DEV Community: Cliff Claven

DRAFT: the other exam and joys

Cliff Claven — Tue, 19 May 2026 02:12:28 +0000

AWS DVA-C02 Cheat Tables

1. CI/CD Tools

The pipeline mental model: CodeCommit/GitHub → CodeBuild → CodeArtifact (stores packages) → CodeDeploy → CodePipeline ties it all together

Service	What it does	Key details to know	Exam gotcha
CodeCommit	Private Git repos hosted in AWS. Like GitHub but inside your AWS account.	Uses IAM for auth (not username/password). Supports SSH and HTTPS. Triggers events to EventBridge, SNS, Lambda on push.	⚠️ AWS deprecated this in 2024 — may still appear on exam but flagged as legacy
CodeBuild	Compiles code, runs tests, produces deployable artifacts. Fully managed build server — no Jenkins to maintain.	`buildspec.yml` file in your repo defines the build steps (install, pre-build, build, post-build phases). Outputs to S3. Billed per build minute. Runs in Docker containers.	🚨 `buildspec.yml` must be at root of repo or explicitly specified — exam loves this
CodeDeploy	Automates deploying code to EC2, Lambda, ECS, or even on-premises servers.	`appspec.yml` defines deployment hooks (BeforeInstall, AfterInstall, ApplicationStart etc). Supports blue/green, canary, and rolling deployments. For EC2 — needs the CodeDeploy agent installed on the instance.	🚨 `appspec.yml` ≠ `buildspec.yml` — CodeBuild uses buildspec, CodeDeploy uses appspec. Exam will mix these up to trick you.
CodePipeline	The orchestrator. Connects source → build → test → deploy into one automated workflow.	Stages contain actions. Can add manual approval gates between stages. Integrates with GitHub, CodeCommit, CodeBuild, CodeDeploy, CloudFormation, Elastic Beanstalk, ECS. Triggered by code push or on a schedule.	ℹ️ CodePipeline doesn't build or deploy itself — it just orchestrates other services that do
CodeArtifact	Private artifact/package repository. Stores npm, pip, Maven, NuGet packages inside your AWS account.	Acts as a proxy to public repos (npm, PyPI) AND caches them. So your builds never depend directly on the public internet. Access controlled via IAM and resource policies.	ℹ️ Think "private npm/pip registry inside AWS" — question about securing dependencies → CodeArtifact

2. Event-Driven Architecture — Choreography vs Orchestration

	Choreography	Orchestration
Mental model	Jazz band — everyone improvises together	Symphony conductor — one person directs everyone
Central brain?	No. Services react to events independently	Yes. One coordinator controls the flow
AWS services	EventBridge, SNS, SQS	Step Functions, Lambda
Coupling	Loosely coupled	More tightly coupled around the orchestrator
Visibility	Harder to trace the full flow	Easy — the workflow definition IS the flow
Pick when...	Fan-out to multiple consumers, services owned by different teams, "publish and forget", high scalability needed	Complex multi-step workflows, state must be tracked, error handling and retries matter, steps depend on previous results

Exam tip: Question about "complex order processing with error handling and compensation steps" → Step Functions. Question about "notify multiple downstream services when something happens" → EventBridge or SNS.

3. Cognito — User Pools vs Identity Pools

	User Pools	Identity Pools
What it is	A user directory. Handles sign-up, sign-in, passwords, MFA.	A credential vending machine. Exchanges tokens for temporary AWS credentials.
What it gives you	A JWT token (ID token, access token, refresh token)	Temporary IAM credentials (access key, secret key, session token) via STS
Who are the users	Humans logging into your app	Anyone who needs to call AWS services directly
Supports federation?	Yes — Google, Facebook, SAML, OIDC IdPs can log in through User Pools	Yes — can accept User Pool tokens, social logins, SAML, even unauthenticated guests
What you do with the output	Use the JWT to authenticate API calls to your app backend	Use the IAM credentials to call AWS services directly (S3, DynamoDB, etc.)
AWS service it calls	Nothing — it IS the auth service	Calls STS AssumeRoleWithWebIdentity under the hood
Analogy	The bouncer checking IDs at the door	The coat check that gives you a ticket to pick up AWS resources

One-line memory hooks:

User Pool = WHO are you? (authentication, identity, JWT)
Identity Pool = WHAT can you access? (authorization, AWS credentials, IAM)
User Pool → your app. Identity Pool → AWS services.
InitiateAuth = native User Pool users only. Federation always goes through the hosted UI.

