My CheatSheet I Derived While Preparing for the AWS Solution Architect Associate Exam.

Aziza Kasenova
Insider Engineering
8 min read · Jul 17, 2023

According to statistics published by CertWizard, at most 28% of AWS SAA-C03 candidates pass on the first attempt, which leaves a 72% failure rate [1].

Still, the AWS certificate is a valuable key that allows you to reach the next level, both in development and in knowledge. I really learned a lot while getting ready for the exam, which has indeed broadened my horizons, and I got the desired badge.

In this article, I want to share a summary of the training process I derived for myself, with comparison graphs for visualization, that helped me get AWS certified on the first try.

Note that you can't use the cheat sheet during the exam itself.

The exam content outline is as follows:

AWS Solution Architect Associate Exam Outline

All domains test how interconnected AWS services work together in an application. A Cloud Guru's course is the best at arranging the services in a sensible order:

  • IAM and S3
  • EC2
  • Databases on AWS
  • Advanced IAM
  • Route 53
  • VPCs
  • High Availability Architecture
  • Applications (SQS, SNS, API Gateway)
  • Security
  • Serverless

Completing the course alone is not enough to finish the training.

Together with checking the AWS documentation for terminology and the latest changes, I highly suggest you check

both for courses and practice exams. The lecturers are 6x and 10x AWS certified geniuses whom I admire a lot.

It is worth noting that, from my perspective, the exams on these platforms include many more details than the real AWS exam questions do.

Yet practice is what makes perfect: solving these practice exams was quite beneficial for me, both for understanding the format of the exam and, again, for knowledge. In order to keep everything in mind and connect the different AWS services with their keywords, I prepared the sheet that was my right hand throughout the whole process.

So, let's get started with the cheat sheet itself; I'll follow the order given above. Since the exam area is very wide, I've divided the sheet into parts, and this one is dedicated to the first four topics: IAM, S3, EC2, and EBS.

Note: if you see a symbol or abbreviation that is not clear, please visit the Abbreviations, symbols, and appendix section at the very end of the page.

1. IAM

A global service for deciding who (users, groups, roles) may do what in your AWS account. IAM identities and policies are not tied to a Region: they apply across all AWS Regions. Permissions are granted at the

  • service/action level (e.g. s3:GetObject), and
  • resource level (an ARN or ARN pattern) for the actions that support resource-level permissions; actions that do not support it must use Resource "*".

Tips to protect the root account:

  • enable MFA (multi-factor authentication), ideally a hardware key
  • do not use the root user for day-to-day work; create an IAM user (or a federated identity) with the access needed and keep root for the few tasks that require it
  • do not create or share root access keys; if any exist, delete them.

Always apply the principle of least privilege: grant only the permissions a task needs. New IAM users are created with no permissions at all.

Policies:

  • AWS managed — standalone, administered by AWS.
  • Customer managed — standalone, administered by you.
  • Inline — embedded in an IAM identity (user/group/role), exists only on IAM identity.

Prefer managed policies over inline ones: they are reusable across identities, customer managed policies keep versions, and all of them are listed in one place in the console; an inline policy is visible only on the identity it is embedded in.
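To make "least privilege" concrete, here is an added example (not code from the original article) that lints an IAM policy document for the usual over-grants: `Action: "*"`, whole-service wildcards such as `s3:*`, `NotAction`/`NotResource`, and `Resource: "*"` on anything that is not a read-only call. The two sample policies, the bucket name, the account ID and the log group are constructed for illustration.

```python
"""Least-privilege lint for an IAM policy document (added example, not from the article)."""
import json


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_read_only(action):
    """Get*/List*/Describe* calls are the usual 'safe' ones to allow on Resource '*'."""
    name = action.split(":", 1)[1] if ":" in action else action
    return name.startswith(("Get", "List", "Describe"))


def lint_policy(policy):
    """Return [(sid, finding), ...] for Allow statements that grant more than they should."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((sid, "NotAction grants every action except the listed ones"))
        if "NotResource" in stmt:
            findings.append((sid, "NotResource applies to every resource except the listed ones"))
        for action in actions:
            if action == "*":
                findings.append((sid, "Action '*' grants every API call in every service"))
            elif action.endswith(":*"):
                findings.append((sid, f"Action '{action}' grants the whole service"))
        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append((sid, "Resource '*' with non-read-only actions"))
    return findings


def lint_policy_json(text):
    """Same check on a JSON string, e.g. the Document returned by `aws iam get-policy-version`."""
    return lint_policy(json.loads(text))


# Constructed sample: the "it works, ship it" policy ...
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DoEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:*"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

# ... and the same workload scoped to the calls it actually makes.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "WriteLogs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:eu-west-1:123456789012:log-group:/app/*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {len(lint_policy(policy))} finding(s)")
        for sid, finding in lint_policy(policy):
            print(f"  [{sid}] {finding}")
```

The read-only exception matters in practice: many `Describe*`/`List*` actions do not support resource-level permissions and can only be granted on `Resource: "*"`, so flagging them would drown the real findings.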

IAM users → authentication. A user signs in with a console password and/or long-term access keys; those keys do not expire on their own, which is why they should be rotated or, better, replaced by roles. IAM roles → assumed (by a person, an application, or an AWS service) and hand out temporary credentials that do expire.

IAM policies → authorization; attached to users, groups, or roles. A user is a single identity; a group holds many users (groups cannot be nested), and a user inherits the policies of every group it belongs to.

IAM federation → let existing identities (corporate Active Directory, another IdP, or web identities) access AWS through SAML 2.0 or OpenID Connect, so you do not create an IAM user per person; federated users assume a role and receive temporary credentials.

IAM features:

  • fine-grained access
  • centralized control of your AWS account

2. S3

Buckets are created in one Region (the data stays there unless you replicate it), but bucket names are globally unique: no two buckets, in any account or Region, can share a name.

S3 object:

{
  key,          # the full object name, e.g. 2023/January/1/report.csv
  value,        # the bytes
  version id,   # present when versioning is on
  metadata      # system and user-defined headers
}

  • object size from 0 bytes to 5 TB
  • 160 GB console upload limit; a single PUT is limited to 5 GB. Multipart upload is recommended from 100 MB and required above 5 GB. Bucket capacity scales automatically.

Objects are spread across multiple devices and, for every class except One Zone-IA, multiple AZs to ensure availability and durability.

Consistency:

  • strong read-after-write consistency for PUT and DELETE of objects, and for list operations (since December 2020)
  • "eventual consistency" for overwrites and deletes appears only in older training material; the current exam expects strong consistency.

Features:

  • lifecycle management: transition objects between storage classes or expire them on a schedule, for cost optimization
  • versioning: keeps every write and marks deletes with a delete marker, so accidental overwrites and deletions can be undone; required for replication. Once enabled it can only be suspended, not switched off.
  • encryption (see below)
  • MFA Delete: requires an MFA code to permanently delete a version or change the versioning state; can only be enabled by the root user through the CLI/API
  • secure and private by default: new buckets block public access and have ACLs disabled; control access with IAM policies and bucket policies (prefer policies over ACLs)
  • S3 Object Lock: write once, read many (WORM); governance or compliance mode, with retention periods and legal holds.

Available storage classes:

1. Standard (↑ $)

  • highest availability, 11 nines of durability
  • frequently accessed data

2. Standard Infrequent Access (IA)

  • lower storage price, but a per-GB retrieval charge; access is rapid but infrequent
  • 30-day minimum storage duration; good for backups, not for everyday use

3. One Zone Infrequent Access

  • data kept in a single AZ: lost if that AZ is destroyed, so only for data you can recreate
  • about 20% cheaper than Standard-IA (not than Standard)
  • good for infrequently needed, non-critical data

4. Intelligent-Tiering

  • moves objects between frequent and infrequent tiers automatically based on access patterns, for a small monitoring fee
  • use when the access pattern is unknown or changing

5. Glacier (↓ $)

  • Glacier Instant Retrieval: millisecond access for archives touched about once a quarter
  • Glacier Flexible Retrieval: pay per retrieval; data back in minutes (expedited) to 12 hours (bulk)

6. Glacier Deep Archive (↓↓ $)

  • cheapest; retrieval takes 12 hours (standard) to 48 hours (bulk)
  • 180-day minimum storage duration

Encryption:

1. Encryption in transit

  • SSL/TLS, i.e. the HTTPS endpoints
  • enforce it with a bucket policy that denies requests where aws:SecureTransport is false

2. Encryption at rest: server-side encryption (S3 encrypts on write and decrypts on read)

  • SSE-S3: keys managed by S3, AES-256; applied by default to every new object since January 2023
  • SSE-KMS: keys in AWS KMS; adds per-key permissions, an audit trail in CloudTrail, and KMS request quotas to watch on high-throughput buckets (S3 Bucket Keys reduce the KMS calls)
  • SSE-C: you send the key with each request; S3 uses it and discards it, so HTTPS is mandatory

3. Encryption at rest: client-side encryption

  • you encrypt before uploading and manage the keys yourself; S3 only ever sees ciphertext

Server-side encryption is requested per object with the `x-amz-server-side-encryption` header on the PUT (`AES256` or `aws:kms`, plus `x-amz-server-side-encryption-aws-kms-key-id` to pick the KMS key), or set as the bucket default. A bucket policy can deny uploads that do not carry the header.
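The bucket-policy enforcement just described, as an added example (not code from the original article): it builds a policy that denies `PutObject` unless the request asks for SSE-KMS with one specific key, and includes a small evaluator that shows which uploads each Deny statement catches. The bucket name, account ID and KMS key ARN are made up; the evaluator only models the three condition operators used here and assumes the caller already has an identity-based Allow for `s3:PutObject`, so a request that no Deny matches goes through.

```python
"""Bucket policy enforcing SSE-KMS with a pinned key, plus a mini evaluator
(added example; identifiers are constructed)."""
import json

BUCKET = "example-bucket"
KMS_KEY_ARN = "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"

SSE_HEADER = "s3:x-amz-server-side-encryption"
KEY_HEADER = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def sse_kms_bucket_policy(bucket, kms_key_arn):
    """Three explicit denies: wrong header value, missing header, wrong (or unstated) key."""
    objects = f"arn:aws:s3:::{bucket}/*"

    def deny(sid, condition):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects, "Condition": condition}

    return {
        "Version": "2012-10-17",
        "Statement": [
            deny("DenyWrongEncryptionHeader", {"StringNotEquals": {SSE_HEADER: "aws:kms"}}),
            # Null catches the header being absent; do not rely on StringNotEquals for that case.
            deny("DenyMissingEncryptionHeader", {"Null": {SSE_HEADER: "true"}}),
            # IfExists is true when the key is absent, so an SSE-KMS upload that does not name
            # the key (and would fall back to the default aws/s3 key) is denied as well.
            deny("DenyWrongKmsKey", {"StringNotEqualsIfExists": {KEY_HEADER: kms_key_arn}}),
        ],
    }


def _condition_matches(operator, key, expected, request):
    actual = request.get(key)
    if operator == "Null":                       # "true" => key must be absent
        return (actual is None) == (expected == "true")
    if operator == "StringNotEquals":            # missing key is left to the Null statement
        return actual is not None and actual != expected
    if operator == "StringNotEqualsIfExists":
        return actual is None or actual != expected
    raise ValueError(f"operator {operator} not modelled")


def put_is_denied(policy, request):
    """Return the Sid of the first Deny statement matching a PutObject, or None if allowed.
    `request` maps condition keys (the x-amz-* headers of the PUT) to their values."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, key, value, request)
               for op, pairs in conditions.items() for key, value in pairs.items()):
            return stmt["Sid"]
    return None


POLICY = sse_kms_bucket_policy(BUCKET, KMS_KEY_ARN)

# Constructed PUT requests: the encryption headers each client sent.
SAMPLE_REQUESTS = {
    "no header (relies on bucket default)": {},
    "SSE-S3": {SSE_HEADER: "AES256"},
    "SSE-KMS, key not named": {SSE_HEADER: "aws:kms"},
    "SSE-KMS, other key": {SSE_HEADER: "aws:kms", KEY_HEADER: KMS_KEY_ARN.replace("1111", "9999", 1)},
    "SSE-KMS, pinned key": {SSE_HEADER: "aws:kms", KEY_HEADER: KMS_KEY_ARN},
}


def evaluate_samples(policy=POLICY, requests=SAMPLE_REQUESTS):
    return {name: put_is_denied(policy, req) for name, req in requests.items()}


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))           # paste into `aws s3api put-bucket-policy`
    for name, verdict in evaluate_samples().items():
        print(f"{name:40s} -> {verdict or 'allowed'}")
```

Two things to keep in mind when using a policy like this for real: the key condition compares against the full key ARN the client sends, so clients must pass the ARN rather than an alias, and because explicit Deny always wins, even the bucket owner's own uploads are refused until they set the headers correctly.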

Prefixes are the "folder" part of an object key. S3 is flat; the console only renders the slashes as folders.

  • uniqueBucket/2023/January/1, etc.
  • performance: at least 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix
  • throughput scales with the number of prefixes: spreading objects over uniqueBucket/2023/January/1, uniqueBucket/2023/January/2, and so on gives more parallel capacity than keeping every month under uniqueBucket/2023

3. EC2

Pricing models: On-Demand, Reserved Instances / Savings Plans, Spot, and Dedicated Hosts.

EC2 Pricing models (figure)

Spot Fleet: a collection of Spot (and optionally On-Demand) instances. It selects the Spot capacity pools that meet your needs.

Multiple pools can be defined by instance type, OS, and AZ, so the fleet can choose the best pools for the allocation strategy:

1. price-capacity-optimized

  • recommended
  • the fleet identifies the pools with the highest capacity availability and then requests the lowest priced of those

2. capacity-optimized

  • the fleet picks the pools with the most available capacity, optimizing for capacity first (fewest interruptions)

3. diversified

  • instances are distributed across all Spot capacity pools

4. lowest-price

  • the default
  • instances come from the lowest-priced pool, so interruptions are the most likely

Parameter InstancePoolsToUseCount:

  • valid only when the strategy is `lowest-price`
  • the fleet draws instances from the number of lowest-priced pools you specify.

Security Groups (SG):

  • instance-level virtual firewall; all inbound traffic is denied by default and you add allow rules per port and source. 0.0.0.0/0 (or ::/0) opens a port to the whole internet, so reserve it for genuinely public listeners such as 80/443, never for SSH/RDP.
  • all outbound traffic is allowed by default (traffic in is suspect, traffic out is trusted; tighten egress for sensitive workloads).
  • rule changes are applied immediately to every instance using the group, like IAM policy changes.
  • stateful and allow-only: replies to allowed traffic are permitted automatically, and there is no deny rule, so you cannot blocklist an address with an SG. For that use a network ACL at the subnet level (stateless, numbered allow/deny rules, first match wins).
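The "no blocklisting with a security group" point is easiest to see by modelling both evaluation rules side by side. The following is an added example, not code from the original article: a security group is allow-only and any matching rule lets the packet in, whereas a network ACL is walked in rule-number order and the first match (allow or deny) decides, ending with the implicit `*` deny. The rule sets are constructed in the shape of the EC2 API's `IpPermissions` and NACL `Entries`; only the inbound direction is modelled, so the stateless return-traffic (ephemeral port) rules a real NACL also needs are out of scope here.

```python
"""Security group (allow-only, any-match) vs network ACL (ordered allow/deny).
Added example; rule sets are constructed, not taken from a real account."""
import ipaddress

# Security group inbound rules: HTTPS from anywhere, SSH only from an office range.
SG_INBOUND = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]

# Subnet NACL inbound entries: blocklist one abusive host, allow HTTPS, implicit deny.
NACL_INBOUND = [
    {"RuleNumber": 100, "RuleAction": "deny", "Protocol": "-1", "CidrBlock": "198.51.100.7/32"},
    {"RuleNumber": 200, "RuleAction": "allow", "Protocol": "6", "CidrBlock": "0.0.0.0/0",
     "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "RuleAction": "deny", "Protocol": "-1", "CidrBlock": "0.0.0.0/0"},
]

PROTO_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1"}


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def sg_allows(rules, src_ip, port, proto="tcp"):
    """Security group: allowed if ANY rule matches; there is no deny rule, so the
    only way to exclude a source is to not list it."""
    for rule in rules:
        if rule["IpProtocol"] not in ("-1", proto):
            continue
        if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
            continue
        if any(_in_cidr(src_ip, r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
    return False                      # implicit deny


def nacl_allows(entries, src_ip, port, proto="tcp"):
    """Network ACL: evaluate by ascending RuleNumber; the FIRST matching entry decides."""
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry["Protocol"] not in ("-1", PROTO_NUMBERS[proto]):
            continue
        port_range = entry.get("PortRange")
        if entry["Protocol"] != "-1" and port_range and \
                not port_range["From"] <= port <= port_range["To"]:
            continue
        if _in_cidr(src_ip, entry["CidrBlock"]):
            return entry["RuleAction"] == "allow"
    return False                      # no entry matched (the '*' rule normally catches this)


def reaches_instance(src_ip, port, proto="tcp", sg=SG_INBOUND, nacl=NACL_INBOUND):
    """An inbound packet must pass the subnet NACL first, then the instance's security group."""
    return nacl_allows(nacl, src_ip, port, proto) and sg_allows(sg, src_ip, port, proto)


if __name__ == "__main__":
    for ip, port in [("198.51.100.7", 443), ("192.0.2.10", 443), ("192.0.2.10", 22), ("203.0.113.5", 22)]:
        print(f"{ip}:{port}  SG={sg_allows(SG_INBOUND, ip, port)}  "
              f"NACL={nacl_allows(NACL_INBOUND, ip, port)}  reaches={reaches_instance(ip, port)}")
```

Note the last case: the office SSH client passes the security group but not the NACL, because a NACL has no "allow everything else" and every permitted flow needs its own numbered allow entry (and, being stateless, a matching outbound entry for the replies).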

An IAM role (instance profile) can be attached to, replaced on, or detached from a running EC2 instance; no stop is needed.

Virtual network cards:

  • ENI (elastic network interface): the basic virtual NIC; extra ENIs can be attached to an instance, e.g. for separate management and data networks, or to move a MAC/IP to another instance
  • enhanced networking via SR-IOV: Elastic Network Adapter (ENA, up to 100 Gbps) or the older Intel 82599 Virtual Function (VF, up to 10 Gbps)
  • EFA (Elastic Fabric Adapter): ENA plus OS-bypass for HPC and ML workloads that need low latency between nodes

For enhanced networking, prefer ENA over the Intel VF interface; it is faster and supported on all current instance types.

Placement Groups:

Logical grouping of instances within a Region, to influence where they are placed.

Three types:

  • cluster: packed into one AZ for low latency and high throughput (HPC); use homogeneous instance types and launch them all at once
  • spread: each instance on distinct underlying hardware, max 7 instances per AZ per group; for a few critical instances that must not fail together
  • partition: instances divided into partitions on separate racks, up to 7 partitions per AZ; for HDFS, HBase, Cassandra

Rules:

  • merging placement groups is not possible
  • to move an existing instance into a placement group, stop it first.

4. EBS

Block-level storage volumes for use with EC2 instances [2].

EBS (figure)

Key point: an EBS volume lives in one AZ and can only be attached to an instance in that same AZ.

  • an EBS-backed instance always has at least one volume, the root device volume
  • automatically replicated within its single AZ (not across AZs; that is what snapshots are for)
  • not encrypted by default, unless you turn on EBS encryption by default for the Region
  • cannot be encrypted in place; instead snapshot it, copy the snapshot with encryption enabled, and create a new volume from the copy

Size, volume type, and IOPS can be changed dynamically (Elastic Volumes)

  • without detaching the volume
  • with no downtime; grow the file system afterwards so the OS sees the extra space.

EBS types characteristics table (figure)

EBS Snapshots:

EBS is a virtual disk; a snapshot is a photo of that disk.

  • captures the volume's state at a point in time and is stored in S3 (not visible as objects)
  • incremental: only blocks changed since the previous snapshot are stored
  • snapshot encryption follows volume encryption: a volume created from an encrypted snapshot is encrypted, and a snapshot of an encrypted volume is encrypted automatically
  • an unencrypted snapshot can be encrypted later by copying it with encryption enabled (a key change is done the same way)
  • I suggest you try it out yourself to understand the steps needed for encryption; here is an amazing article for it.
  • for a consistent snapshot of the root volume, stop the instance first (snapshots can be taken while running, but in-flight writes may be missing)
  • Amazon Data Lifecycle Manager can automate snapshot creation, retention, and cross-Region copies.
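The snapshot-copy procedure for encrypting an existing volume (the only way to do it, as the bullets above say), as an added example that is not code from the original article or its linked write-up. The method names and parameters are those of boto3's EC2 client; the `FakeEC2` stand-in, the volume ID, the KMS alias and the AZ are constructed so that the sequence runs offline and the calls can be inspected. Swapping the new volume in (stop instance, detach old, attach new under the same device name) is left as the separate step it is.

```python
"""Encrypt an existing unencrypted EBS volume: snapshot -> encrypted copy -> new volume.
Added example; the FakeEC2 client and all identifiers are constructed."""


def encrypt_volume_via_snapshot(ec2, volume_id, availability_zone, kms_key_id,
                                region, volume_type="gp3"):
    """Return the ID of a new encrypted volume holding the data of `volume_id`.
    `ec2` is a boto3 EC2 client (or any object with the same four methods)."""
    # 1. Point-in-time snapshot of the unencrypted volume. For a root volume,
    #    stop the instance first if you need a crash-consistent image.
    snap_id = ec2.create_snapshot(
        VolumeId=volume_id, Description=f"pre-encryption copy of {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])

    # 2. Encryption is chosen at copy time: this is the step that cannot be done in place.
    enc_snap_id = ec2.copy_snapshot(
        SourceRegion=region, SourceSnapshotId=snap_id,
        Encrypted=True, KmsKeyId=kms_key_id,
        Description=f"encrypted copy of {snap_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap_id])

    # 3. A volume restored from an encrypted snapshot is encrypted with the same key.
    #    It must be created in the AZ of the instance that will attach it.
    new_volume_id = ec2.create_volume(
        SnapshotId=enc_snap_id, AvailabilityZone=availability_zone,
        VolumeType=volume_type)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_volume_id])
    return new_volume_id


class _NoWait:
    def wait(self, **kwargs):
        pass


class FakeEC2:
    """Offline stand-in for the boto3 client (constructed): records every call and
    returns IDs in the real snap-/vol- format so the sequence can be inspected."""

    def __init__(self):
        self.calls = []
        self._counter = 0

    def _new_id(self, prefix):
        self._counter += 1
        return f"{prefix}-{self._counter:017x}"

    def create_snapshot(self, **kwargs):
        self.calls.append(("create_snapshot", kwargs))
        return {"SnapshotId": self._new_id("snap")}

    def copy_snapshot(self, **kwargs):
        self.calls.append(("copy_snapshot", kwargs))
        return {"SnapshotId": self._new_id("snap")}

    def create_volume(self, **kwargs):
        self.calls.append(("create_volume", kwargs))
        return {"VolumeId": self._new_id("vol")}

    def get_waiter(self, name):
        self.calls.append(("wait", name))
        return _NoWait()


def run_offline():
    """Run the procedure against FakeEC2; returns (new_volume_id, recorded_calls)."""
    fake = FakeEC2()
    new_id = encrypt_volume_via_snapshot(
        fake, volume_id="vol-0123456789abcdef0", availability_zone="eu-west-1a",
        kms_key_id="alias/ebs-data", region="eu-west-1")
    return new_id, fake.calls


if __name__ == "__main__":
    new_id, calls = run_offline()
    for name, detail in calls:
        print(name, detail)
    print("new encrypted volume:", new_id)
    # Against a real account: import boto3; ec2 = boto3.client("ec2", region_name="eu-west-1")
    # and pass that client instead of FakeEC2.
```

Injecting the client is what makes the procedure testable without an account; in production the same function is called with a real `boto3.client("ec2")`, and the waiters are what keep you from creating a volume from a snapshot that is still `pending`.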

AMI, Amazon Machine Images

The template (OS, root volume contents, launch permissions, block device mapping) from which EC2 instances are launched.

AMI Lifecycle from AWS Documentation (figure).

Types by root device:

  1. EBS-backed: root volume created from an EBS snapshot. The instance can be stopped and started; data on the root volume survives a stop.
  2. Instance store-backed (ephemeral): root volume created from a template stored in S3. The instance cannot be stopped, only rebooted or terminated; data is lost on termination or if the underlying host fails.

For both of them:

  • data is not lost on reboot
  • root volumes are deleted on termination by default (for EBS roots, DeleteOnTermination can be turned off).

EC2 hibernation (suspend-to-disk)

  • saves the RAM contents to the encrypted EBS root volume and freezes all running processes before stopping
  • resume is faster than a cold boot because the OS and applications are not reloaded; while hibernated you pay only for the EBS storage holding the RAM image, not for compute
  • the root volume must be EBS, encrypted, and large enough to hold the RAM image
  • instance RAM must be less than 150 GiB
  • max 60 days in hibernation
  • for On-Demand and Reserved instances

EFS:

A managed network file system that many EC2 instances, across AZs, can mount at the same time. Let the graph stay in your mind: EFS works with EC2 instances in multi-AZ.

  • EFS loves multi-AZ.
  • Linux only (NFS clients); not for Windows
  • supports NFS v4 (v4.0 and v4.1); mount targets live in your VPC subnets and are guarded by security groups (TCP 2049)
  • pay only for the storage you use
  • scales automatically, up to petabytes
  • data stored across multiple AZs
  • ↑ $ but ↑ available and scalable
  • distributed, ↑ resilient
  • read-after-write consistency
  • encryption at rest (KMS) and in transit (TLS via the EFS mount helper)

EFS configurations (figure)

FSx for Windows:

  • Windows-based
  • Sharepoint
  • MS SQL
  • SMB

FSx for Lustre:

  • ↑ speed and capacity
  • HPC
  • financial modeling, ↑ performance computing, ML
  • can be linked to an S3 bucket as its data repository (objects are loaded lazily and results can be written back)

AWS Backup:

  • cost effective, centrally managed, policy-based
  • backs up EC2, EBS, EFS, FSx for Windows, and FSx for Lustre (among others).

To back up AWS services across multiple AWS accounts → AWS Backup + AWS Organizations.

This is it for part I. Stay tuned for the remaining parts. Hope you enjoyed reading it! 🤞

Open to your comments and suggestions in comments 📝.
And feel free to contact me on LinkedIn as well.

Let me know if you want me to add new details, or to expand existing ones.

Check out our Insider Engineering Blog for more solutions needed in real-life:

Abbreviations, symbols, and appendix:

AZ — Availability Zone

HPC — High-Performance Computing

↑ — high

↓$ — low cost

↑ $ — high cost

↑ $$$ — the most expensive

↓$$$ — the lowest cost

References:

[1] “Don’t FAIL AWS Certified Solutions Architect Associate (SAA-C03)!!!,” Certwizard, Nov. 01, 2022. https://certwizard.com/blog/dont-fail-aws-solutions-architect-test#:~:text=The%20AWS%20Certified%20Solutions%20Architect

[2] “Amazon Elastic Block Store (Amazon EBS) — Amazon Elastic Compute Cloud,” docs.aws.amazon.com. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html
