High-Level Overview of AWS Services – quizzardexampreparation.com

Identity Services

Root User of an AWS Account

Root User Privileges

The root user of an AWS account (essentially the account owner, not an IAM identity) should not be used for daily tasks, because it cannot be limited by permissions
- Create an administrative IAM user for regular admin activities
- Protect the root user with MFA and securely store its access keys
The root user is still required for certain key actions, and these may appear on exams
Primary privileges of the root user to remember:
- Modify account settings (account name, email, root password, access keys)
- Close or delete the AWS account
- Change or cancel the AWS Support Plan
- Register as a seller in the Reserved Instance Marketplace
  - This allows you to sell unused reserved instance capacity if you purchased a multi-year reservation but don’t need the full term
Additional/root-only tasks (good to know, not mandatory to memorize):
- Some billing-related controls
- Viewing certain tax invoices
- Restoring IAM user permissions
- Enabling MFA on S3 buckets
- Editing or removing S3 bucket policies with invalid VPC IDs or endpoints
- Signing up for AWS GovCloud

AWS IAM (Identity and Access Management) – CLF-C02

IAM Identities

Users (long-term credentials)
- Typically represents an individual who can log in to the AWS account.
Groups (containers for users)
- Simplifies management: assigning a policy to a group automatically applies it to all its members.
- Note: IAM groups cannot log in to the AWS account. Only users and roles can.
Roles (temporary credentials)
- Commonly used by AWS services (e.g., EC2, Lambda) to perform actions on resources on your behalf; the service assumes the role and the credentials automatically expire.
- Roles can also be used to provide federated access for external users (e.g., a user logging in via Facebook can assume a role to access AWS resources).

IAM Policies

Policy: JSON document that specifies permissions (allow or deny access to AWS services and resources).
Identity-based policies: Attached to IAM identities (users, groups, or roles).
Resource-based policies: Directly attached to a resource to control which identities can access it.
- Example: An S3 bucket policy allowing access only from specific IP ranges.

IAM Security Best Practices

Use root user only for initial account setup (e.g., creating admin users) or closing the account. Avoid using it for everyday tasks.
Enforce strong passwords for IAM users.
Enable MFA (Multi-Factor Authentication) for added account security.
Apply the principle of least privilege: give only the permissions necessary to complete tasks.
Protect your credentials: never share IAM users or access keys.

IAM Audit Tools

IAM Credential Report (account-level)
- Lists all users in the account and the status of their credentials.
- Exported as CSV; useful to identify users who haven’t rotated passwords or keys recently.
IAM Access Advisor (user-level)
- Shows which services a user has permissions for and when they last accessed them.
- Useful for reviewing and adjusting user permissions.

Shared Responsibility Model for IAM

AWS responsibilities:
- Maintaining global infrastructure security
- Performing configuration and vulnerability assessments
- Ensuring compliance certifications are met
Customer responsibilities:
- Managing and monitoring IAM users, groups, roles, and policies
- Enforcing MFA for all accounts
- Rotating access keys regularly
- Using IAM tools to assign appropriate permissions
- Reviewing access patterns and adjusting permissions as needed

Other Identity Services

Advanced Identity Services

AWS STS (Security Token Service): provides temporary credentials with limited permissions
- Used whenever an entity assumes an IAM role (sts:assumeRole)
  - Roles can grant access within the same account or across accounts
  - Supports identity federation, allowing external identities (Google, Facebook, etc.) to assume roles and access AWS resources
  - Service roles allow AWS services to act on your behalf (e.g., a Lambda execution role permits a function to write logs to CloudWatch)
Amazon Cognito: user management for web and mobile apps
- IAM accounts have a hard limit of 5000 users, so for apps with millions of users, Cognito is the scalable alternative
- Supports login via federated identities from social providers such as Google and Facebook
AWS Directory Service: connect an existing user directory to AWS
- Integrates with Microsoft Active Directory (AD), commonly used for Windows servers and centralized management of users, computers, printers, and file shares
- Supports other directories, such as SAMBA, or proxies for on-premises directories
IAM Identity Center: single sign-on for multiple AWS accounts and applications
- Formerly known as AWS Single Sign-On (AWS SSO)
- Supports SAML 2.0, EC2 Windows logins, and cloud business apps (e.g., Salesforce, Microsoft 365)
- Can use a built-in identity store or connect to third-party stores like AD, OneLogin, or Okta
- Enables centralized identity management across multiple accounts via AWS Organizations

Compute Services

Amazon EC2 (Elastic Compute Cloud) – CLF-C02

EC2 Instance – Key Concepts

Instance = Virtual Machine (VM) = Virtual Server (VS)
- Runs on a physical EC2 host
- Deployed inside a VPC subnet in a single Availability Zone (AZ)
- Provides full OS-level access
Configurations:
- Operating System: Linux, Windows, MacOS
- Instance type: general purpose, compute-optimized, memory-optimized, storage-optimized, GPU/accelerated
- Size: CPU + RAM
- Storage: local instance storage (temporary) or network-attached EBS (Elastic Block Store)
- User Data: bootstrap script that runs once when the instance launches
- Instance Role: IAM role granting temporary permissions for the instance to access other AWS resources
- ENI (Elastic Network Interface): manages instance network IPs
  - Security enforced via VPC Security Groups (firewall rules)

SSH Protocol

SSH allows secure command-line access to a remote Linux host (Shell CLI)
- Runs on TCP port 22
SSH keys enable login to EC2 instances for management
- Linux and MacOS can connect natively
- Older Windows versions may require PuTTY
Instance Connect: browser-based SSH connection
- No need to download keys
- Works automatically on Amazon Linux 2

EC2 Purchasing Options

Shared Host (default): instances share hardware with other customers
- On-Demand: pay-per-second, no discounts, ideal for short or variable workloads
- Spot Instances: use spare EC2 capacity at high discounts, interruptible workloads only
  - Not suitable for critical web servers or databases
- Reserved Instances: commit 1–3 years for discounted rates, for steady workloads
  - Convertible RIs allow changes to instance type, family, OS, or tenancy
- Capacity Reservations: reserve capacity in a specific AZ or region
  - Guarantees availability, but does not reduce costs
  - Zonal = specific AZ, higher priority; Regional = flexible AZ, lower priority
Dedicated Instances: hardware is shared among your instances only
- Provides extra security isolation
Dedicated Host: full control of a physical EC2 host
- Billed for the host, not individual instances
- Useful for server-bound licenses tied to sockets or cores

Savings Plans (1–3 years)

