
SAA-C03 Cheat Sheet

Quick reference for the AWS Certified Solutions Architect – Associate exam.

VPC & Networking

VPC CIDR Range
VPC supports IPv4 CIDR blocks from /16 (65,536 IPs) to /28 (16 IPs). Subnets must be within the VPC CIDR. AWS reserves 5 IPs per subnet (first 4 + last 1).
Public vs Private Subnet
Public subnet: route table has 0.0.0.0/0 → Internet Gateway. Private subnet: route table has 0.0.0.0/0 → NAT Gateway (for outbound internet). NAT Gateway is managed, HA within an AZ; deploy one per AZ for full HA.
VPC Peering vs Transit Gateway
VPC Peering: 1-to-1, non-transitive, low latency, no bandwidth limit. Transit Gateway: hub-and-spoke, connects many VPCs/on-prem, supports transitive routing, multicast; use when managing 3+ VPCs.
VPC Endpoints — Gateway vs Interface
Gateway Endpoint: free, modifies route table, supports only S3 and DynamoDB, within same Region. Interface Endpoint (AWS PrivateLink): ENI in your subnet, costs per hour + per GB, supports 100+ services, works across accounts within the same Region.
AWS PrivateLink
Expose your service to other VPCs without VPC peering or exposing to the internet. Requires a Network Load Balancer on the provider side and an Interface VPC Endpoint on the consumer side.
NAT Gateway vs NAT Instance
NAT Gateway: managed, scales to 100 Gbps, no patching, HA per AZ, no security group, billed per hour + per GB. NAT Instance: self-managed EC2, can be used as bastion, lower cost for small traffic, must disable source/dest check.
Direct Connect vs Site-to-Site VPN
Direct Connect: dedicated private connection, 1–100 Gbps, consistent latency, not encrypted by default (use MACsec or VPN over DX). Site-to-Site VPN: IPsec over public internet, quick setup, up to 1.25 Gbps per tunnel. Use VPN as backup for DX.

EC2 & Auto Scaling

Instance Type Families
General (M, T): balanced CPU/RAM. Compute Optimized (C): high CPU, batch/ML. Memory Optimized (R, X, z): large in-memory workloads. Storage Optimized (I, D, H): high IOPS NVMe or dense HDD. Accelerated (P, G, Inf): GPU/ML. T-series supports CPU credits (burstable).
Placement Groups
Cluster: same AZ, same rack — lowest latency, 10 Gbps enhanced networking, high failure risk. Spread: different hardware across AZs — max 7 instances per AZ per group, best HA. Partition: isolated partitions per AZ — Hadoop/Kafka/Cassandra, up to 7 partitions per AZ.
Launch Template vs Launch Configuration
Launch Template: supports versioning, mixed instance types, Spot+On-Demand, T2/T3 unlimited, newer features. Launch Configuration: legacy, no versioning, no mixed types. Always prefer Launch Templates for new ASGs.
ASG Scaling Policies
Target Tracking: maintain a metric at a target (e.g., CPU at 50%) — simplest, recommended. Step Scaling: scale by defined increments based on CloudWatch alarm breach magnitude. Scheduled: scale at a known time. Predictive: ML-based, pre-scales based on historical load patterns.
EC2 Purchasing Options
On-Demand: pay per second, no commitment. Reserved (1–3 yr): up to 72% discount, Standard (no change) or Convertible (can change type). Savings Plans: flexible, commit to $/hr. Spot: up to 90% off, interruptible with 2-min warning. Dedicated Host: physical server, compliance/licensing.
Instance Store vs EBS
Instance Store: physically attached NVMe, extremely fast, ephemeral (lost on stop/terminate), no additional cost. EBS: network-attached, persistent, detachable, snapshotted to S3. Use instance store for temporary buffers, scratch data, or cache.

Load Balancing

ALB vs NLB vs GLB
ALB (Application): Layer 7 HTTP/HTTPS/gRPC, content-based routing (path/host/header/query), WebSocket, WAF integration. NLB (Network): Layer 4 TCP/UDP/TLS, millions of RPS, static IP/Elastic IP, lowest latency, preserve source IP. GLB (Gateway): Layer 3 GENEVE, inspects traffic via third-party appliances (firewalls, IDS/IPS).
Health Checks
All LBs perform health checks on registered targets. ALB checks HTTP response codes (default 200). NLB checks TCP connection or HTTP/HTTPS. Unhealthy targets are taken out of rotation. Configure interval, threshold, and timeout appropriately.
Sticky Sessions (Session Affinity)
ALB: application-based (app sets cookie) or duration-based (LB generates cookie). NLB: source-IP stickiness available but disabled by default; TCP flow hashing is not the same as session stickiness. Stickiness can cause uneven load distribution; use sparingly or externalize session state to ElastiCache/DynamoDB.
Cross-Zone Load Balancing
Distributes traffic evenly across all registered targets in all enabled AZs. ALB: default on; can be overridden at target group level since 2023, no charge. NLB/GLB: disabled by default, charged for inter-AZ data transfer when enabled. Prevents AZ imbalance when instance counts differ per AZ.
Connection Draining / Deregistration Delay
Allows in-flight requests to complete before deregistering a target. Default: 300 seconds (range: 0–3600). Set to 0 for Lambda targets or short-lived connections. Set lower for stateless apps, higher for long-running connections.
ALB Routing Rules
Forward to target group, redirect (HTTP→HTTPS), fixed response (503 maintenance), authenticate (Cognito/OIDC). Conditions: host header, path, HTTP method, query string, source IP, HTTP headers. Rules evaluated in priority order; default rule is the catch-all.

S3 Deep Dive

S3 Storage Classes
Standard: frequent access, ms latency, 3 AZs. Standard-IA: infrequent, ms latency, retrieval fee, min 30-day charge. One Zone-IA: single AZ, 20% cheaper, for re-creatable data. Intelligent-Tiering: auto-moves between tiers, monitoring fee. Glacier Instant: ms retrieval, min 90 days. Glacier Flexible: 1–5 min to 12 hr retrieval, min 90 days. Glacier Deep Archive: 12–48 hr, min 180 days, cheapest.
S3 Replication (CRR vs SRR)
Cross-Region Replication (CRR): compliance, lower latency for global users, cross-account. Same-Region Replication (SRR): log aggregation, live replication between prod/test. Requirements: versioning must be enabled on both source and destination buckets. Replication is asynchronous. Delete markers are not replicated by default.
S3 Encryption
SSE-S3: AWS-managed AES-256 keys, header x-amz-server-side-encryption: AES256, no extra cost. SSE-KMS: customer controls key policy, audit via CloudTrail, header x-amz-server-side-encryption: aws:kms, KMS API call costs apply. SSE-C: customer provides the key in request headers on every request, AWS does not store the key. Client-side: encrypt before upload.
Versioning & Lifecycle
Versioning: once enabled, cannot be fully disabled (only suspended). Protects against accidental deletes (delete marker). Lifecycle rules: transition objects between storage classes based on age (e.g., Standard → IA after 30 days → Glacier after 90 days). Can expire versions and delete incomplete multipart uploads.
Presigned URLs
Grants temporary access to a private S3 object without changing bucket policy. Signed with IAM credentials of the requester. Default expiry: 3,600 seconds (max 7 days with IAM user credentials; with IAM role temporary credentials, URL expires when the session token expires). Use for: download links for authenticated users, upload without exposing credentials.
S3 Transfer Acceleration
Speeds up uploads by routing through CloudFront edge locations via optimized AWS backbone. Best for large files (>1 GB) from distant geographic locations. Enabled per bucket; uses accelerate endpoint: bucketname.s3-accelerate.amazonaws.com. Additional per-GB charge only when faster than standard.
S3 Performance
3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix. Use multiple prefixes to parallelize. Multipart upload recommended for files >100 MB, required >5 GB. S3 Byte-Range Fetches: parallelize GETs. S3 Batch Operations: bulk operations on billions of objects.

Database Services

RDS Multi-AZ vs Read Replicas
Multi-AZ: synchronous standby replica in another AZ, automatic failover (60–120 sec), same Region, used for HA (not performance). Read Replicas: asynchronous replication, up to 15 replicas, cross-Region supported, can be promoted to standalone DB. Read Replicas reduce read load; Multi-AZ reduces downtime.
Aurora Architecture
Storage auto-scales 10 GB to 128 TB. 6 copies of data across 3 AZs (4/6 for writes, 3/6 for reads). Up to 15 low-latency read replicas. Aurora Global Database: 1 primary Region + up to 5 secondary Regions, sub-second replication, <1 sec RPO. Failover in <1 min within Region. Aurora Serverless v2: scales in fine-grained increments, ideal for variable workloads.
DynamoDB Capacity Modes
Provisioned: specify RCUs/WCUs, supports auto-scaling, predictable cost, can use Reserved Capacity. On-Demand: pay per request, no capacity planning, 2× cost of provisioned at peak. 1 RCU = 1 strongly consistent read of 4 KB/s or 2 eventually consistent reads. 1 WCU = 1 write of 1 KB/s.
DynamoDB DAX & Global Tables
DAX: in-memory cache cluster, microsecond latency for reads, write-through, API-compatible but requires using DAX client/endpoint. Global Tables: multi-Region, multi-active replication, last-writer-wins conflict resolution; requires on-demand or auto-scaling. DynamoDB Streams: ordered item-level changes, 24-hr retention, triggers Lambda.
ElastiCache: Valkey/Redis OSS vs Memcached
Valkey/Redis OSS: supports persistence, replication, read replicas, cluster mode (sharding), Sorted Sets/Lists/Geospatial, pub/sub, Lua scripting. HA with Multi-AZ + automatic failover. Memcached: pure cache, multi-threaded, no replication/persistence, simpler. Choose Valkey/Redis OSS for session store, leaderboards, queues; Memcached for pure object caching with horizontal scaling.
RDS Proxy
Fully managed connection pooler for RDS and Aurora. Reduces database connections (critical for Lambda which creates new connections per invocation). Improves resilience — failover time reduced by up to 66%. Enforces IAM authentication. Serverless, auto-scales.

Serverless

Lambda Limits & Concurrency
Max execution: 15 minutes. Max memory: 10,240 MB (10 GB). Ephemeral /tmp storage: up to 10,240 MB. Deployment package: 50 MB zipped, 250 MB unzipped (use Lambda layers). Default concurrency: 1,000 per Region (soft limit). Reserved concurrency: guarantees capacity and acts as throttle ceiling. Provisioned concurrency: pre-initializes instances to eliminate cold starts.
API Gateway Types
REST API: full features (usage plans, API keys, request transformation, caching). HTTP API: lower latency, cheaper (70% less), JWT auth, Lambda proxy; fewer features. WebSocket API: bidirectional, real-time apps (chat, games). Edge-Optimized: CloudFront global distribution. Regional: same-Region clients, can combine with own CloudFront.
Step Functions
Orchestrates Lambda and 200+ AWS services using state machines. Standard Workflow: up to 1 year, exactly-once, auditable history, higher cost. Express Workflow: up to 5 minutes, at-least-once (async) or at-most-once (sync), high event rate, lower cost. Use for: ETL pipelines, order processing, human approvals.
SQS vs SNS vs EventBridge
SQS: pull-based queue, decouples producers/consumers, message retention up to 14 days, fan-out requires SNS. SNS: push-based pub/sub, up to 12.5M subscribers, fan-out to SQS/Lambda/HTTP/email. EventBridge: event bus, rich filtering on event content, 200+ AWS sources, SaaS integration, scheduled events via cron/rate rules. EventBridge is SNS evolution for complex routing.
Lambda Invocation Types
Synchronous (RequestResponse): caller waits for result — API Gateway, Cognito, Alexa. Asynchronous (Event): Lambda retries up to 2× on error, DLQ supported — S3, SNS, EventBridge. Polling (Event Source Mapping): Lambda polls SQS, Kinesis, DynamoDB Streams, MSK — batch processing, bisect on error.
Lambda@Edge vs CloudFront Functions
Lambda@Edge: runs at 13 CloudFront regional edge locations, Node.js/Python, up to 5 sec (viewer) / 30 sec (origin), 128 MB (viewer requests) / 10,240 MB (origin requests), access to request/response body. CloudFront Functions: runs at 450+ POPs, JavaScript only, sub-millisecond, 2 MB memory, no body access, cheapest. Use CloudFront Functions for URL rewrites/redirects; Lambda@Edge for complex auth or A/B testing.
ECS vs EKS
ECS = AWS-native container orchestration (simpler). EKS = managed Kubernetes (portable, complex). Both support Fargate (serverless, no EC2 management) or EC2 launch type (more control).

Security & IAM

IAM Policy Evaluation Logic
Evaluation order: 1) Explicit Deny (always wins). 2) Organizations SCP — if SCP denies, stop. 3) Resource-based policy — grants access without identity-based policy needed (same account). 4) Identity-based policy (permissions boundary limits max). 5) Session policies. 6) Default: implicit deny. Cross-account: BOTH resource-based and identity-based policies must allow.
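The numbered order above, as an added simulator (constructed example, not AWS code): policies are plain dicts with Allow/Deny statements matched by wildcard, Condition blocks and NotAction are ignored, the account ids and queue ARNs are placeholders, and a resource-based policy grants same-account access on its own while cross-account access needs both sides to allow.

```python
from fnmatch import fnmatchcase

def _covers(stmt, action, resource, principal):
    """True if the statement's Action/Resource (and Principal, for resource policies) match."""
    def any_match(patterns, value):
        patterns = patterns if isinstance(patterns, list) else [patterns]
        return any(fnmatchcase(value, p) for p in patterns)
    if not any_match(stmt.get("Action", []), action):
        return False
    if not any_match(stmt.get("Resource", []), resource):
        return False
    return any_match(stmt["Principal"], principal) if "Principal" in stmt else True

def _effect(policy, action, resource, principal):
    """'Deny' if any statement explicitly denies, 'Allow' if any allows, else None."""
    result = None
    for stmt in policy.get("Statement", []):
        if _covers(stmt, action, resource, principal):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

def evaluate(principal, action, resource, *, identity_policies=(), resource_policy=None,
             scps=(), permissions_boundary=None, session_policy=None, resource_account=None):
    """Return (decision, reason) following the numbered evaluation order.
    resource_account is needed for ARNs that omit the account id (e.g. S3)."""
    principal_account = principal.split(":")[4]
    resource_account = resource_account or resource.split(":")[4]
    same_account = principal_account == resource_account
    involved = [*identity_policies, *scps]
    involved += [p for p in (resource_policy, permissions_boundary, session_policy) if p]
    # 1) An explicit Deny in any applicable policy always wins.
    if any(_effect(p, action, resource, principal) == "Deny" for p in involved):
        return "Deny", "explicit deny"
    # 2) SCPs: every level of the Organizations hierarchy must allow (simplified to a list).
    if any(_effect(scp, action, resource, principal) != "Allow" for scp in scps):
        return "Deny", "SCP does not allow"
    # 3) A resource-based policy grants same-account access without an identity policy.
    resource_allows = bool(resource_policy) and \
        _effect(resource_policy, action, resource, principal) == "Allow"
    if same_account and resource_allows:
        return "Allow", "resource-based policy"
    # 4) Identity-based policy, capped by the permissions boundary if one is set.
    allowed = any(_effect(p, action, resource, principal) == "Allow" for p in identity_policies)
    if allowed and permissions_boundary:
        allowed = _effect(permissions_boundary, action, resource, principal) == "Allow"
    # 5) A session policy further narrows the effective permissions.
    if allowed and session_policy:
        allowed = _effect(session_policy, action, resource, principal) == "Allow"
    if not allowed:
        return "Deny", "implicit deny"          # 6) nothing allowed the request
    if same_account:
        return "Allow", "identity-based policy"
    # Cross-account: BOTH the identity policy and the resource policy must allow.
    if resource_allows:
        return "Allow", "cross-account: identity and resource policies"
    return "Deny", "cross-account: resource policy does not allow"

# Constructed sample principals, resources and policies (account ids are placeholders).
ROLE_A = "arn:aws:iam::111111111111:role/OrderProcessor"
QUEUE_SAME = "arn:aws:sqs:us-east-1:111111111111:orders"
QUEUE_PARTNER = "arn:aws:sqs:us-east-1:222222222222:partner-orders"
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "arn:aws:sqs:*:*:*orders"}]}
DENY_PURGE = {"Statement": [{"Effect": "Deny", "Action": "sqs:PurgeQueue", "Resource": "*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
                           "Resource": "*"}]}
SCP_READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:GetQueue*"],
                                "Resource": "*"}]}
PARTNER_QUEUE_POLICY = {"Statement": [{"Effect": "Allow", "Principal": ROLE_A,
                                       "Action": "sqs:SendMessage", "Resource": QUEUE_PARTNER}]}

if __name__ == "__main__":
    print(evaluate(ROLE_A, "sqs:SendMessage", QUEUE_SAME, identity_policies=[IDENTITY]))
    print(evaluate(ROLE_A, "sqs:PurgeQueue", QUEUE_SAME, identity_policies=[IDENTITY, DENY_PURGE]))
    print(evaluate(ROLE_A, "sqs:PurgeQueue", QUEUE_SAME, identity_policies=[IDENTITY],
                   permissions_boundary=BOUNDARY))
    print(evaluate(ROLE_A, "sqs:SendMessage", QUEUE_SAME, identity_policies=[IDENTITY],
                   scps=[SCP_READ_ONLY]))
    print(evaluate(ROLE_A, "sqs:SendMessage", QUEUE_PARTNER, identity_policies=[IDENTITY]))
    print(evaluate(ROLE_A, "sqs:SendMessage", QUEUE_PARTNER, identity_policies=[IDENTITY],
                   resource_policy=PARTNER_QUEUE_POLICY))
```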
Resource Policies vs Identity Policies
Identity Policy: attached to IAM user/role/group, defines what the principal CAN do. Resource Policy: attached to resource (S3 bucket, SQS, KMS), defines who can access it. Resource policies allow cross-account access without assuming a role. S3 bucket policy is a resource policy; IAM role policy is identity policy.
KMS Key Types
AWS Managed Keys: free, auto-rotated every year, cannot change key policy, alias aws/service. Customer Managed Keys: $1/month, optional automatic annual rotation, full key policy control. Customer-Provided Keys (SSE-C / import): you manage key material outside KMS, no KMS charges but higher operational overhead. Multi-Region Keys: same key material replicated to multiple Regions.
Secrets Manager vs SSM Parameter Store
Secrets Manager: designed for secrets, automatic rotation via Lambda (RDS/Redshift natively), cross-account sharing, $0.40/secret/month + $0.05 per 10K API calls. SSM Parameter Store: Standard free (4 KB, no rotation), Advanced ($0.05/param/month, 8 KB, policies). Use Secrets Manager for DB credentials with rotation; SSM for configuration/non-secret parameters.
Security Groups vs NACLs
Security Groups: stateful (return traffic auto-allowed), instance/ENI level, allow rules only, evaluated as a set (all rules). NACLs: stateless (must explicitly allow return traffic), subnet level, allow and deny rules, rules evaluated in number order (lowest first), default NACL allows all. NACLs are the first line of defense at the subnet boundary.
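The stateful/stateless difference above, as an added packet-filter simulation (constructed example, not AWS code): one HTTPS request from a client to a web server is traced through a NACL and a security group, first with a NACL that opens port 443 in both directions and forgets the ephemeral port range for replies, then with a corrected NACL whose rule numbers also show that a deny only takes effect when it sorts before the matching allow. IPs, ports and rule numbers are constructed.

```python
from ipaddress import ip_address, ip_network

CLIENT_IP, CLIENT_PORT = "203.0.113.10", 51234   # constructed client (TEST-NET-3 range)
SERVER_IP, SERVER_PORT = "10.0.1.20", 443        # constructed web server in the subnet

class SecurityGroup:
    """Stateful: allow rules only, evaluated as a set; the reply to a permitted
    inbound flow is allowed out automatically, even with no egress rule."""
    def __init__(self, inbound_allow, outbound_allow=()):
        self.inbound_allow = list(inbound_allow)     # (proto, port, cidr)
        self.outbound_allow = list(outbound_allow)
        self.tracked = set()                          # connection-tracking table

    @staticmethod
    def _allowed(rules, proto, port, ip):
        return any(p == proto and port == prt and ip_address(ip) in ip_network(cidr)
                   for p, prt, cidr in rules)

    def inbound(self, proto, src_ip, src_port, dst_port):
        ok = self._allowed(self.inbound_allow, proto, dst_port, src_ip)
        if ok:
            self.tracked.add((proto, src_ip, src_port, dst_port))
        return ok

    def outbound(self, proto, dst_ip, dst_port, src_port):
        if (proto, dst_ip, dst_port, src_port) in self.tracked:
            return True                               # reply to a tracked flow
        return self._allowed(self.outbound_allow, proto, dst_port, dst_ip)

class NetworkAcl:
    """Stateless: numbered allow/deny rules evaluated lowest number first, first
    match wins, implicit final '*' rule denies; return traffic needs its own rule."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound)       # (number, action, proto, (lo, hi), cidr)
        self.outbound = sorted(outbound)

    @staticmethod
    def evaluate(rules, proto, port, ip):
        for number, action, p, (lo, hi), cidr in rules:
            if p == proto and lo <= port <= hi and ip_address(ip) in ip_network(cidr):
                return action == "allow", number
        return False, "*"

def trace_https(sg, nacl):
    """Walk one HTTPS request and its reply through NACL and SG; report each decision."""
    req_nacl = nacl.evaluate(nacl.inbound, "tcp", SERVER_PORT, CLIENT_IP)
    req_sg = sg.inbound("tcp", CLIENT_IP, CLIENT_PORT, SERVER_PORT)
    rep_sg = sg.outbound("tcp", CLIENT_IP, CLIENT_PORT, SERVER_PORT)
    rep_nacl = nacl.evaluate(nacl.outbound, "tcp", CLIENT_PORT, CLIENT_IP)   # ephemeral dst port
    return {"request_nacl": req_nacl, "request_sg": req_sg,
            "reply_sg": rep_sg, "reply_nacl": rep_nacl}

# Mistaken NACL: 443 open both ways, no outbound rule for the client's ephemeral port.
NACL_BROKEN = NetworkAcl(inbound=[(100, "allow", "tcp", (443, 443), "0.0.0.0/0")],
                         outbound=[(100, "allow", "tcp", (443, 443), "0.0.0.0/0")])
# Corrected NACL: outbound ephemeral range; the deny for one CIDR is numbered below
# the broad allow, so it is evaluated first and actually takes effect.
NACL_FIXED = NetworkAcl(inbound=[(90, "deny", "tcp", (443, 443), "198.51.100.0/24"),
                                 (100, "allow", "tcp", (443, 443), "0.0.0.0/0")],
                        outbound=[(100, "allow", "tcp", (1024, 65535), "0.0.0.0/0")])

if __name__ == "__main__":
    for name, acl in (("broken", NACL_BROKEN), ("fixed", NACL_FIXED)):
        print(name, trace_https(SecurityGroup([("tcp", 443, "0.0.0.0/0")]), acl))
```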
IAM Roles & STS
Roles provide temporary credentials via STS AssumeRole. Key use cases: EC2 instance profile (app accesses AWS services), cross-account access, federated identity (SAML/OIDC/Cognito), service-to-service. STS tokens include: AccessKeyId, SecretAccessKey, SessionToken, Expiration. Trust policy defines who can assume the role.
AWS WAF & Shield
WAF: web application firewall, Layer 7, attach to ALB/CloudFront/API Gateway/AppSync. Rules: IP sets, geo-match, rate-based, SQL injection, XSS, custom regex. Managed rule groups available. Shield Standard: free DDoS protection at Layer 3/4 for all AWS customers. Shield Advanced: $3,000/month, Layer 7 DDoS, 24/7 DRT, cost protection.
IAM Identity Center
Centralized SSO for multi-account access. Assign permission sets to users/groups across AWS Organizations accounts. Supports SAML 2.0 federation with external IdPs like Microsoft Entra ID.

High Availability & Disaster Recovery

DR Strategies (RPO/RTO)
Backup & Restore: hours RPO/RTO, lowest cost, data backed up to S3. Pilot Light: core services replicated (DB sync), minutes–hours RTO, minimal running resources. Warm Standby: scaled-down fully functional environment, minutes RTO. Active-Active (Multi-Site): near-zero RPO/RTO, full capacity in multiple Regions, highest cost.
Route 53 Routing Policies
Simple: single resource, no health checks. Weighted: distribute traffic by percentage (A/B testing, gradual migration). Latency: route to lowest-latency Region. Failover: active-passive, health check required. Geolocation: route by user's geographic location. Geoproximity: route by resource location + bias. Multi-Value: up to 8 healthy records returned (not a substitute for LB).
Route 53 Health Checks
Monitor endpoints (HTTP/HTTPS/TCP), other health checks (calculated), or CloudWatch alarms. Health checks from 15 global AWS locations. Interval: 30 sec (standard) or 10 sec (fast, higher cost). Integration: trigger SNS notifications, control failover routing. Private endpoints: must use CloudWatch alarm-based health checks.
Multi-AZ Architecture Pattern
Deploy resources across minimum 2 AZs (3 recommended). Use ALB/NLB to distribute traffic. ASG spans multiple AZs. RDS Multi-AZ for automatic DB failover. ElastiCache Multi-AZ with replication groups. EFS: automatically replicated across AZs. Architect for at least one AZ failure without service interruption.
AWS Backup
Centralized backup service across EC2, EBS, RDS, Aurora, DynamoDB, EFS, FSx, Storage Gateway, S3. Backup plans: schedule, lifecycle, retention. Cross-Region and cross-account backup for compliance. Backup Vault Lock: WORM protection, immutable backups even from root. Integrates with Organizations for org-wide policy.

Storage & Migration

EBS Volume Types
gp3 (SSD): baseline 3,000 IOPS / 125 MiB/s, up to 16,000 IOPS / 1,000 MiB/s independently, cost-effective default. gp2 (SSD): IOPS tied to size (3 IOPS/GB, burst to 3,000), being replaced by gp3. io2 Block Express: up to 256,000 IOPS, 4,000 MiB/s, 99.999% durability, multi-attach, for mission-critical DBs. st1 (HDD): throughput-optimized, max 500 MiB/s, big data/Kafka. sc1 (HDD): cold, max 250 MiB/s, lowest cost, infrequent access.
EFS vs FSx
EFS: NFS v4, Linux-only, scales automatically, multi-AZ, 3 throughput modes (Bursting/Elastic/Provisioned), storage classes (Standard/IA), per-GB pricing. FSx for Windows: SMB protocol, Active Directory integration, Windows workloads. FSx for Lustre: high-performance parallel FS, ML/HPC, integrates with S3. FSx for ONTAP: multi-protocol, snapshots, SnapMirror. FSx for OpenZFS: NFS/SMB, low latency.
AWS Storage Gateway
S3 File Gateway: NFS/SMB to S3, local cache for frequently accessed data. FSx File Gateway: SMB to FSx for Windows, local cache (unavailable to new customers). Volume Gateway (Stored): entire dataset on-prem, async backup to S3 as EBS snapshots. Volume Gateway (Cached): primary data in S3, low-latency cache on-prem. Tape Gateway: virtual tape library to S3/Glacier.
AWS Snow Family
Snowcone: 8 TB HDD / 14 TB SSD, smallest, ruggedized, DataSync agent included. Snowball Edge Storage: 80 TB usable, up to 10 Gbps NIC, bulk data transfer. Snowball Edge Compute: 42 TB + EC2 + Lambda, edge compute in disconnected environments. Snowmobile: 100 PB, shipping container, for exabyte-scale migration (>10 PB, prefer Snowmobile).
AWS DMS & MGN
DMS (Database Migration Service): migrate databases to AWS with minimal downtime. Supports homogeneous (Oracle→Oracle) and heterogeneous (Oracle→Aurora using Schema Conversion Tool). Continuous replication available. MGN (Application Migration Service): lift-and-shift physical/virtual/cloud servers to AWS EC2. Replicates disks continuously, minimal cutover window. Replaces SMS (Server Migration Service).
AWS DataSync
Online data transfer service: NFS/SMB on-prem or inter-cloud → S3/EFS/FSx. Encrypted in transit, data integrity verification. Up to 10× faster than open-source tools. Scheduled or one-time tasks. Agent deployed on-prem or in cloud. Use for migration, replication, and data processing workflows.

Monitoring & Cost Optimization

CloudWatch Components
Metrics: time-series data, default namespace per service, 1-min (detailed monitoring, extra cost) or 5-min. Alarms: trigger SNS/Auto Scaling/EC2 actions on metric threshold. Logs: collect from EC2 (agent), Lambda, API Gateway, VPC Flow Logs; Log Insights for querying. Dashboards: cross-Region, cross-account. Contributor Insights: identify top N contributors to log patterns.
CloudTrail
Audit log of all API calls (who did what, when, from where). Management events: enabled by default, control-plane ops (CreateInstance, DeleteBucket). Data events: object-level S3 operations, Lambda invocations — must enable explicitly, higher cost. Insights: detect unusual API activity. Trails stored in S3, optionally sent to CloudWatch Logs. Immutable with S3 Object Lock.
AWS Config
Tracks resource configuration changes over time. Managed rules: pre-built compliance checks (e.g., s3-bucket-public-read-prohibited, encrypted-volumes). Custom rules via Lambda. Conformance Packs: bundle of rules for frameworks (PCI DSS, CIS). Remediation: auto-remediate via SSM Automation. Does not prevent changes — records and evaluates.
Savings Plans vs Reserved Instances
Reserved Instances (RI): commit to specific instance family/Region/OS/tenancy for 1 or 3 years. Standard RI: up to 72% off, no modification. Convertible RI: up to 66% off, can change attributes. EC2 Savings Plans: 1 or 3 yr commitment on $/hr, flexible across size/OS/tenancy within a family+Region. Compute Savings Plans: flexible across family/Region/OS — best flexibility, up to 66% off.
Cost Explorer & Compute Optimizer
Cost Explorer: visualize spend by service/tag/account, 13 months historical, 12-month forecast, RI/Savings Plans recommendations. Compute Optimizer: analyzes CloudWatch metrics for EC2, Lambda, EBS, ECS on Fargate, Auto Scaling Groups — recommends right-size. Requires opt-in. Enhanced infrastructure metrics: 3 months data ($0.0003/resource/hr).
Trusted Advisor
Automated best-practice checks across 5 pillars: Cost Optimization, Performance, Security, Fault Tolerance, Service Limits. Free tier: 7 core checks (security groups, S3 public buckets, MFA on root, EBS snapshots, IAM use). Business/Enterprise support: all checks + APIs + EventBridge integration + priority recommendations.

Caching & Content Delivery

CloudFront Key Concepts
CDN with 450+ POPs (edge locations) + 13 regional edge caches. Supported origins: S3, ALB, EC2, any HTTP endpoint. Cache behavior: path patterns routed to different origins. TTL controlled by Cache-Control/Expires headers or CloudFront policy. Geo-restriction: allowlist/blocklist by country. HTTPS: ACM certificate (must be in us-east-1 for CloudFront).
CloudFront Origin Access Control (OAC)
Successor to Origin Access Identity (OAI). Restricts S3 bucket access to CloudFront only. Supports SSE-KMS encrypted S3 buckets and all S3 operations. Apply bucket policy to allow CloudFront service principal. Recommended approach: do NOT make S3 bucket public when using CloudFront.
ElastiCache Caching Strategies
Lazy Loading (Cache-Aside): read from cache; on miss, read DB and populate cache. Cache can become stale; add TTL to mitigate. Write-Through: write to DB and cache simultaneously. Cache always up-to-date but write penalty + cache churn (data written but never read). Combine: write-through for critical data + TTL for stale data removal.
Global Accelerator
Uses AWS global network (Anycast static IPs → edge locations → AWS backbone) for non-HTTP use cases or when static IPs are required. Provides 2 static Anycast IPs globally. Supports TCP/UDP, weighted endpoint routing, health checks with instant failover (<30 sec). Unlike CloudFront (caches content), Global Accelerator proxies to your actual endpoint — good for APIs, gaming, IoT, VoIP.
CloudFront vs Global Accelerator
CloudFront: HTTP/HTTPS caching CDN, reduces origin load, best for static assets and dynamic web content. Global Accelerator: no caching, TCP/UDP, static IPs, 60% faster TCP by routing over AWS backbone, best for non-cacheable content requiring consistent low latency or when static IP is a firewall requirement.

Decoupling & Event-Driven Architecture

SQS Standard vs FIFO
Standard: unlimited throughput, at-least-once delivery, best-effort ordering. FIFO: exactly-once processing, ordered within message group, 300 TPS (3,000 with batching), deduplication (5-min window). FIFO queue name must end in .fifo. Use FIFO for financial transactions, order processing where order and dedup matter.
SQS Visibility Timeout & DLQ
Visibility Timeout: after consumer reads a message, it's hidden from other consumers for this duration (default 30 sec, max 12 hr). If not deleted within timeout, message reappears. Set to ~6× Lambda function timeout. Dead Letter Queue (DLQ): after maxReceiveCount failures, message moved to DLQ for debugging. DLQ alarms recommended. DLQ redrive: reprocess messages after fixing the bug.
SNS Fan-Out Pattern
SNS topic publishes to multiple SQS queues, Lambda functions, HTTP endpoints, email, SMS. Fan-out: decouple event producers from consumers, fully parallel processing. SNS FIFO: ordered delivery to SQS FIFO queues, up to 300 publishes/sec. Message Filtering: per-subscription filter policy (JSON), reduces unnecessary processing. SNS + SQS: asynchronous fan-out to buffered consumers.
Amazon EventBridge
Serverless event bus. Default bus (AWS services) + custom buses + partner buses (SaaS: Zendesk, Datadog, etc.). Rules: pattern matching on event content → route to target (Lambda, SQS, Step Functions, 20+ targets). Schema Registry: auto-discovers and documents event schemas. Pipes: point-to-point event enrichment (source → optional filter/enrich → target). EventBridge evolved from CloudWatch Events.
Kinesis Data Streams vs Amazon Data Firehose
Kinesis Data Streams: real-time, 1 ms latency, retain 24 hr–365 days, custom consumers (Lambda/KCL), manual scaling of shards (1 MB/s in, 2 MB/s out per shard). Amazon Data Firehose (formerly Kinesis Data Firehose): near-real-time (60 sec or 1 MB buffer), fully managed delivery to S3/Redshift/OpenSearch/Splunk, auto-scaling, built-in transformation via Lambda.
Kinesis Data Streams Scaling
Each shard: 1 MB/s ingest (1,000 records/sec), 2 MB/s read. Shard splitting: increase capacity. Shard merging: reduce cost. Enhanced Fan-Out: dedicated 2 MB/s per consumer per shard via HTTP/2 push, reduces shared read contention. Partition key determines shard; hot partitions can cause throttling — use random key prefix.
