General Exam Tips
1. Read ALL four answer choices before selecting — AWS questions are written to make the first plausible-sounding option feel right. The correct answer is often the last one you read.
2. For multiple-response questions, the prompt tells you exactly how many answers to select (e.g., 'Select TWO'). Never guess the count — it's always stated.
3. When two answers both seem correct, ask yourself: which one is MORE specific to what the question is asking? Eliminate answers that are technically true but don't address the scenario.
4. Flag hard questions and move on immediately. With 65 questions in 90 minutes, you have about 1.4 minutes per question. Burning 4+ minutes on a single question costs you questions you could have answered easily.
5. There are unscored pilot questions (around 15 of the 65) you won't be able to identify. Treat every question seriously — don't assume any question is a freebie.
6. Eliminate obviously wrong answers first. AWS exam distractors are usually clearly out of scope (e.g., suggesting a service that does the complete opposite of what's needed).
7. If a question mentions 'compliance audit,' 'who made API calls,' or 'account activity,' the answer almost always involves CloudTrail, not CloudWatch.
8. Questions about 'cost savings with committed usage' are about Reserved Instances or Savings Plans — not Spot Instances, which are for interruptible workloads.
9. Do a system technical check at least 30 minutes before the exam if taking it online proctored — the 'automodedetect' error in OnVue has tripped up real test-takers.
10. Aim for 80%+ on practice exams before scheduling. The real exam is slightly harder than most free practice tests.
Cloud Technology and Services
Must-Know Facts
- EC2 is IaaS — you manage the OS, patching, and applications. AWS manages the hypervisor and physical hardware.
- Lambda is event-driven and serverless — you pay per invocation and per 1ms of execution time. No servers to manage. Hard limit: 15 minutes max execution time.
- EBS volumes are block storage tied to a single AZ. They cannot span Availability Zones. Snapshots are stored regionally: a snapshot can be used to create a new volume in any AZ of the same Region, and it can be copied to other Regions.
- EFS provides shared file storage mountable by multiple EC2 instances simultaneously across AZs. EBS can only attach to one instance at a time (with exceptions for multi-attach).
- S3 is object storage accessed via API. It is NOT a file system and cannot be used to install or run an OS.
- RDS manages the OS, DB engine patching, and automatic backups. You still own the data, schema, and IAM access to the database.
- DynamoDB is fully serverless NoSQL with single-digit millisecond latency. It scales automatically. Only the primary key (partition key plus optional sort key) is fixed; every other attribute of an item is schemaless.
- Regions contain multiple Availability Zones. AZs are isolated groups of data centers within a Region, connected by low-latency links. Edge Locations are separate from Regions/AZs and serve the global edge services, chiefly CloudFront and Route 53 (AWS Global Accelerator uses them as well).
- NAT Gateway allows private subnet EC2 instances to make outbound internet connections (e.g., download updates) without being reachable from the internet.
- CloudFront is a CDN that caches content at edge locations. It does NOT host content — it distributes content from an origin (S3, EC2, ALB).
- Elastic Beanstalk is PaaS — you upload code and it handles provisioning, load balancing, auto-scaling. You still have access to the underlying EC2 instances.
- Auto Scaling scales OUT (adds more instances) horizontally. Scaling UP (bigger instance = vertical scaling) requires stopping and resizing — it is NOT what Auto Scaling does by default.
Scenario Tips
- Scenario: Question mentions 'company wants to run workloads without managing servers' or 'serverless compute'.
  Answer: Lambda (for event-driven short tasks) or Fargate (for containers without managing EC2). Both are serverless. Lambda = code functions. Fargate = container workloads.
  Trap: EC2 is a common wrong answer — it requires managing the OS and cannot be called 'serverless.'
- Scenario: Question asks which service to use to host a static website with global low latency.
  Answer: S3 for static hosting + CloudFront for global distribution. S3 alone is the origin; CloudFront caches it at edge locations.
  Trap: EC2 is a distractor — it works for hosting but is more expensive and not inherently global.
- Scenario: Question asks about a database for 'millions of IoT events per second' or 'flexible schema at massive scale'.
  Answer: DynamoDB — it's designed for single-digit millisecond latency at any scale with a flexible schema (only the primary key is fixed).
  Trap: RDS is wrong — relational databases don't scale horizontally the same way and require a fixed schema.
- Scenario: Question describes 'users worldwide experiencing high latency' and asks how to improve performance.
  Answer: CloudFront if the content is cacheable (static assets). Route 53 latency-based routing if the application itself is deployed in several Regions and each user should be sent to the nearest one. Both use AWS's global infrastructure.
  Trap: Placing EC2 in more AZs within one Region is wrong — AZs within a Region are geographically close; this doesn't help users on the other side of the world.
- Scenario: Question asks how to allow EC2 instances in a private subnet to download patches from the internet.
  Answer: NAT Gateway in a public subnet. The private subnet's route table sends 0.0.0.0/0 to the NAT Gateway, which forwards outbound traffic through the Internet Gateway; the internet cannot initiate connections back.
  Trap: Internet Gateway alone is wrong — a default route to the IGW is precisely what makes a subnet public. Private subnet instances (no public IP, no IGW route) cannot use an IGW directly.
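The public/private distinction above is entirely a property of the subnet's route table, so it can be audited mechanically. The following is an added example (not code from the original page): it classifies each subnet from its route table as public (default route to an Internet Gateway), private-egress (default route to a NAT Gateway) or isolated (no default route), then compares that with what the operator intended. It flags the two mistakes behind this scenario: a subnet meant to be private whose route table actually points 0.0.0.0/0 at the IGW, and a private subnet with no NAT route, whose instances will never reach the patch repositories. The dict shapes follow the EC2 DescribeRouteTables output (Routes, Associations, Main), but every ID and the intent map are constructed for the example.

```python
# Constructed route tables and subnet intents for this example (not real AWS
# output). Each table has Routes and Associations; a table whose Associations
# contain Main == True is the VPC's main table and applies to every subnet
# without an explicit association. All IDs are invented.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-web", "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d"}]},
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d"}]},
    # Misconfiguration: a subnet the team calls 'private' routed straight to the IGW.
    {"RouteTableId": "rtb-db", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d"}]},
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

# What the operator intends each subnet to be (e.g. taken from a Tier tag); constructed.
INTENDED = {"subnet-web": "public", "subnet-app": "private",
            "subnet-db": "private", "subnet-batch": "private"}


def route_table_for(subnet_id, tables=ROUTE_TABLES):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for table in tables:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify(subnet_id, tables=ROUTE_TABLES):
    """'public' (0.0.0.0/0 -> IGW), 'private-egress' (-> NAT Gateway) or 'isolated'."""
    table = route_table_for(subnet_id, tables)
    if table is None:
        return "isolated"
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private-egress"
    return "isolated"


def audit(intended=INTENDED, tables=ROUTE_TABLES):
    """Compare each subnet's intended tier with what its route table actually does."""
    findings = []
    for subnet, want in intended.items():
        got = classify(subnet, tables)
        if want == "private" and got == "public":
            findings.append((subnet, "HIGH", "default route goes to the IGW; any instance "
                             "given a public IP is reachable from the internet"))
        elif want == "private" and got == "isolated":
            findings.append((subnet, "INFO", "no NAT route; instances cannot download "
                             "patches or updates"))
        elif want == "public" and got != "public":
            findings.append((subnet, "WARN", "intended public but has no IGW route"))
    return findings


if __name__ == "__main__":
    for subnet in INTENDED:
        print(subnet, classify(subnet))
    for finding in audit():
        print(*finding)
```

The HIGH finding only becomes exploitable once an instance in that subnet has a public IPv4 address (auto-assign on launch or an attached Elastic IP), which is why the message says so; the INFO finding is the availability side of the same scenario.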
Security and Compliance
Must-Know Facts
- Shared Responsibility Model: AWS owns security OF the cloud (physical, network, hypervisor, managed service software). You own security IN the cloud (data, IAM, OS patching on EC2, encryption choices, firewall rules).
- For managed services like RDS, AWS also owns OS and DB engine patching. For EC2, you own OS patching. The line shifts based on the service abstraction level.
- IAM best practices: enable MFA everywhere, use roles instead of long-term credentials (users), never use root account for daily operations, apply least privilege.
- IAM Roles provide temporary credentials — no passwords or long-term access keys. Services, applications, and cross-account access should use roles.
- SCPs (Service Control Policies) in AWS Organizations set the maximum permissions for member accounts — they do NOT grant permissions. An action is allowed only if both the SCP and the IAM policy allow it, so even if an IAM policy allows an action, an SCP can block it. SCPs do not apply to the management account.
- GuardDuty = threat detection using ML (analyzes VPC Flow Logs, CloudTrail events, DNS logs). Inspector = vulnerability assessment for EC2, Lambda, and containers. Macie = PII/sensitive data discovery in S3.
- Shield Standard is free and automatic for all AWS accounts — it protects against common L3/L4 DDoS attacks. Shield Advanced costs money and adds a 24/7 DDoS Response Team.
- WAF (Web Application Firewall) filters HTTP/HTTPS at L7 — blocks SQL injection, XSS, IP rules. Attaches to CloudFront, ALB, or API Gateway.
- AWS Artifact is the self-service portal for downloading AWS compliance reports (SOC 1/2/3, PCI DSS, ISO certifications). Free to access.
- CloudTrail logs API activity by default for 90 days in Event History. To retain beyond 90 days, create a Trail that writes to S3.
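Once a Trail is writing to S3, the 'who made API calls' question from the exam tips becomes a matter of reading the userIdentity block of each record. The following is an added example, not code from the original page: a small detector that runs over CloudTrail records and flags the three things a practitioner checks first, root-account use, console logins without MFA, and IAM changes that alter who can do what. The four records are constructed to match the CloudTrail record layout (userIdentity, eventSource, eventName, sourceIPAddress, additionalEventData.MFAUsed); the account ID, names, session ID and IP addresses are invented.

```python
import json
from typing import Iterable

# Constructed sample CloudTrail records for this example (not real events).
# Field names follow the CloudTrail record format; all values are invented.
SAMPLE_TRAIL = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
     "requestParameters": {"userName": "svc-deploy"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
     "requestParameters": {"userName": "svc-deploy",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "GetItem", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppServerRole/i-0abc123",
                      "sessionContext": {"sessionIssuer": {"type": "Role",
                                                           "userName": "AppServerRole"}}}},
]

# IAM write calls that change who can do what; whoever makes them deserves a look.
PRIVILEGE_CHANGES = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                     "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                     "PutRolePolicy", "UpdateAssumeRolePolicy"}


def actor_of(event: dict) -> str:
    """Turn the userIdentity block into a readable 'who'."""
    ident = event.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return f"user/{ident.get('userName', '?')}"
    if kind == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        session = ident.get("arn", "").rsplit("/", 1)[-1]   # role session name
        return f"role/{issuer.get('userName', '?')} (session {session})"
    return kind or "unknown"


def findings_for(event: dict) -> list:
    """Apply the three rules to one record; returns zero or more findings."""
    out = []
    ident = event.get("userIdentity", {})
    name = event.get("eventName")
    base = {"actor": actor_of(event), "event": name,
            "ip": event.get("sourceIPAddress"), "time": event.get("eventTime")}
    if ident.get("type") == "Root":
        out.append({**base, "severity": "HIGH", "rule": "root-account-used"})
    if name == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") == "No":
        out.append({**base, "severity": "MEDIUM", "rule": "console-login-without-mfa"})
    if name in PRIVILEGE_CHANGES:
        out.append({**base, "severity": "MEDIUM", "rule": "iam-privilege-change",
                    "target": event.get("requestParameters", {})})
    return out


def analyze(events: Iterable[dict]) -> list:
    """Run every rule over every record, returning findings in trail order."""
    findings = []
    for event in events:
        findings.extend(findings_for(event))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_TRAIL):
        print(json.dumps(finding))
```

The instance's DynamoDB call in the last record produces no finding, but its actor string shows how an assumed-role session is attributed back to the role and the session name (here the instance ID), which is what you want when an EC2 role is misused. GuardDuty applies far richer analysis to the same log source; the point here is only that CloudTrail records carry enough identity detail to answer the question on their own.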
Scenario Tips
- Scenario: Question asks 'who is responsible for patching the operating system on Amazon EC2 instances?'
  Answer: The customer. EC2 is IaaS — AWS provides the virtualized hardware but the guest OS is entirely the customer's responsibility.
  Trap: AWS is a wrong answer — AWS only patches the OS for fully managed services like RDS, not for EC2.
- Scenario: Question asks 'who is responsible for patching the database engine on Amazon RDS?'
  Answer: AWS. RDS is a managed service — AWS handles OS and database engine patching. The customer controls the data and access configuration.
  Trap: The customer is wrong for RDS — this is the key distinction between EC2 + self-managed DB (customer patches) vs RDS (AWS patches).
- Scenario: Question describes 'an EC2 instance needs to call DynamoDB without hardcoding access keys in code'.
  Answer: Assign an IAM Role to the EC2 instance (through an instance profile). The SDK fetches short-lived credentials for the role from the instance metadata service and rotates them automatically; no access keys are stored anywhere. Require IMDSv2 on the instance so that an SSRF bug in the application cannot be turned into a credential leak as easily.
  Trap: Creating an IAM User and embedding the access key in the application is the wrong, insecure approach — it's a common trap because it technically works but violates best practices.
- Scenario: Question asks which service monitors for unauthorized API calls, unusual login patterns, and potential compromises.
  Answer: Amazon GuardDuty. It uses ML and threat intelligence to detect threats by analyzing CloudTrail logs, VPC Flow Logs, and DNS query logs.
  Trap: CloudWatch is wrong — CloudWatch monitors performance metrics, not security threat behavior patterns.
- Scenario: Question asks how an organization can prove their AWS environment meets PCI DSS compliance for an audit.
  Answer: Use AWS Artifact to download AWS's PCI DSS compliance reports. These are official attestation documents from AWS covering AWS's side of the shared responsibility model; evidence for the customer's own controls still has to come from the customer.
  Trap: GuardDuty or AWS Config are wrong answers — they help you manage your compliance posture, but they don't provide the official AWS certification documents an auditor needs.
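The EC2-to-DynamoDB scenario above and the SCP fact in the Must-Know list combine naturally: the instance's role carries a least-privilege identity policy, and the organization's SCP caps what any principal in the account can do. The following is an added example, not code from the original page, showing how those two documents are intersected. The role policy allows only dynamodb:GetItem and dynamodb:Query on one table (in any Region); the SCP allows everything except DynamoDB outside eu-west-1. The evaluator implements only the subset of IAM evaluation needed here (an explicit Deny wins, an action must be allowed by both the SCP and the identity policy, '*' and '?' wildcards in Action/Resource, and the StringEquals/StringNotEquals operators on a single context key); NotAction, NotResource, resource-based policies, permissions boundaries and session policies are out of scope. The account ID, table names and Region are constructed.

```python
import fnmatch

# Constructed policy documents for this example (account ID, table and Region
# are invented). Both follow the IAM policy JSON layout.

# Identity policy on the EC2 instance's role: read-only on one table, any Region.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:*:111122223333:table/Orders"},
    ],
}

# SCP on the OU: allow everything, but deny DynamoDB outside eu-west-1.
ORG_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Only the StringEquals / StringNotEquals operators used above are supported."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'Implicit' (no statement matched) for one document."""
    verdict = "Implicit"
    for st in policy["Statement"]:
        # Action names are matched case-insensitively, resource ARNs case-sensitively.
        if not any(_glob(p.lower(), action.lower()) for p in _as_list(st.get("Action", []))):
            continue
        if not any(_glob(p, resource) for p in _as_list(st.get("Resource", []))):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"            # an explicit deny ends evaluation
        verdict = "Allow"
    return verdict


def is_allowed(scp, identity_policy, action, resource, context):
    """SCP and identity policy are intersected: both must allow and neither may deny."""
    scp_verdict = evaluate(scp, action, resource, context)
    id_verdict = evaluate(identity_policy, action, resource, context)
    if "Deny" in (scp_verdict, id_verdict):
        return False
    return scp_verdict == "Allow" and id_verdict == "Allow"


def check(action, region, table="Orders"):
    """Wrapper for the DynamoDB scenario: build the ARN and request context."""
    arn = f"arn:aws:dynamodb:{region}:111122223333:table/{table}"
    return is_allowed(ORG_SCP, ROLE_POLICY, action, arn, {"aws:RequestedRegion": region})


if __name__ == "__main__":
    print(check("dynamodb:GetItem", "eu-west-1"))           # True
    print(check("dynamodb:PutItem", "eu-west-1"))           # False: role never allowed it
    print(check("dynamodb:GetItem", "us-east-1"))           # False: role allows, SCP denies
    print(check("dynamodb:GetItem", "eu-west-1", "Users"))  # False: wrong table
```

The third case is the exam point in code: the role's identity policy allows the read in us-east-1, and the SCP still blocks it. Remember the caveat from the fact list when testing this for real: the same SCP has no effect on principals in the management account.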
Cloud Concepts
Must-Know Facts
- Six advantages of cloud computing: (1) Trade capital expense for variable expense, (2) Benefit from massive economies of scale, (3) Stop guessing capacity, (4) Increase speed and agility, (5) Stop spending money running data centers, (6) Go global in minutes.
- AWS Well-Architected Framework has SIX pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability. Sustainability was added in 2021 — many study materials still list five.
- IaaS vs PaaS vs SaaS: IaaS (EC2, VPC) — you manage OS upward. PaaS (Elastic Beanstalk, RDS) — you manage app and data only. SaaS (Amazon WorkMail, QuickSight) — you manage nothing infrastructure-related.
- Elasticity = automatically adding resources when demand rises and releasing them when it falls, so you pay only for what is in use. Scalability = the ability to handle growth by adding resources (vertically or horizontally), whether or not that happens automatically. They are related but not identical.
- High Availability = designing for minimal downtime (multi-AZ). Fault Tolerance = system continues operating even when components fail (stronger than HA).
- Hybrid cloud = combination of on-premises (or private cloud) with public cloud. NOT the same as multi-cloud (using multiple public clouds).
- AWS Cloud Adoption Framework (CAF) has 6 perspectives: Business, People, Governance, Platform, Security, Operations. Used for migration planning, not architecture design.
Scenario Tips
- Scenario: Question asks which cloud advantage eliminates the need to predict server capacity months in advance.
  Answer: Stop guessing capacity (or 'Trade capital expense for variable expense'). The cloud lets you scale instantly, removing the need for upfront capacity planning.
  Trap: 'Go global in minutes' is wrong — that advantage is about geographic expansion speed, not capacity planning.
- Scenario: Question asks which Well-Architected Framework pillar focuses on recovering from failures and meeting demand.
  Answer: Reliability. The Reliability pillar covers disaster recovery, scaling to meet demand, and automatic recovery from failure.
  Trap: Performance Efficiency is wrong — that pillar is about using resources efficiently, not about recovering from failures.
- Scenario: Question says 'a company needs to maintain data in their existing data center for regulatory reasons but also wants to use AWS'.
  Answer: Hybrid cloud deployment model. Regulated data stays on-premises, while other workloads run in AWS, connected via Direct Connect or VPN.
  Trap: Private cloud is wrong — private cloud means running everything privately, not a combination of on-premises and public cloud.
- Scenario: Question asks which model requires the customer to manage the OS, patching, and runtime environment.
  Answer: IaaS (Infrastructure as a Service). With EC2, you manage everything from the OS layer up.
  Trap: PaaS is wrong — PaaS providers manage the OS and runtime, leaving only the application and data to the customer.
Billing and Pricing
Must-Know Facts
- EC2 pricing models: On-Demand (pay by second/hour, no commitment), Reserved (1- or 3-year commitment, up to 72% savings), Spot (up to 90% savings, can be interrupted with a 2-minute warning), Savings Plans (commit to a $/hr spend for 1 or 3 years; Compute Savings Plans apply across EC2, Fargate and Lambda).
- Reserved Instances: Standard RI (locked to the instance family and Region, maximum savings, up to 72%) vs. Convertible RI (can be exchanged for a different instance family, OS or tenancy, somewhat less savings, up to 66%).
- Data transfer pricing: Data IN to AWS is free. Data OUT from AWS to the internet is charged. Data transfer between services in the same Region is often free or very cheap.
- AWS Free Tier has three types: Always Free (Lambda 1M requests/mo, DynamoDB 25GB — never expires), 12 Months Free (EC2 t2.micro 750hr/mo — starts from account creation date), Trials (short-term specific offers).
- Support plans in order: Basic (free) → Developer (~$29/mo) → Business (~$100/mo) → Enterprise On-Ramp → Enterprise (most expensive, dedicated TAM).
- TAM (Technical Account Manager) is only available on Enterprise On-Ramp (shared pool of TAMs) and Enterprise (dedicated TAM) plans.
- AWS Organizations enables consolidated billing — multiple accounts roll up to one bill, and combined usage can unlock volume discount tiers that individual accounts wouldn't qualify for.
- Cost Explorer analyzes past and current spending with visualizations. AWS Budgets sets thresholds and sends alerts for future/forecasted spending.
Scenario Tips
- Scenario: Question asks about the most cost-effective option for predictable, steady-state workloads running 24/7 for the next 3 years.
  Answer: Reserved Instances (1 or 3 year) or Savings Plans. Both offer up to 72% savings. Choose Savings Plans if the question emphasizes flexibility across instance types or services.
  Trap: Spot Instances are wrong for steady-state production workloads — they can be interrupted. On-Demand is wrong — it's the most expensive option with no discount.
- Scenario: Question asks which service lets you receive an email when your monthly bill is projected to exceed $200.
  Answer: AWS Budgets. You create a budget threshold and configure an SNS alert to email you when actual or forecasted cost approaches or exceeds the limit.
  Trap: Cost Explorer is wrong — it shows you spending data but does not send proactive alerts. CloudWatch is wrong — it monitors infrastructure metrics, not billing thresholds (though AWS does have billing alarms in CloudWatch, Budgets is the cleaner exam answer).
- Scenario: Question asks which support plan includes a Technical Account Manager (TAM) and proactive architectural reviews.
  Answer: Enterprise Support (dedicated TAM) or Enterprise On-Ramp (pool of TAMs). If the question says 'dedicated TAM,' it must be Enterprise.
  Trap: Business Support is wrong — it has no TAM, only access to Cloud Support Engineers.
- Scenario: Question asks about EC2 pricing for a workload that runs only for a few hours each weekend and cannot be interrupted.
  Answer: On-Demand Instances. Short duration, infrequent, and must not be interrupted rules out Spot (interruptible) and Reserved (long-term commitment for a job that barely runs).
  Trap: Reserved Instances are wrong — they save money only when usage is consistent and heavy. Paying for a 1-year RI for a workload that runs only weekends wastes money.