Commit to a specific amount of compute usage for a discount
Usage beyond the plan is billed at on-demand rates
Plans can cover EC2 only or multiple compute services (EC2, ECS, Lambda)

Shared Responsibility Model for EC2

AWS responsibilities:
- Physical infrastructure and network security
- Isolating instances on shared hardware
- Replacing faulty hardware
- Compliance management
Customer responsibilities:
- OS patching and software updates
- Installing software and utilities inside the instance
- Configuring Security Groups
- Assigning IAM roles to instances and managing IAM users
- Securing data stored on the instance

EC2 Resilience & Scaling: ELB & ASG

Infrastructure – Key Concepts

Resilience: a system’s ability to recover automatically from failures
- AZ-resilient: data replicated within an Availability Zone; can survive individual hardware failures
- Regionally-resilient: data replicated across a region; can survive an entire AZ failure
High Availability (HA): ensures maximum uptime by recovering quickly from failures
- May still have brief downtime, but far shorter than a standard system
- Related to resilience: resilience = ability to self-heal, HA = ability to self-heal quickly
Fault Tolerance (FT): system continues running without any downtime despite component failures
- Typically requires redundant hardware
- FT is more robust than HA
Scalability: ability to adjust resources to match demand
- Overprovisioning: too much capacity → wasted costs
- Underprovisioning: too little capacity → poor performance
- Goal: match resources to load automatically
- Vertical scaling (Scale UP/DOWN): increase/decrease server size
  - Simple, but costly and limited
- Horizontal scaling (Scale OUT/IN): add/remove identical servers
  - Ideal for distributed systems, requires stateless servers and auto-scaling setup
  - Supports HA and resilience
Elasticity: automatic scaling of resources based on load, optimizing cost and performance
Agility: ability to provision or terminate resources very quickly
- Supports experimentation
- Not the same as scalability
Right-sizing: selecting instance types and sizes that fit your workload efficiently
- Avoid overprovisioning; leverage cloud elasticity
- Important before migration and continuously after onboarding

Elastic Load Balancing (ELB)

Load Balancer (LB): distributes traffic across multiple backend EC2 instances
- Provides a single DNS endpoint instead of one per instance
- Can span multiple AZs → improves HA

Health checks: only route traffic to healthy instances
LB Types:
1. Classic (CLB): legacy, not recommended
2. Application (ALB): Layer 7, HTTP/HTTPS traffic
3. Network (NLB): Layer 4, TCP/UDP, very high performance
4. Gateway (GWLB): Layer 3, for network security traffic (GENEVE protocol)

EC2 Auto Scaling Groups (ASGs)

Purpose: provide horizontal scaling and resilience for EC2 workloads
- Automatically launches or terminates instances based on system load
- Replaces unhealthy instances automatically
Configuration parameters:
- MIN_CAPACITY, DESIRED_CAPACITY, MAX_CAPACITY
- ASG maintains the number of instances at DESIRED_CAPACITY
- Scaling policies: adjust DESIRED_CAPACITY automatically
  1. Manual Scaling
  2. Dynamic Scaling: Simple, Step, Target Tracking, Scheduled
  3. Predictive Scaling
Integration with ELB: set the ASG’s instances as targets in the ELB target group for load distribution

Other Compute Services

Serverless Compute

Serverless: run applications or code without managing servers
- AWS handles infrastructure setup, execution, and teardown automatically
- Reduces administrative overhead for developers
Developers focus on writing functions, not configuring servers
Pay-per-use model: you pay only for resources used during execution
- Ideal for intermittent or unpredictable workloads
Many AWS services are serverless or offer serverless modes

Typical Serverless Architecture

AWS Lambda: Function-as-a-Service (FaaS), short-lived, on-demand, scalable code execution
Amazon API Gateway (APIGW): expose APIs (REST or WebSocket) to invoke Lambda functions
Event-Driven Architecture (EDA): trigger actions in response to events (e.g., S3 uploads, CRON schedules)
- Common services: Lambda, APIGW, S3, EventBridge, DynamoDB
Examples:

Scheduled daily jobs (CRON)

Serverless thumbnail generation

Containerized Compute

Containers: package an application with its runtime environment
- Portable, lightweight, predictable behavior on any machine/OS
- Easier to scale than traditional VMs
Docker: popular container technology
- Can run many containers on an EC2 instance

AWS Container Services

ECS / Fargate / EKS / Batch lectures on Udemy
Amazon ECS (Elastic Container Service): runs Docker containers
- Can use EC2 instances or Fargate (serverless containers)
AWS Fargate: serverless container execution; no EC2 management
Amazon ECR (Elastic Container Registry): store Docker images with versioning
- Docker Hub equivalent in AWS
Amazon EKS (Elastic Kubernetes Service): deploy Kubernetes clusters
- K8s orchestrates containers on EC2 or Fargate
AWS Batch: execute batch jobs from Docker images
- Launches resources only during job execution, then shuts them down

Amazon Lightsail

Lightsail: simplified cloud platform for launching virtual servers, storage, DBs, and networking
- Designed for beginners or simple workloads
Pros:
- Easy to use
- Predictable, low pricing
Cons:
- Limited scalability (some HA available)
- Fewer AWS integrations compared to EC2/RDS

Storage Services

Amazon S3 (Simple Storage Service) – CLF-C02

Amazon S3 – Security

User-based access: controlled via IAM policies (allow/deny actions on S3)
Resource-based access:
- Bucket Policies: define which principals can access the bucket and which actions are allowed/denied
  - Supports cross-account and public (external) access
  - IAM Access Analyzer: helps optimize bucket policies and analyze access patterns
- Block Public Access: ON by default; overrides other settings to prevent public access
- Access Control Lists (ACLs): legacy, simple object/bucket-level permissions; avoid if possible
Encryption: protect S3 data from unauthorized access
- In-transit: enforce HTTPS (SSL/TLS)
- At-rest: client-side (CSE) or server-side (SSE) encryption

S3 Static Website Hosting

Can host static websites on S3
- Configure a root document (e.g., index.html)
- AWS provides a default URL based on bucket name
Content must be static (S3 objects only)
Security considerations:
- Disable Block Public Access to make the website accessible externally
- Bucket policy must allow public read; otherwise, 403 Forbidden

