My CheatSheet I Derived While Preparing for the AWS Solution Architect Associate Exam — Part I.

Aziza Kasenova · Published in Insider Engineering · Jul 17, 2023

According to statistics from CertWizard, at most 28% of AWS SAA-C03 candidates pass on the first attempt, which leaves a failure rate of 72% [1].

Still, an AWS certificate is a valuable key that allows you to reach the next level, both in development and knowledge. I really learned a lot while getting ready for the exam, which has indeed broadened my horizons, and got the desired badge.


In this article, I want to share a summary of the training process I’ve derived for myself, with comparison graphs for visualization, that helped me get AWS Certification on the first try.

Note that you can’t use the cheatsheet during the exam itself.

The exam content outline looks as follows:

[Figure: exam content outline]

All domains cover how the interconnected AWS services work and how they are applied. Although A Cloud Guru is the best at arranging the services in order:

  • IAM and S3
  • EC2
  • Databases on AWS
  • Advanced IAM
  • Route 53
  • VPCs
  • High Availability Architecture
  • Applications (SQS, SNS, API Gateway)
  • Security
  • Serverless

It is not enough to complete the training.

Together with checking the AWS Documentation for terminology and the latest changes, I highly suggest you to check

both for courses and practice exams. The lecturers are 6x, and 10x AWS Certified geniuses whom I admire a lot.

It is worth noting that, from my perspective, the exams on the platforms include many more details than real AWS exam questions.

Yet, practice is what makes perfect — it was solving these practice exams that was quite beneficial for me, both for understanding the concept of the exam and, again, knowledge. To keep everything in mind and connect different AWS services with the keywords, I’ve prepared the sheet, which was my right hand throughout the whole process.

So, let’s get started with the cheat sheet itself. I’ll go in the order given above. Since the exam area is too wide, I’ve divided the sheet into parts; this one is dedicated to the first 4 topics: IAM, S3, EC2, EBS.

Note: if you see any symbol or abbreviation that is unclear, please visit the Abbreviations, symbols, and appendix section at the very end of the page.

IAM:

A global service that lets AWS customers manage user access and permissions. APIs are available at

  • service, and
  • resource level (sometimes) within AWS — all global, all across available AWS regions.

Tips to protect a root account:

  • enable MFA (multi-factor authentication)
  • no use of root user, create an IAM user with access
  • do not share the root user's access keys; disabling or deleting them is better.

Always go for the least privilege principle — only necessary permissions. New users are created with no permissions.

Policies:

  • AWS managed — standalone, administered by AWS.
  • Customer managed — standalone, administered by you.
  • Inline — embedded in an IAM identity (user/group/role), exists only on IAM identity.

Prefer managed policies over inline ones, so that all policies can be viewed in the console.

IAM users → authentication, assumed programmatically, credentials do expire.

IAM policies → authorization, attached to users or groups. A user is one user only; a group can have many users.

IAM Federation → combine existing user accounts with AWS, uses SAML, Active Directory.

IAM features:

  • fine-grained access
  • centralized control of your AWS account

S3:

Buckets are region-specific, but bucket names are globally unique: a name cannot be repeated across all AWS accounts.

S3 object:

{
key,
value,
version id,
metadata
}
  • 0 bytes < size < 5 TB,
  • 160 GB console upload limit, scales automatically on demand. Multipart upload is recommended for 100 MB, required for >5 GB.

Spread across multiple devices to ensure availability and durability.

Consistency:

  • read after write
  • eventual consistency

Features:

  • lifecycle management, move/delete objects between tiers for cost optimization
  • versioning, good for back-up, stores writes and deletes, a must for replication.
  • encryption
  • MFA
  • secure, private by default. Server-side encryption, ACLs, Bucket policies.
  • S3 Object Lock, write 1 time, read X times.

Available tiers:

1. Standard (↑ $)

  • high availability & durability
  • frequent access

2. Standard Infrequent Access (IA)

  • pay to access data, rapid but infrequent
  • good as storage, not for everyday use

3. S3 One Zone Infrequent Access

  • if you don’t worry about redundancy, 1 AZ (Availability Zone)
  • 20% less price than 1st one
  • good for storing infrequently needed, non-critical data

4. Intelligent Tier

  • combination of frequent and IA data for cost saving

5. Glacier (↓$)

  • pay to access data
  • get data in up to 12 hours

6. Glacier-Deep Archive (↓↓$)

  • get data in 12 hours

Encryption:

1. Encryption in Transit

  • SSL/TLS
  • HTTPS

2. Encryption at Rest (Server-Side Encryption)

  • SSE-S3: S3 managed keys using AES-256 bit encryption
  • SSE-KMS (Key Management Service managed keys)
  • SSE-C: Customer provided keys

3. Encryption at Rest: Client Side encryption

  • Encrypt before uploading it.

Server-side encryption is requested with the `x-amz-server-side-encryption` header in the PUT request.
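One way to enforce both encryption in transit and the server-side encryption header at the bucket level is a bucket policy with two Deny statements. The following is an added example, not code from the original article: the bucket name and the sample requests are constructed, and the small evaluator is a toy that models only the two condition operators used here (it ignores resource matching), so it illustrates the policy logic rather than reproducing AWS's evaluation engine.

```python
import json

def build_policy(bucket):
    """Deny plaintext HTTP and any PUT that lacks the SSE header."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyMissingSSEHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ]}

def context_for(request):
    """Map a constructed request onto the condition keys used above."""
    ctx = {"aws:SecureTransport": "true" if request["tls"] else "false"}
    sse = request["headers"].get("x-amz-server-side-encryption")
    if sse is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse
    return ctx

def condition_matches(condition, ctx):
    """Toy evaluator: models only the Bool and Null operators."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "Bool":
                ok = ctx.get(key) == expected
            elif operator == "Null":
                ok = (key not in ctx) == (expected == "true")
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True

def action_matches(pattern, action):
    return pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1]))

def denying_sids(policy, request):
    """Sids of the Deny statements that would reject this request."""
    ctx = context_for(request)
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny"
            and action_matches(s["Action"], request["action"])
            and condition_matches(s["Condition"], ctx)]

if __name__ == "__main__":
    policy = build_policy("example-bucket")  # hypothetical bucket name
    print(json.dumps(policy, indent=2))
    put_plain = {"action": "s3:PutObject", "tls": True, "headers": {}}  # constructed
    print(denying_sids(policy, put_plain))
```

The header values are `AES256` for SSE-S3 and `aws:kms` for SSE-KMS. SSE-C uploads use separate customer-key headers, so a bucket that accepts SSE-C needs a different condition than the one shown.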

Prefixes = simply folders inside the bucket

  • uniqueBucket/2023/January/1, etc
  • speed: 3500 rps WRITE, 5500 for READ
  • performance is better if more prefixes, uniqueBucket/2023/January/1 is better than uniqueBucket/2023 and all months info is in 2023

EC2:

Pricing models:

[Figure: comparison of pricing models]

Spot fleet — collection of spot (and sometimes on-demand) instances. Selects the Spot capacity pools that meet your needs.

Multiple pools can be defined, according to instance types, OS, and AZ, to let the fleet choose the optimal pools for the defined strategy:

1. price-capacity-optimized

  • recommended
  • the fleet identifies the highest capacity availability and then requests the lowest priced of these pools

2. capacity-optimized

  • the fleet identifies the highest capacity availability, optimizes for capacity first

3. diversified

  • distributed across all Spot capacity pools

4. lowest-price

  • default one
  • instances come from the lowest-priced pool

5. InstancePoolsToUseCount

  • valid only if the strategy is set to `lowest-price`
  • the fleet attempts to draw instances from the number of pools that you specify.

Security Groups (SG):

  • All inbound traffic in security groups is blocked by default; an inbound rule with source 0.0.0.0/0 allows it from any IPv4 address.
  • All outbound traffic is allowed by default (think of it as AWS being strict about what it takes in, but free to reach anything outside).
  • Rule changes are applied immediately, like IAM roles.
  • No blacklisting with SGs: rules can only allow traffic, not deny it.

Roles can be attached/detached to running EC2, no need to stop it.

Virtual Networking Cards:

  • can be attached to EC2 instance

Always choose Elastic Network Adapter over Virtual Function.

Placement Groups:

Logical grouping of instances in selected AWS Regions.

  • merging placement groups is not possible
  • use homogeneous instances within a cluster placement group
  • to move an existing instance into a placement group, stop it first.

EBS:

Block-level storage volumes for use with EC2 instances [2].

[Figure: EBS and EC2 in the same AZ]

Let the information from the picture stay in your mind: EBS is attached to EC2 in the same AZ.

  • at least one volume per EC2 instance is present — root device volume.
  • automatically replicated within a single AZ.
  • not encrypted by default
  • cannot be encrypted on the fly; instead, do it with snapshots

Capacity and volume type can be dynamically increased

  • without detaching them
  • with no performance impact.

EBS Snapshots:

EBS is a virtual disk; a snapshot is a photo of that disk.

  • it captures the state of the volume at that moment
  • incremental (only what is added)
  • snapshot encryption = volume encryption
  • you can add encryption later for even an unencrypted snapshot
  • encrypted snapshots are encrypted automatically. I suggest you try it out yourself to understand the steps needed for encryption, here is an amazing article for it.
  • to snap the root, stop the instance
  • Amazon Data Lifecycle Manager can be used in automating snapshots.

AMI, Amazon Machine Images

A virtual machine image for EC2.


Types:

  1. EBS, created from an Amazon EBS snapshot, can be stopped. No data loss on instance stop.
  2. Instance Store = Ephemeral, created from a template stored in S3, cannot be stopped. Data is lost if underlying host fails.

For both of them:

  • data is not lost when rebooting
  • ROOT volumes are deleted on termination (by default, can be adjusted).

EBS hibernation (suspend-to-disk)

  • saves the RAM’s content to EBS root, and freezes all running processes prior to it.
  • more costly and faster
  • no need to reload the OS
  • instance RAM must be less than 150 GB
  • max 60 days
  • for on-demand and reserved instances

EFS:

[Figure: EFS with EC2 instances across multiple AZs]

Let the information from the graph stay in your mind: EFS works with EC2 instances across multiple AZs.

  • EFS loves multi-AZ.
  • Linux only!
  • supports NFS v4
  • pay for the storage you use only
  • scales automatically
  • scale to Petabytes!
  • data stored across multiple AZ
  • ↑ $ but ↑ Available and Scalable
  • distributed, ↑ resilient
  • READ and WRITE consistency
  • encryption at rest (KMS)

FSx for Windows:

  • Windows-based
  • Sharepoint
  • MS SQL
  • SMB

FSx for Lustre:

  • ↑ speed and capacity
  • HPC
  • financial modeling, ↑ performance computing, ML
  • can store on S3

AWS Backup:

  • $ effective
  • backup for EC2, EBS, EFS, FSx for Windows, and Lustre.

To back up AWS services across multiple AWS accounts → AWS Backup + AWS Organizations.

This is it for part I. Stay tuned for the remaining parts. Hope you enjoyed reading it! 🤞

Open to your comments and suggestions in comments 📝.
And feel free to contact me on LinkedIn as well.

Let me know if you want me to add new details, or to expand existing ones.

Check out our Insider Engineering Blog for more solutions needed in real-life:

  • Sync Autotuner Reduced Our EMR Cost by 25%
  • Simple Ways of Optimizing Your AWS Cost
  • Managing Deployment Cycles for Hundreds of Repositories

Abbreviations, symbols, and appendix:

AZ — Availability Zone

HPC — High-Performance Computing

↑ — high

↓$ — low cost

↑ $ — high cost

↑ $$$ — the most expensive

↓$$$ — the lowest cost

References:

[1] “Don’t FAIL AWS Certified Solutions Architect Associate (SAA-C03)!!!,” Certwizard, Nov. 01, 2022. https://certwizard.com/blog/dont-fail-aws-solutions-architect-test#:~:text=The%20AWS%20Certified%20Solutions%20Architect

[2] “Amazon Elastic Block Store (Amazon EBS) — Amazon Elastic Compute Cloud,” docs.aws.amazon.com. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html