4. Cognito — Tricky Scenario Table

Scenario	Answer
User logs in with Google and gets a JWT to call YOUR app's API	User Pool (with Google as federated IdP)
User logs in and then needs to read their own S3 files directly from the browser	Identity Pool (exchanges token for IAM creds to call S3)
You need MFA, password reset, email verification	User Pool — Identity Pools don't do any of that
Unauthenticated guest users need limited AWS access	Identity Pool — supports unauthenticated identities
SAML corporate SSO → app login	User Pool with SAML IdP configured
Mobile app needs to write to DynamoDB directly	Identity Pool — gets IAM creds, calls DynamoDB
Federated sign-in is failing, IdP is configured correctly	User must use `/oauth2/authorize` hosted UI endpoint, NOT `InitiateAuth`
Need to chain both together	User Pool authenticates → passes JWT to Identity Pool → gets IAM creds

Elastic Beanstalk — The 6 Things DVA Tests

Topic	What to know
Deployment policies	All at once — fastest, has downtime. Rolling — no downtime, reduced capacity during deploy. Rolling with additional batch — no downtime, no reduced capacity (spins up extra instances first). Immutable — safest, creates entirely new instances then swaps. Blue/Green — swap environment URLs via Route 53/CNAME swap.
Procfile	Defines multiple long-running processes (web server + background workers). Beanstalk starts and monitors all of them.
Buildfile	Commands that run ONCE during deployment. Not for long-running processes — for build steps.
`.ebextensions/`	Folder of YAML config files that customize the environment — install packages, set env vars, run scripts on instance startup.
`env.yaml`	Define environment configuration (environment name, solution stack, option settings).
Saved configurations	Snapshot of an environment's full config. Reuse it to spin up identical environments or restore a previous state.

Exam tip: "No downtime + no reduced capacity" → Rolling with additional batch. "Safest / can roll back instantly" → Immutable. "Separate live environment, swap DNS" → Blue/Green.

IAM — Trust Policies vs Permission Policies

This is one of the most misunderstood IAM concepts and the exam exploits it constantly.

Two completely separate questions

Question	Answered by	Where it lives
Can this principal DO this action?	Permissions policy	Attached to the user/role doing the action
Can this principal ASSUME this role?	Trust policy	Attached to the TARGET role being assumed

AssumeRole requires BOTH to be true

When Lambda tries to assume a role, TWO things must both be true:

The Lambda execution role must have sts:AssumeRole permission in its permissions policy ✓
The target role must list the Lambda execution role as a trusted principal in its trust policy ✓

If either one is missing → AccessDenied. The exam gives you a scenario where #1 is satisfied but #2 is missing. Most people only think about the caller's permissions and miss the trust policy entirely.

What a trust policy looks like

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/MyLambdaExecutionRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

This lives on the TARGET role. It says "I trust MyLambdaExecutionRole to assume me." Without this, AssumeRole is denied no matter what.

Memory hook

Permissions policy = what I can do

Trust policy = who can wear my hat

AssumeRole denied despite having sts:AssumeRole? → Check the target role's trust policy

IAM — Allow/Deny Evaluation Order

Priority	Rule
1 — Explicit Deny	Always wins. One Deny anywhere overrides every Allow everywhere. No exceptions.
2 — SCPs	Org-level guardrails. If the SCP doesn't allow it, nothing below matters.
3 — Resource-based policies	Evaluated alongside identity policies for cross-account access.
4 — Identity-based policies	What's attached to the user/role making the request.
5 — Default Deny	If nothing explicitly Allows it, it's denied.

The tricky distinctions

Concept	What it means
Explicit Deny	A policy literally says `"Effect": "Deny"`. Overrides any Allow anywhere.
Default Deny (implicit)	No policy says anything about this action. Denied by default. Does NOT override an Allow.
`NotAction` + `Deny`	Denies everything EXCEPT the listed actions. Exam loves this one.

Key exam trap: "The user has an Allow in their group policy but still gets denied" → there is an explicit Deny somewhere else. Find it. One explicit Deny beats unlimited Allows.

AWS Cloud Practitioner Exam - The Difficult Parts - Part 3: Storage and (some) Compute

Cliff Claven — Sun, 17 May 2026 18:33:36 +0000

💾 EBS vs EFS vs S3 — How Does Your App See the Storage?

EBS — Elastic Block Store

Acts like a hard drive plugged into your EC2 instance. One instance, one AZ. Your OS formats and mounts it. Data persists after stop.

🧠 Think: "My server's hard drive"

EFS — Elastic File System

Acts like a shared network drive. Multiple EC2 instances across multiple AZs can mount it simultaneously. Auto-scales, no capacity to manage.

🧠 Think: "Shared folder that all my servers can access"

Unlike Storage Gateway File Gateway, EFS is a true managed cloud file system — not a hybrid bridge into S3.

S3 — Simple Storage Service

Not a file system — an object store. You don't mount it, you call an API (PUT, GET). Flat blobs with URL keys. Massive scale, globally accessible, cheap.

🧠 Think: "A giant bucket of files accessible over the internet"

📋 Quick pick
Temp files on one server → EBS · Shared config files across servers → EFS · User photos accessible anywhere → S3

General Purpose SSD (gp3)

AWS-recommended EBS volume type for most workloads.