Additional S3 Features

Versioning:
- Keeps multiple versions of an object; updating does not overwrite
- Disabled by default
- Deleting creates a deletion marker, not actual deletion → prevents accidental loss
Replication:
- Asynchronous replication from one bucket to another (same-region or cross-region)
- Requires versioning enabled
Storage Classes: trade-offs between cost and access speed
1. Standard – default
2. Infrequent Access (IA) – cheaper storage, pay for access
3. One Zone-IA (1Z-IA) – cheaper, replicated in single AZ
4. Glacier – archival, very low cost, longer retrieval times
  - Instant, Flexible, Deep Archive
- Intelligent Tiering: automatically moves objects based on access patterns
- Lifecycle Policies: move objects to another storage class on a schedule, not usage

Shared Responsibility Model – S3

AWS responsibility:
- Global infrastructure security, durability, availability
- Can sustain simultaneous loss of data in two facilities
- Unlimited storage, encryption support, data separation, no access by AWS employees
- Configuration, vulnerability analysis, compliance validation
Customer responsibility:
- Bucket policies & public access settings
- Data encryption (at rest & in transit)
- Logging & monitoring access
- Versioning & replication setup
- Choosing S3 storage classes

Storage for Private Services (e.g. EC2)

Storing EC2 Data

EC2 instance data is stored in either:
- Instance Store: internal block storage in the EC2 host (ephemeral)
- Network-based storage: persistent external storage
  - Block storage: EBS volumes
  - File storage: EFS or FSx file systems
Every EC2 instance requires an attached boot/root volume
- Usually an EBS volume
- Contains data required for the OS to boot
- Additional storage volumes can be attached

EC2 Instance Store

High-performance hardware disk hosted on the same EC2 host
- Very fast: high IOPS, low latency
Ephemeral storage: data is lost if the instance stops or is terminated
Not all EC2 instance types support instance store volumes

Amazon Elastic Block Store (EBS)

Persistent block storage accessible over the network
- Like an external USB drive for your instance
Characteristics:
- Tied to a single AZ
- Instances can have 0+ EBS volumes (boot volume is typical)
- Usually attached to one instance at a time
- Slower than instance store due to network latency
- Persistence:
  - Boot volumes: usually deleted with instance termination
  - Other volumes: persist by default after instance termination
EBS Snapshots: backups of volumes stored in S3
- Can restore new volumes from snapshots
- Supports cross-AZ and cross-region restores

EC2 Amazon Machine Image (AMI)

AMI = static EC2 template with pre-configured OS, software, and data
Can launch multiple instances from the same AMI (cloning)
AMI Marketplace: vendors sell pre-built AMIs
EC2 Image Builder: automates building, testing, and distributing AMIs

Amazon Elastic File System (EFS)

Network file system for Linux EC2 instances (NFS protocol)
Can be attached to multiple instances in a region
- Shared file system across Linux instances
More expensive than EBS
EFS-Infrequent Access (EFS-IA): cost-optimized storage for infrequently accessed files

Amazon FSx

Provides networked file storage for specific use cases
Main FSx options:
- FSx for Windows: file system for Windows servers
- FSx for Lustre: high-performance Linux file system for HPC, big data, or ML workloads

Shared Responsibility Model – Private Storage

AWS responsibility:
- Infrastructure
- Data replication for EBS, EFS, FSx
- Replace faulty hardware
- Ensure AWS employees cannot access customer data
Customer responsibility:
- Backup/snapshot procedures
- Data encryption
- Managing data on volumes/drives
- Understanding risks of ephemeral storage (Instance Store)

Database & Data Services

Databases 101

Databases help organize stored data into a defined format, making it easier to search, retrieve, and analyze
- You can establish schemas, indexes, and relationships to structure the data
- Similar to turning unorganized notes into a well-structured document with sections, references, and navigation aids, which improves accessibility

Relational Databases = SQL Databases = RDBMS

Use structured tables with predefined schemas, consisting of rows (records) and columns (fields)
- Queries are performed using SQL (Structured Query Language)
Tables behave similarly to spreadsheets, where data can be linked across multiple tables

Relational database table structure (rows and columns with relationships)

Examples
- Open source: MySQL, PostgreSQL, MariaDB
- Commercial: Oracle SQL, Microsoft SQL Server
Two primary optimization approaches
- Row-oriented (OLTP – Online Transaction Processing)
  - Designed for frequent, real-time transactions
  - Examples: Amazon RDS, Amazon Aurora
- Column-oriented (OLAP – Online Analytical Processing)
  - Designed for large-scale analytics and reporting
  - Example: Amazon Redshift

Non-relational Databases = NoSQL Databases

Provide flexible data models without strict schemas
- Do not rely on standard SQL (though some support SQL-like query languages)
- Typically offer better scalability but may trade off some consistency
Examples
- Document databases (e.g., MongoDB)
  - Store data in formats like JSON

{
  "name": "Avatar",
  "year": 2009,
  "genre": "epic science fiction",
  "director": {
    "name": "James Cameron",
    "nationality": "Canada"
  }
}

Graph databases (e.g., Amazon Neptune)
Key-value databases (e.g., Amazon DynamoDB)

Example of a key-value table with primary key and attributes

Databases in AWS

You can install and run database software on virtual machines such as Amazon EC2
- However, this requires managing the infrastructure yourself, which increases administrative effort
Preferred approach: AWS managed database services
- Faster deployment and easier scaling
- Built-in high availability and backup capabilities
- Automatic updates and patching
- Integration with monitoring and other AWS tools
- Less direct control compared to self-managed solutions

AWS SQL Database Services

Amazon RDS (Relational Database Service)
- Row-based (OLTP), included in free tier options
- Runs inside your VPC with your chosen database engine
- Features
  - Read Replicas for distributing read workloads
  - Multi-AZ deployments for failover and high availability
Amazon Aurora
- AWS-developed relational database engine
- Higher performance than standard RDS engines, typically at higher cost
- Offers a serverless option for automatic scaling
Amazon Redshift
- Column-based (OLAP), built for analytics workloads
- Operates within a VPC using clusters
- Serverless mode available
AWS Database Migration Service
- Enables secure database migration with minimal downtime
- Supports migrations across different database engines
- Primarily designed for SQL-based migrations, with limited NoSQL support (e.g., DynamoDB as a target)

Shared Responsibility Model for RDS

AWS responsibilities
- Manage underlying infrastructure and restrict OS-level access
- Apply database and OS patches
- Maintain hardware reliability
Customer responsibilities
- Configure network access (ports, IPs, security groups)
- Manage database users and permissions
- Control public accessibility
- Configure encryption (in transit via SSL and at rest)

