use Config for "was this S3 bucket ever public?", CloudTrail for "who changed it?", CloudWatch for "is it up?".

Global Accelerator vs CloudFront

| Feature | Global Accelerator | CloudFront |
| --- | --- | --- |
| Layer | Network (L4 — TCP/UDP) | Application (L7 — HTTP/S) |
| Caching | No | Yes (CDN) |
| IP addresses | Static anycast IPs (2) | Dynamic (changes per DNS TTL) |
| Protocols | TCP, UDP | HTTP, HTTPS, WebSocket |
| Use cases | Gaming, VoIP, IoT, non-HTTP, static IP | Web content, APIs, video streaming |
| Routing | Anycast via AWS backbone | Edge cache + origin pull |
| Blue/Green | Traffic dials per endpoint group | Lambda@Edge / origins |

If the question mentions "static IP" or "non-HTTP" → Global Accelerator. If it mentions "caching" or "content delivery" → CloudFront.

Analytics Services Comparison

| Service | Type | Data Location | Best For |
| --- | --- | --- | --- |
| Athena | Serverless SQL | S3 (query in place) | Ad-hoc S3 queries, pay-per-query |
| Redshift | Data warehouse (MPP) | Redshift cluster / Serverless | Frequent complex analytics |
| EMR | Managed Hadoop/Spark | S3, HDFS | Complex ETL, ML at scale |
| Glue | Serverless ETL + Data Catalog | S3, JDBC sources | Data discovery, ETL pipelines |
| OpenSearch | Search + log analytics | OpenSearch cluster | Full-text search, log analysis |

Athena + Glue Data Catalog + S3 = standard serverless data lake. Add Redshift for repeated heavy queries.

Athena Cost Optimization

| Technique | Savings |
| --- | --- |
| Use columnar format (Parquet/ORC) | Up to 87% less data scanned |
| Partition data in S3 (by date, region) | Skip irrelevant partitions |
| Compress data (Snappy, GZIP) | Reduces data scanned |
| Use workgroups | Set per-query data scan limits |
| Avoid SELECT * | Only scan columns you need |

Athena charges $5 per TB scanned. Columnar + partitions is the #1 exam answer for cost reduction.

Elastic Beanstalk Deployment Policies

| Policy | Downtime | Speed | Rollback | Extra Cost |
| --- | --- | --- | --- | --- |
| All at once | Yes | Fastest | Manual redeploy | None |
| Rolling | No (partial) | Slow | Manual redeploy | None |
| Rolling + additional batch | No | Slow | Manual redeploy | Small (extra instances) |
| Immutable | No | Slowest | Terminate new ASG | Yes (double instances briefly) |
| Blue/Green | No | Slow | Swap URL back | Yes (full duplicate env) |

For zero downtime + easy rollback → Immutable or Blue/Green. Immutable is safer for production.

42 sheets across all topics