SSD-backed
balanced price/performance
supports boot volumes

📋 Exam trigger words
"recommended EBS volume for most workloads" · "boot volume" → gp3

⚡ Instance Store — The One Everyone Forgets (And It's the Fastest)

Every EC2 host machine has real physical disks attached to it. Instance Store lets your instance use those disks directly — no network hop, just raw disk. EBS feels local but still goes over the network. That's why Instance Store wins on speed.

The catch: data only exists while the instance runs. Stop it, terminate it, or if the hardware fails — gone. Not a debate, just gone.

It's included in the EC2 instance price — no extra charge.

Instance Store = ephemeral BLOCK storage physically attached to the host server.

📋 Exam trigger words
"fault-tolerant" · "can handle failures" · "distributed architecture" · "highest I/O performance" · "lowest latency storage" → Instance Store

⚠️ Common exam trap
Instance Store offers the highest performance and lowest latency, but NOT durability. If the instance stops or fails, the data is lost permanently.

AMI vs Snapshot

Resource	Purpose
AMI	Launch template for EC2 instances
EBS Snapshot	Backup of EBS volume data

Golden AMI = standardized EC2 image with:

OS
patches
monitoring agents
application configuration

Exam trigger: "exact copy of EC2 instance in another region" → AMI copy

RDS Read Replicas vs Multi-AZ

Feature	Purpose
Read Replicas	Scale read-heavy workloads
Multi-AZ	High availability and failover

⚠️ Common exam trap
Read Replicas improve read throughput. Multi-AZ improves availability, NOT read scaling.

Data Protection, Migration & Storage Services

Service	Does what	Analogy	Trigger words
AWS Backup	Centralized automated backups across ALL AWS services and on-premises	The automated backup janitor who never forgets	"centralize backups" "automate backup policy" "across services"
Elastic Disaster Recovery	Continuously replicates live servers for rapid failover	The understudy ready to go on stage instantly	"disaster recovery" "minimal data loss" "failover" "RPO/RTO"
DataSync	Transfers and migrates data between storage systems	The moving truck for your data	"migrate data" "transfer to AWS" "sync on-premises to S3"
Storage Gateway	Lets on-premises systems use AWS storage as if it were local	The magic portal that makes cloud look local	"hybrid storage" "on-premises access to cloud" "replace tape backups"
Snowball Edge	Physical device for massive data transfer when network is impractical	The armored truck when the internet highway is too slow	"terabytes to petabytes" "physical transfer" "no internet" "rugged"

Aurora — The "Self-Healing" Database

Aurora automatically:

replicates storage 6 ways across 3 AZs
repairs failed storage blocks automatically
provides high availability relational storage

📋 Exam trigger words
"self-healing relational database" · "high throughput relational database" → Aurora

⚠️ Common exam trap
DynamoDB is highly fault tolerant and auto-scaled, but AWS usually reserves the term "self-healing" for Aurora's distributed relational storage architecture.

Storage Gateway — Three Flavors

Flavor	Presents as	Stores to	Use when
File Gateway	NFS/SMB network file share	S3	Replace on-premises file servers
Volume Gateway	iSCSI block storage that looks like a local disk to servers	S3 + EBS snapshots	Extend or back up on-premises block storage into AWS
Tape Gateway	Virtual tape library that emulates traditional backup tapes	S3 / Glacier	Replace physical tape backup systems without changing backup software

The Storage Gateway mental model:
Your on-premises servers think they're writing to local storage.
They're actually writing to AWS.
The gateway handles the translation invisibly.

⚠️ Common exam trap
EFS is a native cloud file system. File Gateway is a hybrid bridge between on-premises systems and S3.

🧠 The key distinction
File Gateway = shared files/folders (SMB/NFS).
Volume Gateway = raw disks/block storage (iSCSI).
Tape Gateway = virtual tapes for legacy backup software.

Key Distinctions Q&A

Question	Answer
Need to back up AWS resources centrally?	AWS Backup
Need servers to keep running if disaster hits?	Elastic Disaster Recovery
Need to move data to AWS once or regularly?	DataSync
Need on-premises servers to use AWS storage daily?	Storage Gateway
No internet, massive data, physical shipment?	Snowball Edge

The trap: Elastic Disaster Recovery sounds like backup — it's not.
It replicates LIVE systems for failover, not periodic backup copies.

Reserved vs Dedicated — Completely Different Concepts

Reserved = a PRICING decision
You commit to 1 or 3 years → AWS gives you up to 72% discount.
Hardware is still shared with other AWS customers.

Dedicated = a HARDWARE decision
You get physically isolated servers.
Other AWS customers cannot run workloads on your hardware.
Exists for compliance requirements and software licensing.