AWS NoSQL Database Services

Amazon ElastiCache
- In-memory data store to improve read performance
- Supports Redis and Memcached
Amazon DynamoDB
- Serverless, highly scalable, and low latency
- Includes DAX (DynamoDB Accelerator) for in-memory caching specific to DynamoDB
Amazon DocumentDB
- Managed database compatible with MongoDB
Amazon Neptune
- Designed for relationship-heavy datasets
- Common use cases include recommendation systems, fraud detection, and social platforms
Amazon Timestream
- Optimized for time-based data such as metrics, logs, and IoT telemetry
Amazon QLDB
- Ledger database with immutable and verifiable transaction records
- Being phased out (support ended July 31, 2025), but may still appear in exams
Amazon Managed Blockchain
- Supports decentralized networks using Hyperledger Fabric and Ethereum
- Enables transactions without a central authority

AWS Data Engineering & Data Analytics Services

Amazon EMR
- Managed big data platform using Hadoop and related tools
AWS Glue
- Serverless ETL (Extract, Transform, Load) service
- Includes a Data Catalog for metadata management
Amazon Athena
- Query data directly from S3 using SQL
- Uses schema-on-read (ELT approach)
- Charges based on data scanned per query
Amazon QuickSight
- Business intelligence tool for dashboards and reporting
- Integrates with multiple AWS data sources and uses machine learning for insights

Other Storage Services

AWS Snowball

AWS Snowball
- Physical devices provided by AWS to gather, process, and transport data outside traditional networks
- Designed to be secure, rugged, and portable for use in challenging environments
Use cases
1. Edge computing
  - “Edge” refers to locations with limited or no reliable internet access
    - Examples include transportation systems, remote industrial sites, or offshore operations
2. Offline data transfer
  - Used when moving large volumes of data over the network is impractical or too slow
  - Enables data migration into or out of AWS without relying on internet bandwidth

AWS Storage Gateway

AWS Storage Gateway
- Provides a hybrid storage solution, combining on-premises systems with cloud storage
- Acts as a connection layer between local infrastructure and AWS storage services such as Amazon S3
Common purposes
- Backup data from on-premises systems to AWS
- Expand storage capacity by integrating with cloud storage
Types of Storage Gateway
1. Volume Gateway → block storage integration between on-prem and AWS
2. Tape Gateway → replaces traditional backup tapes with virtual tapes stored in AWS
3. File Gateway → file-based access (e.g., NFS/SMB) backed by Amazon S3

Networking Services

Amazon VPC (Virtual Private Cloud) – CLF-C02

IP Addresses in AWS

IPv4 & IPv6 refresher from the Tech Fundamentals course: IP Address Space
When an AWS resource (like an EC2 instance) is launched in a VPC subnet:
- It is assigned a static Private IPv4 address automatically, usable internally within the subnet for routing.
  - Additional private IPv4 addresses can be assigned if needed.
  - Stopping and starting the instance does not change the private IPv4 addresses.
- It may receive a dynamic Public IPv4 address if launched in a public subnet.
  - Stopping and starting the instance will change this public address.
- It can be assigned an Elastic IP (EIP), which is a fixed public IPv4 address, if placed in a public subnet.
  - Stopping and restarting the instance does not affect the EIP.
- Multiple IPv6 addresses can be assigned and are globally routable.
  - Requires the subnet to have an IPv6 CIDR block configured.
Billing:
- All public IPv4 addresses incur charges ($0.005 per hour)
  - This includes Elastic IPs: if allocated but unused, you are still billed.
  - Free Tier covers 750 hours per month.
    - Equivalent to running one instance continuously for a month with a single public IPv4 or EIP.
- IPv6 addresses and private IPv4 addresses are free.

VPC Components

VPC subnet: a division of the VPC within a specific Availability Zone.
- AWS resources can be deployed in subnets depending on their access needs.
- Private subnet: no internet access by default.
- Public subnet: reachable from the internet.
- Route Table (RT): manages routing within the subnet and outbound traffic.
Internet Gateway (IGW): provides internet access for resources in public subnets.
Network Address Translation (NAT): enables resources in private subnets to access the internet.
- NAT instance: EC2-based, customer-managed solution.
- NAT Gateway (NATGW): AWS-managed service.
Firewalls: control inbound and outbound traffic.
- NACL (Network Access Control List): stateless, operates at the subnet level.
- Security Group (SG): stateful, operates at the instance or ENI level.
VPC Flow Logs: record network metadata (traffic summaries) without capturing packet contents.

Hybrid Networking Services and Products

VPC Peering: direct private connection between two VPCs with distinct IP ranges.
- Non-transitive: if VPC A peers with B and B peers with C, A cannot access C automatically.
VPC Endpoint (VPCE): allows private access to public AWS services from within the VPC.
- Supports Gateway Endpoints (GWEs) and Interface Endpoints (IEs).
AWS PrivateLink: establishes a private connection to services in third-party VPCs.
- Powers VPC interface endpoints (IEs).
AWS Site-to-Site VPN: encrypted VPN over the public internet connecting on-premises networks with AWS.
AWS Client VPN: OpenVPN-based connection from a device to a VPC over the internet.
AWS Direct Connect (DX): dedicated private link (physical connection) between on-premises networks and AWS.
- Provides high speed but installation usually takes several weeks.
VPC Transit Gateway (TGW): connects multiple VPCs and on-premises networks.
- Transitive and scalable, simplifying complex network topologies.

AWS Global Infrastructure Services

Global Applications

Global application: an application deployed across multiple geographic locations.
- Example: deploying an application across several AWS regions or edge locations.
- Refresher: AWS Global Infrastructure
Benefits:
- Lower latency
  - Users connecting to infrastructure closer to them experience faster response times.
  - Deploying infrastructure in multiple locations increases the likelihood of proximity to users.
- Resilience and Disaster Recovery (DR)
  - If one region experiences downtime, other regions continue operating, keeping the app available.
  - Global distribution also reduces the risk from targeted attacks.
Challenges:
- Higher costs
  - More infrastructure locations result in higher expenses.
- Complex management
  - Requires configuring global services, data replication, redundancy, and failover procedures.
In general, making an application global is worthwhile when improved performance is needed or user numbers grow significantly.

App deployment in AWS	High Availability?	Low latency globally for reads?	Low latency globally for writes?
Single-region, single-AZ	No	No	No
Single-region, multi-AZ	Yes	No	No
Multi-region, Active-Passive	Yes	Yes	No
Multi-region, Active-Active	Yes	Yes	Yes

Amazon Route 53

Global DNS service
- Refresher: Amazon R53 (Route 53) 101
Allows routing users to different infrastructure endpoints based on DNS queries:
- Useful for directing users to the nearest infrastructure (reduces latency)
- Supports Disaster Recovery by routing to alternate resources if the primary is unavailable.
Route 53 routing policies:
- Simple Routing: always routes to a single resource, no health checks.
- Failover Routing: monitors primary resource health; routes to secondary if primary fails.
- Weighted Routing: distributes traffic proportionally across multiple resources.
  - Example: 70% to server A, 20% to B, 10% to C.
- Latency Routing: routes users to the resource with the lowest latency.

