These notes were written while working through the A Cloud Guru AWS Certified Solutions Architect - Associate online course. These notes are partly from the videos, and also from various other online sources. Primarily, they’re notes for me, but you might find them useful too.

Since the AWS platform is changing so quickly, it’s possible that some of these notes may be out of date, so please take that into consideration if you are reading them.

Please let me know in the comments below if you have any corrections or updates which you’d like me to add.

This post was last updated in March, 2019.

General terms

Exam Blueprint

ARN (Amazon Resource Name) - A standardized way to refer to an AWS resource. For example: arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob.

Availability Zones and Regions

Regions are specific geographical areas where your AWS services can be hosted, e.g. North Virginia, Sydney, Singapore.

Availability Zones are data centers spread throughout a region, connected via low-latency links. If you distribute your instances across multiple Availability Zones and one instance fails, you can design your application so that an instance in another Availability Zone can handle requests.

The exact number of Availability Zones and Regions is changing all the time. The number that exists at any point in time is not covered in the exam.


EBS (Elastic Block Storage) - For block storage, equivalent to a hard disk. Can be used to install operating systems, and can be attached to only a single EC2 instance. Must be provisioned.

EFS (Elastic File Service) - For file based storage, and unlike EBS, it can be shared across multiple EC2 instances. Good for file shares, but not suitable for installing an operating system. You can think of it like a NAS (Network Attached Storage) service. Roughly 10x as expensive as EBS. Unlike EBS, there is no provisioning needed - you pay for only the storage you use.

S3 (Simple Storage Service - 3 S’s) - Used for object storage, and is best for static objects, binary blobs, document storage, etc.

Glacier - used for extremely low cost storage of infrequently accessed data, where the access time could be a few hours. For example, data which you are legally required to retain for a certain period of time.

Storage Gateway

Workspaces - A VDI (Virtual Desktop Infrastructure), hosted on AWS, to replace local desktop environments. You can think of this as a kind of Citrix.


RDS (Relational Database Service) - supports Postgres, MySQL, and Aurora (AWS fork of MySQL) databases, among others.

DynamoDB - A NoSQL database. This is covered heavily in the exam.

Redshift - Data Warehousing, and BI (Business Intelligence).

ElastiCache - A caching service which you can use to take load off the DB. This is covered mostly in the AWS Developer exam, but not so much in the Solutions Architect Associate exam.


Snowball - A briefcase sized appliance which can contain Terabytes of data. Not covered by the developer exam, but comes up in the solutions architect exam.

DMS (Database Migration Service) - For migrating on-premise databases into AWS, including migration of Oracle databases to Aurora. DMS uses replication, so there doesn’t need to be any downtime. It wasn’t in the 2016 exam, but might be in the 2017 exam.

SMS (Server Migration Service) - Not to be confused with SNS (Simple Notification Service), which can be used to send SMS messages to mobile phones. Amazon SMS is for migrating servers into AWS.


Athena - Supports running SQL queries over S3, turning flat files into queryable data.

EMR (Elastic Map Reduce) - Uses Hadoop. Good for processing large data sets.

CloudSearch - Managed cloud based search for your website. Need to upload data which you want to be searchable, CloudSearch then provisions the resources you need - i.e. Multi-AZ, auto-scaling of traffic, etc.

Elasticsearch - configurable by the user, unlike CloudSearch. Interestingly, Ryan from said he prefers Algolia for this.

Elasticsearch vs CloudSearch

Kinesis - Streaming and analysing real time data at massive scale.

Data Pipeline - For data workflow orchestration, i.e. processing and transferring data between AWS services such as S3, DynamoDB, EMR, RDS. Well suited for complex data processing workflows.

Security and Identity

IAM (Identity and Access Management) - Covered heavily in both the Developer and Solution Architect exams.

Inspector - Agent installable on VMs to do security audits.

Certificate Manager - Manages the SSL/TLS certificate renewal process, so you don’t get caught out.

Directory Services - Active Directory in AWS. Covered in the exam.