They are independent — you can mix and match:

Combination	Means
Reserved + Shared hardware	Normal Reserved Instance — discount only
Reserved + Dedicated hardware	Commit AND get physical isolation
On-Demand + Dedicated hardware	Dedicated Instance/Host, no commitment

Dedicated Instance vs Dedicated Host

	Dedicated Instance	Dedicated Host
Hardware dedicated to you	✅	✅
You know WHICH server you're on	❌ AWS picks	✅ You choose
Visibility into sockets/cores	❌	✅
Bring your own license (BYOL)	❌	✅
Cost	Lower	Higher
Use when	Need dedicated hardware for compliance	Need specific server for BYOL licensing

The one sentence: Reserved = discount for commitment.
Dedicated = physical isolation for compliance or licensing.
You can mix and match them.

Exam trigger: "existing server-bound software licenses" + "compliance" → Dedicated Host
Exam trigger: "dedicated hardware" without licensing mention → Dedicated Instance

Trigger: "existing server-bound software licenses" + "compliance" → Dedicated Host

⚠️ Common exam trap
Dedicated Hosts provide isolated AWS hardware in AWS data centers. AWS Outposts extends AWS infrastructure into YOUR on-premises environment.

EC2 Instance Purchasing Decision Tree

Scenario	Choose
Short term, uninterruptible	On-Demand
Long term 1-3 years, predictable	Reserved
Fault-tolerant, can be interrupted	Spot
Dedicated hardware, BYOL licensing	Dedicated Host
Dedicated hardware, compliance only	Dedicated Instance
Long-term compute across EC2 + Lambda + Fargate	Compute Savings Plans

⚠️ Common exam trap
Reserved Instances apply mainly to EC2. Compute Savings Plans also cover Lambda and Fargate with more flexibility.

EC2 Launch Requirements

Required	Optional
Security Group	Elastic IP
VPC and Subnet	Key pair (if no other access method)
EBS Root Volume	Additional EBS volumes
AMI	Instance store volumes

🚧 ELB vs Auto Scaling — The Most Common Scaling Mix-up

Service	Main job
Elastic Load Balancer (ELB)	Distributes incoming traffic across targets
EC2 Auto Scaling	Adds/removes EC2 instances based on demand

💡 Mental model
ELB spreads traffic across servers. Auto Scaling changes how many servers exist.

⚠️ Common troubleshooting clue
If traffic is not reaching instances behind a load balancer, first check the ELB Health Checks. Unhealthy targets receive no traffic.

Lightsail vs Elastic Beanstalk

Service	Best for
Lightsail	Simple VPS/WordPress hosting
Elastic Beanstalk	Managed application deployment

Trigger: "easiest WordPress deployment with minimal AWS knowledge" → Lightsail

AWS SDKs

Used for authenticated programmatic access to AWS from application code.

SDKs handle:

request signing
credential resolution
IAM role integration
automatic credential refresh

⚠️ Common exam trap
SDKs are for runtime application access. CloudFormation provisions infrastructure.

Global Gaming / Low-Latency Architecture

Problem	Best Solution
High latency for players in other continents	Deploy servers closer to users in additional regions

⚠️ Common exam trap
CloudFront helps static content delivery, NOT real-time multiplayer server latency.

AWS Cloud Practitioner Exam - The Difficult Parts - Part 2: Planning and Costs

Cliff Claven — Sun, 17 May 2026 18:23:23 +0000

💰 Cost & Usage Report — The Billing Data Firehose

Think of it as a massive CSV delivered to an S3 bucket with every single charge broken down by hour, resource, tag, and account. The most granular billing data AWS produces — built for analysts and BI tools.

Billing tools ranked by detail level:

Pricing Calculator  →  estimate before you build (no real data)
Budgets             →  set thresholds, get alerts
Cost Explorer       →  charts/graphs of actual spend, up to 13 months back
Cost & Usage Report →  raw data firehose, most detailed of all ⬅ this one

| AWS Budgets | Threshold alerts and forecasting notifications |

Exam trap:

Cost Explorer = visual dashboards/charts
Cost & Usage Report = raw granular billing exports
AWS Budgets = alerts when spending thresholds are exceeded

📋 Exam trigger words
"detailed cost breakdown per resource" · "feed billing data into a BI tool" → Cost & Usage Report

Reserved Instance Usage Reporting

AWS Billing Console
└── Cost Explorer
    └── Reserved Instance reports

The 6 Pillars

for Architects and engineers

Scenario signal	Pillar	One-liner
Single point of failure, outage, recovery	Reliability	Stay up, recover fast
Paying for unused resources, bill too high	Cost Optimization	Don't waste money
Manual processes, inconsistent deployments	Operational Excellence	Run it well and keep improving
Credentials exposed, no encryption	Security	Protect everything, always
Slow for distant users, wrong instance type	Performance Efficiency	Use the right resource for the job
Demand changes, evolving technologies, right-sizing compute	Performance Efficiency	Adapt resources efficiently as workloads evolve
Carbon footprint, energy, managed services	Sustainability	Minimize environmental impact

Cloud Benefits — Common Exam Traps

Benefit	What it means
Agility	Quickly provision environments and experiment faster
Elasticity	Scale resources up/down with demand
Deploy globally in minutes	Launch workloads across AWS regions rapidly
Cost savings	Replace CapEx with variable cloud spending

Trigger: "spin up testing environments quickly" → Agility

AWS Service Scope: Global vs Regional vs Zonal

Scope	Examples
Global	IAM, Route 53, CloudFront, WAF, STS
Regional	S3, RDS, EFS, Lambda, SQS, SNS, AWS Batch
Zonal	EC2 instances, EBS volumes

The trick: EC2 feels regional but it's zonal — it lives in one AZ. EBS snapshots however are regional.