Services Leveraging AWS Global Network

Amazon CloudFront (CF): AWS global content delivery network (CDN)
- Caches content at edge locations.
- Improves read performance, reduces latency, and enhances user experience.
S3 Transfer Acceleration: accelerates S3 uploads and downloads via AWS global network.
- Client → edge location → AWS global network → S3
- Reduces dependence on the public internet and improves global transfer speed.
AWS Global Accelerator: directs client traffic through AWS global network to app infrastructure.
- Client → edge location → AWS global network → AWS-hosted application
- Enhances app availability and performance over TCP/UDP.
- Unlike CloudFront, it does not cache content.

Edge Deployments of AWS Infrastructure

AWS Outposts: on-premises extension of AWS services.
- Deploy racks in your data center to run AWS services locally (EC2, RDS, S3, etc.).
- Uses the same APIs and tools as public AWS, enabling hybrid deployments.
- Benefits: low latency, local data storage, smoother migration between cloud and on-prem.
- Responsibility: customer manages physical security (power, cooling, etc.).
- Businesses using both Outposts and public AWS infrastructure operate a hybrid cloud model.
AWS Local Zones: bring AWS services closer to users in specific metro areas.
- Deploy compute, database, and storage resources near end-users.
- Suitable for latency-sensitive applications far from main AWS AZs.
- Users do not own or manage the local data center.
- Example: us-east-1 has multiple AZs plus Local Zones in Boston, Chicago, Miami.
AWS Wavelength: deploy AWS resources within 5G networks.
- Designed for ultra-low latency applications leveraging mobile 5G networks.
- Operates within infrastructure owned by telecom or communication service providers.

Other AWS Services

IaC & Deployment Services

Infrastructure as Code (IaC) Services

AWS CloudFormation (CFN): AWS-native IaC service using JSON or YAML templates.
- Refresher: AWS CloudFormation (CFN) 101
- AWS Infrastructure Composer: visual tool to design and generate CFN templates.
AWS Cloud Development Kit (CDK): define AWS infrastructure programmatically.
- Use popular programming languages such as Python, JavaScript/TypeScript, Java, or .NET to define cloud resources.
- Code is converted into a CloudFormation template for deployment.

AWS Elastic Beanstalk (EB)

Platform-as-a-Service (PaaS) designed for developers.
- Deploy applications without directly managing underlying infrastructure.
- EB provisions and manages AWS resources like EC2 instances, Auto Scaling Groups, Application Load Balancers, and RDS databases.
Supports multiple programming languages and Docker images.
- Applications follow a standard architecture, e.g., 3-tier web app (ALB + EC2 + RDS).
EB handles:
- Instance OS configuration
- Deployment strategies
- Scaling and capacity provisioning
- Load balancing
- Application health monitoring

AWS Systems Manager (SSM)

Scale management of systems across cloud and on-premises.
- Supports EC2 instances and on-premises servers (hybrid environment).
- Works with Linux, Windows, MacOS, and Raspberry Pi OS.
To use SSM Fleet Manager, the SSM Agent must be installed on the system.
- Pre-installed on Amazon Linux AMI and some Ubuntu AMIs.
Key SSM features:
- Automate updates and patching for compliance
- Run commands across multiple servers
- Session Manager: remote terminal access without SSH or open ports
  - Provides enhanced security and audit logging to S3 or CloudWatch
- Parameter Store: store configuration values and secrets (environment variables, credentials)

**AWS Code* Services**

AWS CodeCommit: Git repository for source code (version control)
- Discontinued; AWS recommends using GitHub, GitLab, or Bitbucket.
- Version control enables collaboration and tracks code changes.
AWS CodeBuild: build and test code within AWS, producing deployable artifacts.
AWS CodeDeploy: deploy and update applications on EC2 instances or on-premises servers.
AWS CodePipeline: orchestrates CI/CD pipelines.
- Integrates code repositories (CI) with CodeBuild and CodeDeploy (CD) to automate deployment.
- Example: automatically update Elastic Beanstalk environments when code changes are pushed to production.

AWS CodeArtifact: repository for software packages and dependencies.
- Stores and retrieves libraries for development projects.
- Compatible with dependency management tools like Maven, Gradle, npm, yarn, and pip.

Decoupling App-Integration Services

Application Integrations and Communication Patterns

Application integrations describe how two or more applications exchange data or interact.
Common communication patterns:
- Synchronous communication: sender waits for a response or acknowledgment from the receiver.
- Asynchronous communication: sender sends data and continues without waiting; acknowledgments happen separately if needed.
- Event-driven architecture (EDA): events trigger actions in applications; applications are loosely coupled and react to events independently.
Decoupling applications: converting synchronous interactions into asynchronous ones.
- Applications operate independently without waiting for each other.
- Allows apps to scale independently and handle failures in isolation.
- Decoupling is often implemented using messaging services like queues and topics.

AWS Application Messaging Services

Amazon SQS (Simple Queue Service)

Managed message queue service (serverless).
Queue: one-to-one communication.
- FIFO queue: preserves order, prevents duplicates, limited throughput.
- Standard queue: best-effort ordering, may contain duplicates, highly scalable.

Producers send messages to the queue.
- Producers don’t need to wait for consumers → asynchronous communication.
- Messages can persist in the queue for up to 14 days.
Consumers read and process messages.
- Once a message is consumed, it is removed from the queue.

Amazon SNS (Simple Notification Service)

Managed topic-based messaging service (serverless).
Topic: one-to-many communication (Pub/Sub pattern).
- Unlike queues, messages are not retained.

A publisher sends a message to the topic.
The topic forwards messages to one or more subscribers.
- Subscribers can include Email, Lambda, SQS, HTTP endpoints, or mobile devices.
Example: an EC2 instance termination generates an event; SNS can trigger notifications via email, SMS, or Lambda functions.

Amazon MQ

Managed message broker service for Apache ActiveMQ and RabbitMQ.
- Not serverless; it runs dedicated message broker servers.
- Supports queues and topics.
Compatible with open messaging protocols like MQTT and AMQP.

