Cost & Usage Report: The Billing Data Firehose
Think of it as a massive CSV (or Parquet) file delivered to an S3 bucket with every single charge broken down by hour, resource, tag, and account. It is the most granular billing data AWS produces, built for analysts and BI tools rather than for reading by hand.
Billing tools ranked by detail level:
- Pricing Calculator: estimate before you build (no real data)
- Budgets: set thresholds, get alerts and forecast notifications
- Cost Explorer: charts/graphs of actual spend, up to 13 months back
- Cost & Usage Report: raw data firehose, the most detailed of all (this one)
Exam trap:
- Cost Explorer = visual dashboards/charts
- Cost & Usage Report = raw granular billing exports
- AWS Budgets = alerts when spending thresholds are exceeded
| Exam trigger words |
|---|
| "detailed cost breakdown per resource" · "feed billing data into a BI tool" → Cost & Usage Report |
Reserved Instance Usage Reporting
AWS Billing Console
├── Cost Explorer
└── Reserved Instance reports (RI Utilization and RI Coverage)
The 6 Pillars of the Well-Architected Framework
for Architects and engineers
| Scenario signal | Pillar | One-liner |
|---|---|---|
| Single point of failure, outage, recovery | Reliability | Stay up, recover fast |
| Paying for unused resources, bill too high | Cost Optimization | Don't waste money |
| Manual processes, inconsistent deployments | Operational Excellence | Run it well and keep improving |
| Credentials exposed, no encryption | Security | Protect everything, always |
| Slow for distant users, wrong instance type, demand changes, evolving technologies, right-sizing compute | Performance Efficiency | Use the right resource for the job and adapt as workloads evolve |
| Carbon footprint, energy, managed services | Sustainability | Minimize environmental impact |
Cloud Benefits: Common Exam Traps
| Benefit | What it means |
|---|---|
| Agility | Quickly provision environments and experiment faster |
| Elasticity | Scale resources up/down with demand |
| Deploy globally in minutes | Launch workloads across AWS regions rapidly |
| Cost savings | Replace CapEx with variable cloud spending |
Trigger: "spin up testing environments quickly" → Agility
AWS Service Scope: Global vs Regional vs Zonal
| Scope | Examples |
|---|---|
| Global | IAM, Route 53, CloudFront, STS (global endpoint; regional STS endpoints also exist), WAF when attached to CloudFront (WAF for ALB or API Gateway is regional) |
| Regional | S3, RDS, EFS, Lambda, SQS, SNS, AWS Batch |
| Zonal | EC2 instances, EBS volumes |
The trick: EC2 feels regional but it's zonal. An instance lives in one AZ, and so does the EBS volume attached to it. EBS snapshots, however, are regional: they are stored in S3 and can be restored into any AZ in the region.
CloudFront Edge Locations are global edge caching locations, NOT regions or AZs.
Hybrid / Edge Infrastructure Services
| Service | Main Use |
|---|---|
| AWS Outposts | AWS-managed infrastructure on-premises |
| AWS Local Zones | Low-latency AWS extensions near major metro areas |
| AWS Wavelength | AWS compute inside telecom 5G networks |
Exam triggers:
- "same AWS APIs on-prem" โ Outposts
- "low-latency compute near city users" โ Local Zones
- "ultra-low-latency mobile / 5G apps" โ Wavelength
| Common scope traps |
|---|
| IAM and Route 53 are GLOBAL. EC2 and EBS volumes are ZONAL. S3 is REGIONAL even though buckets appear globally accessible. |
| AWS CDK is NOT an AWS service scope question โ it's a development framework. |
All 6 CAF Perspectives: Complete Master Table
for Business leaders AND technical teams
| Perspective | Owned by | Focuses on | Key capabilities |
|---|---|---|---|
| Business | CEO, CFO, COO | Cloud investment drives business outcomes | Strategy, portfolio, innovation |
| People | CHRO, HR leaders | Culture, skills, organizational change | Training, workforce, change management |
| Governance | CRO, Compliance | Risk, compliance, investment decisions | Portfolio management, data governance, risk |
| Platform | CTO, Architects | Architecture, infrastructure, tech standards | IaC, networking, data architecture |
| Security | CISO, Security engineers | Protect everything, detect threats | IAM, data protection, infrastructure protection |
| Operations | IT Operations, Support | Run and support cloud day to day | Incident mgmt, performance, patch management |
Exam trick: CAF is NOT just technical. The Business and People perspectives are tested heavily.
Application Portfolio Management = Governance (students always put this in Operations).
CAF Security Perspective Capabilities
| Capability | Does what |
|---|---|
| Infrastructure Protection | Protects against external threats and unauthorized access |
| Identity and Access Management | Controls who accesses what |
| Data Protection | Encryption, data security at rest and in transit |
| Threat Detection | Identifies existing threats |
| Incident Response | Responds when breaches occur |
| Application Security | Secures applications specifically |
The full CAF Security perspective has nine capabilities; the three not listed above are Security Governance, Security Assurance, and Vulnerability Management.
CAF Operations Perspective Capabilities
- Observability
- Event management (AIOps)
- Incident and problem management
- Change and release management
- Performance and capacity management
- Configuration management
- Patch management
- Availability and continuity management
- Application management
Trigger: "meet SLAs" + "agreed-upon service levels" → Performance and Capacity Management
Remember: Application Portfolio Management = Governance perspective, NOT Operations.
Shared Responsibility Model
| Category | Examples |
|---|---|
| AWS owns | Physical infrastructure, host OS patching, networking hardware |
| Shared | Configuration management, patch management (guest OS = you), awareness & training |
| Customer owns | Guest OS, applications, data encryption, network traffic protection, zone security (routing or zoning data within specific security environments) |
The one-word trick: "host OS" = AWS. "Guest OS" = customer.
| Common exam trap |
|---|
| AWS secures the cloud infrastructure. Customers secure what they put in the cloud. |
IAM Identities
| IAM Concept | CLI/Access Keys? | Notes |
|---|---|---|
| IAM User | Yes: long-term access keys | Common but not best practice |
| IAM Role | Yes: temporary credentials (issued by STS when the role is assumed) | Best practice |
| IAM Group | No | Collection of users only (groups cannot contain groups) |
| IAM Policy | No | Not an identity; it's a permission document |
Account alias = a friendly replacement for the AWS account ID in the login URL.
Pricing Calculator vs Cost Explorer vs Cost & Usage Report
| Tool | Use When |
|---|---|
| Pricing Calculator | Planning/estimating before you build |
| Cost Explorer | Analyzing actual spend after you've been running |
| Cost & Usage Report (CUR) | Need the raw billing data itself for BI tools, analytics, or highly detailed cost analysis |
The progression: Calculator → estimate before build. Explorer → visualize spend. CUR → raw billing firehose.
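The Cost & Usage Report section at the top describes the data as one line item per resource per hour with account and tag columns; the table just above says CUR is the tool to reach for when you need that raw data in a BI tool. The Python block below is an added example written for this page (it is not AWS code): it parses a constructed CUR-style CSV, sums unblended cost by account, by resource and by a cost-allocation tag, lists resources that carry no owner tag, and applies an AWS Budgets-style threshold check. The column names are real CUR columns; the six rows, account IDs, resource IDs and the budget figures are made up for the example.

```python
"""Added example (not from the original page): aggregate a Cost & Usage Report.

Column names are real CUR columns; the rows are constructed for this example.
"""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample: six hourly line items across two accounts. Real CURs have
# hundreds of columns; these six are the ones a cost breakdown usually needs.
SAMPLE_CUR = """\
lineItem/UsageAccountId,lineItem/UsageStartDate,lineItem/ProductCode,lineItem/ResourceId,lineItem/UnblendedCost,resourceTags/user:Team
111111111111,2024-05-01T00:00:00Z,AmazonEC2,i-0abc123,0.0960,payments
111111111111,2024-05-01T01:00:00Z,AmazonEC2,i-0abc123,0.0960,payments
111111111111,2024-05-01T00:00:00Z,AmazonRDS,arn:aws:rds:us-east-1:111111111111:db:orders,0.3400,payments
222222222222,2024-05-01T00:00:00Z,AmazonEC2,i-0def456,0.0416,
222222222222,2024-05-01T00:00:00Z,AWSELB,arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/web/abc,0.0225,web
222222222222,2024-05-01T01:00:00Z,AmazonEC2,i-0def456,0.0050,
"""

COST = "lineItem/UnblendedCost"


def parse_cur(text):
    """Parse CUR CSV text into a list of dict rows; cost becomes Decimal."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row[COST] = Decimal(row[COST])  # Decimal avoids float rounding in money sums
    return rows


def cost_by(rows, column):
    """Sum unblended cost grouped by any CUR column (account, resource, tag...)."""
    totals = defaultdict(Decimal)
    for row in rows:
        totals[row[column]] += row[COST]
    return dict(totals)


def total_cost(rows):
    """Total unblended cost across all line items."""
    return sum((row[COST] for row in rows), Decimal(0))


def untagged_resources(rows, tag_column):
    """Resource IDs with no value in the tag column: spend nobody owns."""
    return sorted({row["lineItem/ResourceId"] for row in rows if not row[tag_column]})


def budget_alert(actual, budget_limit, threshold_pct):
    """Mimic an AWS Budgets actual-cost alert: fire once spend reaches threshold% of the limit."""
    actual = Decimal(str(actual))
    limit = Decimal(str(budget_limit))
    return actual >= limit * Decimal(threshold_pct) / Decimal(100)


if __name__ == "__main__":
    rows = parse_cur(SAMPLE_CUR)
    print("by account :", cost_by(rows, "lineItem/UsageAccountId"))
    print("by team    :", cost_by(rows, "resourceTags/user:Team"))
    print("by resource:", cost_by(rows, "lineItem/ResourceId"))
    print("untagged   :", untagged_resources(rows, "resourceTags/user:Team"))
    # Hypothetical budget: $0.50 limit with an alert at 80% (constructed numbers)
    print("budget alert:", budget_alert(total_cost(rows), "0.50", 80))
```

The same grouping works for any CUR column, so the per-region or per-product-code breakdown is one call away; the untagged list is the security-relevant byproduct, since a resource nobody has tagged is usually a resource nobody is watching.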
Trusted Advisor: 5 Categories (memorize exactly)
- Cost Optimization
- Security
- Fault Tolerance
- Performance
- Service Limits
Trap answers: "Instance Usage", "Infrastructure", "Storage Capacity" → none of these are real categories. (AWS added a sixth category, Operational Excellence, in 2023; older exam material still lists the five above.)
Another trap: Full Trusted Advisor checks require Business+ or Enterprise support.
AWS Support Plans: Complete Feature Matrix
| Feature | Basic | Business+ | Enterprise |
|---|---|---|---|
| Cost | Free | Paid | More expensive |
| Trusted Advisor checks | Core only | Full | Full |
| Support API | No | Yes | Yes |
| Technical Account Manager (TAM) | No | No | Yes |
| Well-Architected Reviews | No | No | Yes |
| Operations Reviews | No | No | Yes |
| Infrastructure Event Management | No | Yes, extra fee | Yes, included |
| Concierge billing support | No | No | Yes |
| Response time (critical) | None | 1 hour | 15 minutes* |
| For workloads | Dev/test | Production | Mission-critical |
*Response times for the most severe case
- Business+: production system down = 1 hour
- Enterprise: business-critical system down = 15 minutes (production system down stays at 1 hour)
The rule: Business+ gets IEM for an extra fee but NOT Well-Architected or Operations Reviews; those need Enterprise.
Critical: If a question mentions Well-Architected Reviews OR Operations Reviews → Enterprise only.
What Is Free vs What Costs Money
| FREE | COSTS MONEY |
|---|---|
| VPCs | EC2 instances (per hour) |
| Subnets and route tables | RDS instances (per hour) |
| IAM users, groups, roles, policies | NAT Gateway (hourly + per GB processed) |
| CloudFormation | Elastic IPs and other public IPv4 addresses (hourly, even when attached to a running instance) |
| AWS Organizations | Data transfer OUT to internet |
| Security Groups and NACLs | Data transfer BETWEEN regions |
| AWS Console access | Data transfer BETWEEN AZs (small fee) |
| Inbound data transfer to AWS | EBS volumes (per GB per month) |
| S3 DELETE and CANCEL requests (other S3 requests are billed per 1,000) | Load balancers (per hour + LCUs) |
| DNS resolution within VPC | Direct Connect (port hours + data transfer) |
| CloudWatch basic monitoring | CloudWatch detailed monitoring and custom metrics |
Biggest surprises:
- Elastic IPs incur charges: since February 2024 every public IPv4 address is billed per hour, attached or not, to discourage IPv4 hoarding
- Data transfer INTO AWS from the internet is free: uploads are not charged
- Data transfer BETWEEN AZs in the same region costs a small amount per GB: factor it into multi-AZ design decisions
- VPCs themselves are free: you pay for what's inside them
- CloudFormation is free: you pay for the resources it creates
- Security Groups and NACLs are free: traffic and the resources behind them are what cost money
Route 53 vs Route Tables
| Service | Main job |
|---|---|
| Route 53 | DNS routing and failover |
| VPC Route Tables | Internal packet routing inside a VPC |
| Mental model |
|---|
| Route 53 decides where users go. Route Tables decide where packets go. |
AWS SDKs
Used for authenticated programmatic access to AWS from application code.
SDK responsibilities:
- Request signing
- Credential resolution
- IAM role integration
- Automatic credential refresh
Trap: CloudFormation provisions infrastructure. SDKs are for runtime API access.
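The SDK responsibilities listed above are easiest to understand by doing two of them by hand. The Python block below is an added example written for this page (it is not AWS SDK code): it resolves credentials through a simplified version of the SDK chain (explicit values, then environment variables, then a shared-credentials-style INI text) and produces SigV4 request headers, including the session token that temporary role credentials carry (the IAM Identities table above). The access key, secret, INI text and request are constructed placeholders; the signer also skips the header-whitespace normalisation and chunked-payload rules a real SDK applies. Nothing is sent to AWS.

```python
"""Added example (not from the original page): two things an AWS SDK does for you,
credential resolution and SigV4 request signing, written out by hand.
All key material below is a constructed placeholder.
"""
import configparser
import datetime
import hashlib
import hmac
import os
import urllib.parse


def resolve_credentials(explicit=None, env=None, shared_ini=None, profile="default"):
    """Simplified SDK credential chain. Returns (access_key, secret_key, session_token)."""
    if explicit:
        return explicit
    env = os.environ if env is None else env
    if "AWS_ACCESS_KEY_ID" in env and "AWS_SECRET_ACCESS_KEY" in env:
        return (env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"],
                env.get("AWS_SESSION_TOKEN"))
    if shared_ini:  # stands in for ~/.aws/credentials
        ini = configparser.ConfigParser()
        ini.read_string(shared_ini)
        if ini.has_section(profile):
            sec = ini[profile]
            return (sec["aws_access_key_id"], sec["aws_secret_access_key"],
                    sec.get("aws_session_token"))
    raise RuntimeError("no credentials found in explicit args, environment or shared file")


def _sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Build the SigV4 canonical request. headers: lowercase name -> value."""
    cq = "&".join(f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
                  for k, v in sorted(query.items()))
    names = sorted(headers)
    ch = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    signed = ";".join(names)
    return "\n".join([method, path, cq, ch, signed, _sha256_hex(payload)]), signed


def sign_request(method, host, path, query, payload, region, service, creds, amz_date=None):
    """Return the headers an SDK attaches: X-Amz-Date, Authorization and, for roles, the token."""
    access_key, secret_key, token = creds
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date}
    if token:  # temporary (role) credentials: the session token is sent AND signed
        headers["x-amz-security-token"] = token
    creq, signed = canonical_request(method, path, query, headers, payload)
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(creq.encode())])
    # Derived signing key: the secret never goes on the wire and is narrowed to
    # one day, region and service before it signs anything.
    k = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    out = {"X-Amz-Date": amz_date,
           "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed}, Signature={signature}")}
    if token:
        out["X-Amz-Security-Token"] = token
    return out


if __name__ == "__main__":
    # Constructed shared-credentials text with placeholder keys (not real)
    ini = ("[default]\naws_access_key_id = AKIDEXAMPLE\n"
           "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
    creds = resolve_credentials(env={}, shared_ini=ini)
    hdrs = sign_request("GET", "iam.amazonaws.com", "/",
                        {"Action": "ListUsers", "Version": "2010-05-08"},
                        b"", "us-east-1", "iam", creds, amz_date="20150830T123600Z")
    print(hdrs["Authorization"])
```

The derived signing key is the security point: the secret access key is only ever an HMAC input, so a captured Authorization header reveals a signature bound to one date, region and service, not the key itself. Long-term IAM user keys still deserve the "not best practice" label because they never expire; a role's session token does, and it is bound into the same signature.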
Lightsail vs Elastic Beanstalk
| Service | Best for |
|---|---|
| Lightsail | Simple VPS/WordPress hosting |
| Elastic Beanstalk | Managed application deployment |
Trigger: "easiest way to deploy WordPress with minimal AWS knowledge" → Lightsail