CloudFront Edge Locations are global edge caching locations, NOT regions or AZs.

EBS volumes are zonal.
EBS snapshots are regional.

Hybrid / Edge Infrastructure Services

Service	Main Use
AWS Outposts	AWS-managed infrastructure on-premises
AWS Local Zones	Low-latency AWS extensions near major metro areas
AWS Wavelength	AWS compute inside telecom 5G networks

Exam triggers:

"same AWS APIs on-prem" → Outposts
"low-latency compute near city users" → Local Zones
"ultra-low-latency mobile / 5G apps" → Wavelength

⚠️ Common scope traps
IAM and Route 53 are GLOBAL. EC2 and EBS volumes are ZONAL. S3 is REGIONAL even though buckets appear globally accessible.
AWS CDK is NOT an AWS service scope question — it's a development framework.

All 6 CAF Perspectives — Complete Master Table

for Business leaders AND technical teams

Perspective	Owned by	Focuses on	Key capabilities
Business	CEO, CFO, COO	Cloud investment drives business outcomes	Strategy, portfolio, innovation
People	CHRO, HR leaders	Culture, skills, organizational change	Training, workforce, change management
Governance	CRO, Compliance	Risk, compliance, investment decisions	Portfolio management, data governance, risk
Platform	CTO, Architects	Architecture, infrastructure, tech standards	IaC, networking, data architecture
Security	CISO, Security engineers	Protect everything, detect threats	IAM, data protection, infrastructure protection
Operations	IT Operations, Support	Run and support cloud day to day	Incident mgmt, performance, patch management

Exam trick: CAF is NOT just technical — Business and People perspectives are tested heavily
Application Portfolio Management = Governance ← students always put this in Operations

CAF Security Perspective Capabilities

Capability	Does what
Infrastructure Protection	Protects against external threats and unauthorized access
Identity and Access Management	Controls who accesses what
Data Protection	Encryption, data security at rest and in transit
Threat Detection	Identifies existing threats
Incident Response	Responds when breaches occur
Application Security	Secures applications specifically

CAF Operations Perspective Capabilities

Observability
Event management (AIOps)
Incident and problem management
Change and release management
Performance and capacity management
Configuration management
Patch management
Availability and continuity management
Application management

Trigger: "meet SLAs" + "agreed-upon service levels" → Performance and Capacity Management

Remember: Application Portfolio Management = Governance perspective, NOT Operations

Shared Responsibility Model

Category	Examples
AWS owns	Physical infrastructure, host OS patching, networking hardware
Shared	Configuration management, patch management (guest OS = you), awareness & training
Customer owns	Guest OS, applications, data encryption, network traffic protection, Zone Security

The one-word trick: "host OS" = AWS. "Guest OS" = customer.

⚠️ Common exam trap
AWS secures the cloud infrastructure. Customers secure what they put in the cloud.

IAM Identities

IAM Concept	CLI/Access Keys?	Notes
IAM User	✅ Long-term credentials	Common but not best practice
IAM Role	✅ Temporary credentials	Best practice
IAM Group	❌	Collection of users only
IAM Policy	❌	Not an identity — it's a permission document

Account alias = a friendly replacement for the AWS account ID in the login URL.

Pricing Calculator vs Cost Explorer vs Cost & Usage Report

Tool	Use When
Pricing Calculator	Planning/estimating before you build
Cost Explorer	Analyzing actual spend after you've been running
Cost & Usage Report (CUR)	Need the raw billing data itself for BI tools, analytics, or highly detailed cost analysis

The progression: Calculator → estimate before build. Explorer → visualize spend. CUR → raw billing firehose.

Trusted Advisor — 5 Categories (memorize exactly)

Cost Optimization
Security
Fault Tolerance
Performance
Service Limits

Trap answers: "Instance Usage", "Infrastructure", "Storage Capacity" — none of these are real categories.

Another trap: Full Trusted Advisor checks require Business+ or Enterprise support.