Amazon Kinesis

Real-time streaming service for big data ingestion, storage, and processing.
- Stream: time-ordered sequence of data with a retention window (default 24 hours).
Components:
- Kinesis Data Streams: ingest large volumes of streaming data for processing.
- Kinesis Video Streams: ingest video or video-like data streams.
- Kinesis Data Firehose: previously part of Kinesis, now a separate service; loads streaming data into storage services like S3 or Redshift.
- Kinesis Analytics: previously part of Kinesis, now Amazon Managed Service for Apache Flink; used for real-time stream processing and enrichment.

Cloud Monitoring Services

Amazon CloudWatch (CW)

AWS’s default monitoring and alerting service for metrics, logs, alarms, and events.
- Refresher: Amazon CloudWatch (CW) 101
Key components:
- CloudWatch Logs: collect log data from multiple sources.
  - Examples: EC2 instances, on-premises servers, Lambda functions, ECS tasks.
- CloudWatch Metrics: monitor performance and billing metrics for AWS resources.
  - Examples: CPUUtilization, NetworkIn, NumberOfObjects.
- CloudWatch Alarms: trigger notifications or actions when metrics cross thresholds.
  - Can invoke EC2 Auto Scaling, SNS notifications, or Lambda functions.
  - Example: set a billing alarm to alert when costs exceed a limit.
- CloudWatch Events: previously used for reacting to events or scheduling actions.
  - Amazon EventBridge has now replaced CW Events, offering more advanced features, such as aggregating events from multiple AWS accounts.

Additional Monitoring and Observability Services

AWS CloudTrail (CT): records API calls in your AWS account.
- Useful for auditing who did what and when.
- CloudTrail Insights: automatically analyzes events to detect unusual activity.
AWS X-Ray: traces requests across distributed applications.
- Provides visibility into infrastructure and insights into application performance.
Amazon CodeGuru: uses machine learning to optimize code and performance.
- CodeGuru Reviewer: performs automated code reviews (static analysis).
- CodeGuru Profiler: provides recommendations for improving app performance before or after deployment.
AWS Health Dashboard: monitors the status of AWS services and allows subscription to RSS notifications.
- Service Health: shows historical status of all AWS services across regions (e.g., outages).
- Your Account: tracks AWS events that specifically affect your resources (e.g., maintenance schedules).

Security & Compliance Services

Network Protection Services

AWS Shield: provides automatic protection against Distributed Denial-of-Service (DDoS) attacks.
- Shield Advanced adds premium 24/7 support and additional features.
AWS WAF (Web Application Firewall): filters incoming traffic at the application layer (Layer 7).
- Protects against common web exploits such as SQL injection and XSS attacks.
AWS Network Firewall: secures an entire VPC from network-level threats.
- Resource-level protection is handled by Security Groups (SG), subnet-level by NACLs, and VPC-level by Network Firewall.
AWS Firewall Manager: centrally manage security rules across multiple AWS accounts.
- Applies rules for SGs, WAF, and Shield across accounts in an AWS Organization.
- Rules automatically apply to new and existing resources, as well as to new accounts.

Penetration Testing in AWS

Penetration testing: intentionally testing your own systems to identify security weaknesses.
AWS permits penetration testing on specific services without prior approval:
- EC2, NAT Gateways, ELB, RDS, CloudFormation, Aurora, API Gateway, Lambda, Lightsail, Elastic Beanstalk.
AWS prohibits certain tests that could affect AWS infrastructure:
- DNS zone walking via Route 53 hosted zones.
- DoS, DDoS, or simulated DoS/DDoS attacks (including port, protocol, or request flooding).
For other simulated security events, contact aws-security-simulatedevent@amazon.com.

Encryption Services

AWS KMS (Key Management Service): manage encryption keys for data at rest.
- Default service used by many AWS resources.
- Keys can be customer-managed or AWS-managed.
AWS CloudHSM: dedicated hardware to store encryption keys; AWS does not manage keys.
- HSM = Hardware Security Module; provides a higher level of security than KMS.
AWS Certificate Manager (ACM): create and manage SSL/TLS certificates.
- Encrypts data in transit (e.g., HTTPS, FTPS, SMTPS).
AWS Secrets Manager: store and manage sensitive application secrets (e.g., database passwords).
- Supports automatic secret rotation and cross-region replication.

Threat Detection and Vulnerability Services

Amazon GuardDuty: machine learning-based threat detection for your AWS account.
- Detects suspicious activity in VPC, DNS, and CloudTrail logs.
Amazon Inspector: scans compute resources for software vulnerabilities (EC2, ECR images, Lambda).
Amazon Macie: identifies sensitive data, such as PII, in S3 buckets.
Amazon Detective: helps trace root causes of security issues or anomalies.
- Integrates findings from GuardDuty, Macie, and other sources.
IAM Access Analyzer: identifies resources shared outside trusted zones.
- Generates findings for S3 buckets, IAM roles, KMS keys, etc., helping refine access policies.

Compliance and Audit Services

AWS Artifact: portal to access compliance reports and agreements (PCI, ISO, HIPAA, etc.).
AWS Config: tracks configuration changes and ensures compliance against rules.
AWS CloudTrail: records API activity in your AWS account for auditing.
AWS Security Hub: centralizes security findings from multiple accounts.
- Aggregates results from Config, Macie, GuardDuty, and others.
AWS Abuse: report resources used for abusive or illegal activity (spam, DDoS, malware, copyright violations).
- Contact via form: https://support.aws.amazon.com/#/contacts/report-abuse
- Email: abuse@amazonaws.com

Migration Services

Cloud Migration Strategies: The 7 Rs

Retire: shut down resources that are no longer needed.
- Reduces costs, minimizes maintenance, and decreases potential attack surfaces.
Retain: leave certain workloads on-premises or in their current environment.
- Security, compliance, or performance requirements may prevent migration.
- If migrating offers no clear business value, it may be better to keep it as-is.
Relocate: move workloads “as-is” from on-premises to cloud, or between cloud environments.
- Examples: move EC2 instances to a different VPC, region, or account.
- Transfer servers from VMware on-prem to VMware Cloud on AWS.
Rehost (“Lift and shift”): move workloads to AWS without altering architecture.
- Quick migration with minimal changes.
- Tools: AWS Application Migration Service (MGN).
Replatform (“Lift and reshape”): keep core architecture but implement some cloud optimizations.
- Examples: migrate on-prem SQL databases to RDS, or apps to Elastic Beanstalk.
- Benefits: managed services, serverless components, and performance enhancements.
Repurchase (“Drop and Shop”): switch to a new product or SaaS solution during migration.
- Short-term costs may be higher, but deployment is faster.
- Examples: migrate on-prem CMS to Drupal, on-prem CRM to Salesforce.
Refactor (“Re-architect”): redesign apps to fully leverage cloud-native features.
- Benefits: scalability, performance, agility, security.
- Drawbacks: high cost, long timelines, significant engineering effort.
- Examples: break a monolith into microservices, move apps to serverless, store media in S3.