WAF (Web Application Firewall) - Protect your web app from things such as SQL injection, Cross-Site scripting (XSS) attacks, etc.

Artifact - Compliance Reports and Certifications. Not in Associate exam, but may be in Professional exam.

Management Tools

CloudWatch - For monitoring EC2 performance.

CloudTrail - For auditing changes of your AWS account. i.e. auditing changes to IAM roles, etc.

It’s easy to get CloudWatch and CloudTrail mixed up, and pick the wrong one in the exam. I like to think of CloudTrail as Cloud Audit Trail.

Opsworks - Deployment using Chef

Config - Set alerts, auditing environment.

Service Catalog - Authorise which services are available to be used by an organisation.

Trusted Advisor - Automated scanning of environment. A tool for a previously manual process involving having to hire an AWS consultant. Scans your AWS environment, and gives advice on performance and optimisation of AWS services.

  • Can also check utilisation of all EC2 resources.

Application Services

Step Functions - Visualise what’s going on in which apps, and which microservices it’s using.

SWF (Simple Workflow Services)

API Gateway

Appstream - For streaming desktop apps, hosted on AWS to a user.

Elastic Transcoder - For converting media files between formats. i.e. video compression.


AWS supports different types of import/export

VM Import/Export - Allows you to import VM images from your existing environment to EC2 instances, and to export them back to your on-premises environment.

AI (Artificial Intelligence)





SNS (Simple Notification Service) - For sending messages, including SMS messages to mobile phones. Can be used for notification of AWS environment events.

SQS (Simple Queueing Service)

SES (Simple Email Service)


Direct Connect - For a dedicated connection between your premises and AWS

Support plans

AWS has the following support plans:

  1. Basic
  2. Developer - Business hours access to Cloud Support Associates via email
  3. Business - 24x7 access to Cloud Support Engineers via email, chat & phone
  4. Enterprise - 24x7 access to Sr. Cloud Support Engineers via email, chat & phone

Billing and Cost Management

  • Cost Explorer - graph, visualize, and analyze your spend. Filter what you see by specifying date ranges, services, tags, or a combination.
  • Budgets - create custom budgets that will automatically alert you when your AWS costs or usage exceed, or are forecasted to exceed, the thresholds you set.
  • Reports - detailed data, enabling you to better analyze and understand your AWS costs as well as the specific product offerings and usage amounts underlying those costs.
  • Cost Allocation Tags - activating tags for cost allocation tells AWS that the associated cost data for these tags should be made available throughout the billing pipeline. Once activated, cost allocation tags can be used as a dimension of grouping and filtering in Cost Explorer, as well as for refining AWS budget criteria.


Tags can be used to help manage your instances, images, and other Amazon resources

Elastic IP addresses can’t be tagged.

KMS (Key Management Service) and CloudHSM (Hardware Security Module)

CloudHSM provides additional protection over KMS, and is best for cases where there are strict contractual or regulatory requirements.

Consider using CloudHSM if you require:

  • Keys stored in dedicated, third-party validated hardware security modules under your exclusive control.
  • FIPS 140-2 compliance.
  • Integration with applications using PKCS#11, Java JCE, or Microsoft CNG interfaces.
  • High-performance in-VPC cryptographic acceleration (bulk crypto).

More info on tagging EC2 resources

Most common AWS limits

20 instances per account

5 EIPs (Elastic IPs) per region - Public IP addresses are a scarce resource, and the intent is that you would use them to remap an address to another instance in case of failure, using DNS hostnames for all other inter-node communication.

100 security groups per VPC

20 ELBs (Elastic Load Balancers)

20 ASGs (Auto Scaling Groups)

5000 EBS volumes, 10000 snapshots, 40K IOPS, 20TB storage

More info on AWS service limits

Want to read more?

Check out the AWS Certified Solutions Architect Associate All-in-One Exam Guide on The book is getting great reviews, was updated to cover the new 2018 exam SAA-C01, and is available on Kindle and as a paperback book.