AWS Support Plans — Complete Feature Matrix

Feature	Basic	Business+	Enterprise
Cost	Free	Paid	More expensive
Trusted Advisor checks	Core only	Full	Full
Support API	❌	✅	✅
Technical Account Manager (TAM)	❌	❌	✅
Well-Architected Reviews	❌	❌	✅
Operations Reviews	❌	❌	✅
Infrastructure Event Management	❌	✅ extra fee	✅ included
Concierge billing support	❌	❌	✅
Response time (critical)	None	1 hour	15 minutes*
For workloads	Dev/test	Production	Mission-critical

Enterprise-specific response times

Production system down = 1 hour
Business-critical system down = 15 minutes (Enterprise)

The rule: Business+ gets IEM for extra fee but NOT Well-Architected or Operations Reviews → those need Enterprise

Critical: If a question mentions Well-Architected Reviews OR Operations Reviews → Enterprise only

What Is Free vs What Costs Money

FREE	COSTS MONEY
VPCs	EC2 instances (per hour)
Subnets and route tables	RDS instances (per hour)
IAM users, groups, roles, policies	NAT Gateway (hourly + per GB processed)
CloudFormation	Elastic IPs — even attached to running instances
AWS Organizations	Data transfer OUT to internet
Security Groups and NACLs	Data transfer BETWEEN regions
AWS Console access	Data transfer BETWEEN AZs (small fee)
Inbound data transfer to AWS	EBS volumes (per GB per month)
S3 storage requests (mostly)	Load balancers (per hour + LCUs)
DNS resolution within VPC	Direct Connect (port hours + data transfer)
CloudWatch basic monitoring	CloudWatch detailed monitoring and custom metrics

Biggest surprises:

Elastic IPs may incur charges — AWS discourages unused/public IPv4 hoarding — AWS charges to discourage IPv4 hoarding
Data transfer INTO AWS is free — you're never charged for uploads
Data transfer BETWEEN AZs in same region costs a small amount — use this to justify multi-AZ design decisions
VPCs themselves are free — you pay for what's inside them
CloudFormation is free — you pay for resources it creates
Security Groups and NACLs are free — traffic and the resources behind them are what cost money

🚧 Route 53 vs Route Tables

Service	Main job
Route 53	DNS routing and failover
VPC Route Tables	Internal packet routing inside a VPC

💡 Mental model
Route 53 decides where users go. Route Tables decide where packets go.

AWS SDKs

Used for authenticated programmatic access to AWS from application code.

SDK responsibilities:

Request signing
Credential resolution
IAM role integration
Automatic credential refresh

Trap: CloudFormation provisions infrastructure. SDKs are for runtime API access.

Lightsail vs Elastic Beanstalk

Service	Best for
Lightsail	Simple VPS/WordPress hosting
Elastic Beanstalk	Managed application deployment

Trigger: "easiest way to deploy WordPress with minimal AWS knowledge" → Lightsail

AWS Cloud Practitioner Exam - The Difficult Parts - Part 1 : Security & Networking

Cliff Claven — Fri, 15 May 2026 21:12:52 +0000

Just studying with Claude here and got a little too excited about a cheat sheet . ...

No corporate speak. No filler. Just what these things do and when to reach for them.

🎥 AWS Config — The Security Camera That Never Blinks

Imagine a security camera pointed at your AWS resources, taking a snapshot every time something changes. That's Config.

Your S3 bucket was private Monday, public Tuesday — Config caught both states, logged the diff, and knows exactly who did it. You can add rules like "S3 buckets must never be public." Break the rule, get flagged as non-compliant.

This is called drift detection — your resource wandered away from desired state, and Config is the auditor that noticed.

Config doesn't prevent changes (that's IAM and SCPs). It records and evaluates them.

📋 Exam trigger words
"audit resource changes over time" · "compliance rules" · "who changed this resource" · "configuration history" → Config

⚠️ Common exam trap
Config tracks configuration drift and compliance history. It is NOT a real-time threat detection service.

Config + Patch Manager

Patch Manager performs the patching.
Config tracks patch compliance history and evaluates compliance rules over time.

📋 Exam trigger words
"track patch compliance history" · "compliance status over time" → AWS Config

🛡️ Shield + WAF — Three Guards, Three Completely Different Jobs

Shield Standard

The free bouncer at the door. Stops the most common brute-force network floods (L3/L4). Always on, you do nothing, costs nothing.

Shield Advanced

The paid security team with specialists. Handles sophisticated DDoS including application-layer attacks — think HTTP floods that look like real traffic. You also get:

A dedicated DDoS Response Team you can actually call
Cost protection if an attack causes runaway scaling costs
Real-time attack visibility

Commonly associated protected resources:
EC2, ELB, CloudFront, Route 53, Global Accelerator
API Gateway, Lambda, Elastic Beanstalk? Not covered.

🧠 Mnemonic — Shield Advanced's 5 protected resources
Every Elastic Cloud Runs Globally
EC2 · ELB · CloudFront · Route 53 · Global Accelerator

⚠️ Common exam trap
Shield Advanced protects specific supported AWS services — not every AWS service automatically.

WAF — A Completely Different Animal

WAF doesn't care about flood volume. It reads the content of HTTP/HTTPS requests and blocks based on rules you write:

Specific IPs or IP ranges
SQL injection patterns
Requests from specific countries
AWS Managed Rules (pre-built OWASP Top 10, bot protection, etc.)

Attaches to: CloudFront, ALB, API Gateway, AppSync — not EC2 directly.