AWS Migration Services

AWS Application Discovery Service: collects inventory and dependency data from on-premises environments.
- Provides insights for planning migrations.
- Supports agentless and agent-based discovery.
AWS Migration Evaluator: creates a data-driven business case for migration.
- Assesses current state, defines target cloud architecture, and builds a migration plan.
- Agentless collector captures on-prem infrastructure, dependencies, and utilization to create a baseline.
AWS Application Migration Service (MGN): lift-and-shift solution for migrating apps to AWS.
- Formerly CloudEndure Migration; replaces AWS Server Migration Service (SMS).
- Installs Replication Agent on on-prem servers to continuously replicate to AWS staging, then cutover for production.
AWS DataSync: automates data movement between on-prem and AWS.
- Supports online migrations.
- Can maintain incremental synchronization after the initial full data load.
AWS Database Migration Service (DMS): migrate databases to/from AWS.
- Primarily for SQL databases; DynamoDB supported as a target for NoSQL.
AWS Migration Hub: central dashboard to monitor and manage migrations.
- Aggregates inventory and migration status from services like MGN and DMS.
- Migration Hub Orchestrator provides reusable migration templates for lift-and-shift projects.

Machine Learning (ML/AI) Services

AI & Machine Learning (ML) 101

Quick intro to AI and ML: AI 101
To go deeper, the AWS AIF-C01 certification covers AI/ML basics, buzzwords, and AWS-specific applications.
For the Cloud Practitioner (CLF-C02) exam, just a high-level understanding of AWS-managed AI services is sufficient.

AWS-managed AI Services

Amazon Rekognition: detect objects, scenes, and faces in images/videos.
- Examples: face recognition, labeling objects, celebrity detection.
Amazon Comprehend: Natural Language Processing (NLP).
- Examples: extract names from text, analyze sentiment (happy, sad, neutral).
Amazon Textract: extract structured text and data from documents.
- Example: read totals and VAT from scanned receipts automatically.
Amazon Transcribe: convert speech to text (ASR).
- Example: captions, transcribing phone calls.
Amazon Polly: convert text into natural-sounding speech (Text-to-Speech).
Amazon Translate: translate text between languages.
Amazon Kendra: intelligent, ML-powered search engine.
- Example: find related keywords or concepts across documents.
Amazon Lex: build chatbots that understand user intent and perform actions.
- Not the same as generative AI/LLM chatbots. Works like Alexa or customer service bots.
Amazon Connect: cloud-based contact center platform.
Amazon Personalize: real-time personalized recommendations.
- Example: powering Amazon.com product suggestions.
Amazon SageMaker: end-to-end platform for custom ML models.
- Collect data, train models, deploy to production.
- Main focus of MLA-C01 and MLS-C01 certifications.
Amazon Bedrock: marketplace for Foundation Models (FMs) for generative AI.
- Focus of AIF-C01 certification for cloud AI/ML concepts.

Billing & Support Services

General Overview of AWS Cloud Costs

Pricing Models in AWS

Pay-as-you-go / Pay-per-use: pay for only what you use.
- Advantages: flexible, scalable, meet demand changes quickly.
- Default model unless specified otherwise.
Reserved Capacity: reserve resources in advance to get discounts.
- Advantages: predictable budgeting, compliance with long-term requirements.
- Less flexible: unused reserved capacity may be wasted.
- Available for: EC2, DynamoDB, ElastiCache, RDS, Redshift.
Volume-based discounts: pay less when using more resources.
- Example: multiple accounts in an AWS Organization.
Economies of scale: as AWS grows, they can pass cost savings to customers.

Free Tier and Trials

12-month Free Tier:AWS Free Tier
- Example: run a t2.micro EC2 instance or initial S3 GET requests free.
- Can potentially use free tier indefinitely by rotating accounts.
Free trials: certain services for 1 month.
Always free services: IAM, VPC, some resource provisioning may incur costs (e.g., CloudFormation stacks, Elastic Beanstalk, Auto Scaling).

Compute, Storage & Network Pricing

AWS Cloud Pricing Model overview: What is AWS?
Tip: Search “<AWS_SERVICE> pricing” for official AWS pricing docs. Useful for quick cost evaluation.

Billing and Cost Management Tools

Tracking Costs

AWS Billing and Cost Management Dashboard: overview of costs and Free Tier usage.
AWS Resource Groups: group resources for easy search and tracking.
- Tags: aws: (auto-generated) or user: (user-defined).
- Cost Allocation Tags: track costs by resource.
AWS Cost and Usage Reports: detailed CSV reports, can integrate with Athena, Redshift, QuickSight.
AWS Cost Explorer: visualize and forecast usage and costs (up to 12 months).

Optimizing Costs

AWS Savings Plans: commit to long-term usage of compute for discounts.
1. EC2 Savings Plan – specific EC2 family in a region.
2. Compute Savings Plan – EC2, Fargate, Lambda flexibility.
3. Machine Learning Savings Plan – SageMaker instances.
AWS Compute Optimizer: ML-powered recommendations for optimal compute usage.
AWS Trusted Advisor: analyzes account for cost optimization, security, performance.

Estimating, Planning, and Monitoring Costs

AWS Pricing Calculator: estimate architecture costs: calculator.aws
CloudWatch Billing Alarm: alerts when actual costs exceed threshold.
AWS Budgets: track costs/usage and trigger alarms. Types: Usage, Cost, Reservation, Savings Plans.
AWS Cost Anomaly Detection: ML detects unusual costs/usage.
AWS Service Quotas: monitor service limits to avoid throttling or high costs.

AWS Support Plans

Ordered from cheapest to most expensive:

Basic (Free)
- 24/7 Customer Service & Community access
- 7 core Trusted Advisor checks
- Personal Health Dashboard access
Developer
- Everything in Basic
- Business-hours email support
- Response: General <24h, System impaired <12h
Business
- Everything in Developer
- Full Trusted Advisor checks + API access
- 24/7 phone, chat, email support
- Production response: impaired <4h, down <1h
- Infrastructure Event Management (additional fee)
Enterprise On-Ramp
- Everything in Business
- Technical Account Managers (TAMs)
- Concierge Support (billing & best practices)
- Event Management, Well-Architected & Operations Reviews
- Business-critical system down: <30 minutes
Enterprise
- Mission-critical workloads
- Everything in Business
- Dedicated TAMs, Concierge Team, Event Management
- AWS Incident Detection & Response (additional fee)
- Business-critical system down: <15 minutes

Account Management Services

AWS Accounts – Best Practices

Use AWS CloudFormation (CFN) to deploy stacks across accounts and regions consistently and reliably.