WAF only works for HTTP/HTTPS traffic.

🚧 WAF vs NACLs vs Security Groups

All three block traffic — but at completely different layers of the stack.

	WAF	NACLs	Security Groups
Primary job	Filter malicious web requests	Protect subnet boundaries	Protect individual resources
OSI layer	L7 (HTTP/HTTPS)	L3/L4 (IP, port)	L3/L4 (IP, port)
Understands	URLs, headers, cookies, request body	IPs, protocols, ports	IPs, protocols, ports
Attached to	CloudFront, ALB, API Gateway	VPC subnets	ENI-based resources (EC2, RDS, ECS, Lambda-in-VPC, etc.)
Traffic model	Web requests only	Broad subnet filtering	Per-resource firewall
Rules	Allow/block by request content	Allow AND deny	Allow only
Stateful?	—	❌ Stateless	✅ Stateful
Valid source/destination values	IPs, CIDRs	IPs, CIDRs	CIDRs, Security Group IDs, Prefix Lists
Supports deny rules?	✅	✅	❌

⚠️ Common exam trap
Security Groups and NACLs do NOT inspect HTTP request contents. Only WAF operates at Layer 7 and understands web requests.

💡 Mental model
WAF inspects what is inside the HTTP request. NACLs guard the subnet boundary. Security Groups act like stateful firewalls protecting individual AWS resources inside the VPC.

The mental model:

NACLs guard the neighborhood entrance.
Security Groups guard your front door.
WAF reads the letter someone is trying to hand you.

⚠️ Common Security Group exam trap
Inbound rules specify a source. Outbound rules specify a destination. Security Groups do not support hostnames or instance IDs in rules.

Security Services — Complete Picture

Service	One job	Analogy
Shield Standard	Free DDoS protection against common L3/L4 floods	The free bouncer at the door
Shield Advanced	Paid DDoS protection including L7, with response team	The paid security team with specialists
WAF	Reads HTTP content and blocks bad web requests	Reads the letter before letting it through
GuardDuty	ML-powered threat detection — watches logs, finds suspicious behavior	The burglar alarm
Inspector	Scans EC2/containers for known CVE vulnerabilities	The building safety inspector
Detective	Investigates security alerts, finds root cause	The detective called in after the alarm fires
Macie	Finds sensitive data (PII, credentials) hiding in S3	The auditor who finds what shouldn't be there
Security Hub	Aggregates findings from AWS security services into one dashboard	The security operations dashboard

The sequence: GuardDuty finds it → Detective investigates it → Inspector prevents it → Macie finds the data exposure

⚠️ Common security distinction
Config answers "What changed?" GuardDuty answers "Is something malicious happening?"

🧠 GuardDuty vs Inspector — the most common mix-up
GuardDuty watches behavior — someone is doing something suspicious. Reactive/detective.
Inspector scans compute workloads (EC2, containers, Lambda) for known vulnerabilities and exposure risks. Proactive/preventive.
Macie trigger: any question mentioning "PII" or "sensitive data in S3" → it's Macie, every time.

GuardDuty finds it. Detective investigates it. Inspector prevents it.

⚠️ Common exam trap
GuardDuty detects suspicious behavior. Inspector scans for known vulnerabilities and CVEs.

Amazon Detective vs GuardDuty

	GuardDuty	Detective
Job	Detect threats	Investigate threats
When it runs	Continuously	After an alert
Output	Alerts and findings	Root cause analysis
Trigger word	"detect" "monitor" "suspicious activity"	"investigate" "root cause" "analyze findings"

GuardDuty DETECTS it
↓
Detective INVESTIGATES it

↓
Security Hub AGGREGATES it
↓
Inspector PREVENTED it (if you'd listened earlier)
↓
Macie found the exposed data that caused it

Monitoring & Observability Services

CloudTrail vs Config vs CloudWatch vs X-Ray

Service	Answers	Trigger words
CloudTrail	WHO did WHAT and WHEN — AWS API/account activity history	"audit" "API calls" "account activity" "who changed"
Config	WHAT changed — resource configuration history	"compliance" "drift" "configuration history" "resource changed"
CloudWatch	HOW systems are performing — metrics, logs, alarms, dashboards	"metrics" "alarms" "logs" "monitoring" "performance"
X-Ray	WHY is it slow/broken — end-to-end request tracing	"trace" "distributed app" "microservices" "debug" "root cause of latency"

☁️ CloudTrail vs Config — The Most Common Audit Mix-up

Service	Primary job
CloudTrail	Logs API calls and account activity
Config	Tracks resource configuration state over time

💡 Mental model
CloudTrail answers: "Who did something?"
Config answers: "What changed?"

⚠️ Common audit trap
CloudTrail logs API activity ("who did it"). Config tracks resource state/configuration over time ("what changed").