Security

Follow IAM guidelines: enforce MFA, least-privilege principle, strong password policies, and password rotation.
Send service and access logs to CloudWatch Logs or S3.
Enable AWS CloudTrail to record API calls made within the account.
Use AWS Config to track resource configurations and compliance over time.
If an account is compromised: change the root user password, rotate or delete all keys, and contact AWS support.

Billing

Use Tags and Cost Allocation Tags for tracking and cost management.
Apply these practices to both single accounts and multi-account organizations.

Multi-Account Management in AWS

Multi-Account Strategies

Separate accounts by department (e.g., dev, sales, HR) or cost center.
Separate accounts by environment (DEV/TEST/PROD).
Separate accounts for regulatory compliance (via Service Control Policies, SCPs).
Separate accounts for resource isolation beyond VPC boundaries.
Separate accounts for centralized functionalities (e.g., identity, monitoring, logging).
Separate accounts to manage per-account service limits.

AWS Organizations

Service for multi-account management: master account + member accounts.

Cost Benefits

Consolidated Billing: one bill, single payment method; master account pays for all.
Volume discounts: aggregated usage across accounts.
Pooling Reserved EC2 instances: cost-effective.

Management

Automate AWS account creation via API.
Organize accounts into Organizational Units (OUs).
Control privileges with Service Control Policies (SCPs):
- SCPs are JSON policies applied at the OU or account level.
- SCPs restrict member accounts but cannot restrict the master account.
- Root users of member accounts are also restricted by SCPs.
- Access requires both account policies and applicable SCPs to allow it.

Best Practices

Many single-account best practices apply to multi-account setups.
Use tagging standards for billing and cost tracking.
Enable CloudTrail on all accounts and centralize logs to a single S3 account.
Send CloudWatch Logs to a central logging account.

Other Account Management Services

AWS RAM (Resource Access Manager): manage cross-account resource sharing to avoid duplication (e.g., DBs, VPC subnets, TGWs, EC2 dedicated hosts).
AWS Service Catalog: self-service portal for authorized resources.
- Admins pre-define CloudFormation stacks.
- Users can only launch stacks they have IAM permissions for.
AWS Control Tower: simplifies setup, orchestration, and governance of multi-account environments.
- Ensures accounts follow best practices.
- Integrates AWS Organizations, Service Catalog, IAM, and other services.

Disaster Recovery (DR) Services

Disaster Recovery (DR) and Business Continuity (BC)

Active/Passive DR Strategy

One site is active (handling traffic), the other is passive (standby).
Passive site is activated only if the active site fails.

Active/Active DR Strategy

Multiple sites are active simultaneously, sharing traffic load.
If one site fails, traffic is rerouted automatically to the other active sites.

The Four DR Strategies in AWS Cloud

Trade-off: cost vs. speed of recovery.

From cheapest/slowest to most expensive/fastest:

Backup and Restore: store snapshots/backups; restore after a disaster.
Pilot Light: core application functions ready; minimal resources running.
Warm Standby: full application deployed at reduced capacity, ready to scale.
Multi-Site/Hot-Site: full application running at full capacity; can handle production traffic immediately.

DR Services

AWS Backup: centralized management and automation of backups across AWS services.
- On-demand or scheduled backups.
- Supports point-in-time recovery (PITR).
- Supports cross-region and cross-account backups via AWS Organizations.
AWS Elastic Disaster Recovery (DRS): recover physical, virtual, and cloud servers quickly into AWS.
- Formerly CloudEndure Disaster Recovery.
- Continuous block-level replication of servers.

More Services

Media, Mobile & Webapp Support Services

Amazon WorkSpaces (Desktop-as-a-Service / DaaS): provision Windows/Linux desktops.
- Spins up an instance that hosts an OS desktop (accessible like a laptop). Deploy close to users for better performance and lower latency.
- Eliminates management of on-premises VDI (Virtual Desktop Infrastructure).
Amazon AppStream 2.0: application streaming service that loads desktop apps in a web browser.
- Does not require a VDI.
- Example: stream Blender, Paint, or other desktop apps directly in a browser.

AWS IoT Core: connects IoT devices to AWS cloud and handles trillions of messages.
- IoT = Internet of Things (e.g., cars, smart doors, AC, TVs).
Amazon Elastic Transcoder: converts media files stored in S3 into other formats.
AWS AppSync: serverless GraphQL APIs for storing and syncing data across mobile and web apps in real time.
AWS Amplify: develop and deploy scalable full-stack web and mobile applications.
- Automatically provisions infra for authentication, storage, APIs (REST or GraphQL), CI/CD, Pub/Sub, analytics, AI/ML, monitoring.
AWS Device Farm: test web and mobile apps on real AWS-managed devices (not emulators).

Other AWS Services

AWS Infrastructure Composer: visually design and build AWS infrastructure.
- Builds infra in a GUI and auto-generates CloudFormation templates.
- Can visualize existing CFN/SAM templates.
AWS Fault Injection Simulator (FIS): run fully-managed fault injection experiments on AWS workloads.
- Chaos engineering tool to stress infra and uncover bugs or bottlenecks.
AWS Step Functions: serverless state machines to orchestrate workflows across AWS services.
- Supports human input and Lambda triggers for complex workflows (e.g., order processing, data pipelines).
AWS Ground Station: manage satellite communications and operations.
- Provides fast satellite data downloads to AWS for use cases like weather forecasting or broadcasting.
Amazon Simple Email Service (SES): automate email sending.
Amazon Pinpoint: scalable 2-way marketing communications.
- Supports email, SMS, push, voice, in-app messaging.
- Can run bulk campaigns, track delivery, and handle responses.
AWS OpsWorks: configuration management with Chef and Puppet.
- Automates server configuration and deployment across EC2 or on-premises.
- Discontinued service.
AWS Customer Carbon Footprint Tool: track and forecast carbon emissions from AWS usage to meet sustainability goals.

Final Note: Services not covered in your study notes are likely exam distractors. There are over 200 AWS services, so focus on the commonly tested ones.