Load Balancer Types

Load Balancer	Layer	Use When
ALB	L7 (HTTP/HTTPS)	Path-based routing, host-based routing, WebSockets, microservices, Lambda targets
NLB	L4 (TCP/UDP/TLS)	Extreme performance, millions of requests/sec
Gateway LB	L3/L4	Virtual appliances (firewalls, inspection tools)

Exam trigger: "path-based routing" + "host-based routing" + "WebSockets" → ALB every time

🚧 ELB vs Auto Scaling — Different Jobs Entirely

Service	Main job
Elastic Load Balancer (ELB)	Distributes traffic across targets
EC2 Auto Scaling	Adds/removes EC2 instances based on demand

⚠️ Common troubleshooting clue
If instances behind an ELB are not receiving traffic, first check the ELB Health Checks. Unhealthy targets receive no traffic.

💡 Mental model
ELB spreads traffic across servers. Auto Scaling changes how many servers exist.

Messaging & Event Services

Service	Job	Trigger Words
EventBridge	Event bus, routes events between AWS services and SaaS apps	"event-driven" "decouple" "react to events in real-time" "serverless event bus"
SQS	Message queue, async decoupling between services	"queue" "decouple microservices" "async"
SNS	Pub/sub, fan-out notifications	"notify" "publish/subscribe" "SMS" "fan-out"
Kinesis	Real-time streaming data processing	"streaming" "real-time analytics" "IoT data" "clickstreams"
Step Functions	Serverless workflow orchestration between AWS services	"workflow" "orchestrate" "state machine" "coordinate multiple services"

Trick: "not Kafka" → EventBridge

All AWS Gateways — Organized by Job

"Connect my VPC to the internet"

Gateway	Does what	Key detail
Internet Gateway	Gives your VPC a door to the public internet	Attach to VPC — resources in public subnets can now send AND receive internet traffic
NAT Gateway	Lets private subnet resources reach internet without being reachable back	Lives in public subnet — private resources call out through it, internet cannot call in

Memory: Internet Gateway = two-way door. NAT Gateway = one-way cat flap.

"Connect my on-premises network to AWS"

Gateway	Does what	Key detail
Virtual Private Gateway	AWS end of a VPN tunnel	Attaches to your VPC — pairs with Customer Gateway on your side
Customer Gateway	AWS's record of YOUR on-premises VPN device	Not really an AWS device — it's AWS representing your router
Direct Connect Gateway	AWS end of a dedicated private physical line	No internet involved — physical cable from your data center to AWS

Memory: VPN = secure tunnel over public internet (fast to set up, cheaper).
Direct Connect = your own private highway to AWS (weeks to set up, expensive, reliable).
They always need TWO endpoints — one on each side.

"Connect multiple VPCs or networks together"

Gateway	Does what	Key detail
Transit Gateway	Central hub connecting many VPCs and on-premises networks	One connection per network instead of mesh of connections between every pair
VPC Peering	Direct connection between exactly two VPCs	Simpler than Transit Gateway but doesn't scale — need separate peering for every pair

Memory: Two VPCs talking = Peering. Many VPCs talking = Transit Gateway.

⚠️ Common exam trap
VPC Peering does not scale well because every VPC pair needs its own connection. Transit Gateway acts as a centralized hub.

"Completely different kind of gateway"

Gateway	Does what	Key detail
API Gateway	Create, publish, secure and manage APIs	Layer 7 — reads HTTP content, handles auth, throttling, versioning
Storage Gateway	Makes AWS storage look like local storage to on-premises systems	Virtual appliance in your data center — your servers think they're writing locally

Memory: API Gateway = manages your APIs. Storage Gateway = makes cloud storage feel local.

⚠️ Common exam trap
API Gateway exposes APIs to clients. AWS SDKs provide authenticated programmatic access TO AWS services from application code.

VPN Connection — How the pieces fit together

Memory trick: If it has "VPN" or "on-premises" in the question → Virtual Private Gateway + Customer Gateway pair

Memory trick: NAT = No Access inbound, Traffic outbound only

Hybrid / Edge Infrastructure Services

Service	Main Use
AWS Outposts	AWS-managed infrastructure on-premises
AWS Local Zones	Low-latency AWS infrastructure near major metro areas
AWS Wavelength	AWS compute inside telecom carrier 5G networks

📋 Exam trigger words
"same AWS APIs on-prem" → Outposts
"low-latency compute near city users" → Local Zones
"ultra-low-latency mobile / 5G apps" → Wavelength

AWS Service Scope: Global vs Regional vs Zonal

Scope	Examples
Global	IAM, Route 53, CloudFront, WAF, STS
Regional	S3, RDS, EFS, Lambda, SQS, SNS, AWS Batch
Zonal	EC2 instances, EBS volumes

The trick: EC2 feels regional but it's zonal — it lives in one AZ. EBS snapshots however are regional.

Route 53 can perform DNS failover routing to healthy endpoints using health checks.

CloudFront Edge Locations are globally distributed caching endpoints — not Regions or AZs.

That's the whole picture. Bookmark it, share it, argue with it in the comments.