"millisecond latency" + database
ElastiCache or DynamoDB DAX
"sub-millisecond"
ElastiCache
"burst traffic in seconds"
Lambda — never EC2 Auto Scaling
"real-time streaming"
Kinesis — never SQS
"low latency global users"
CloudFront CDN
"cheapest storage, rarely accessed"
S3 Glacier or S3 Glacier Deep Archive
"infrequent access + reproducible"
S3 One Zone-IA
"infrequent access + NOT reproducible"
S3 Standard-IA
"unpredictable access pattern" + S3
S3 Intelligent Tiering
"minimize cost at idle"
Aurora Serverless + Lambda + Fargate
"fault tolerant flexible workload"
EC2 Spot Instances
"long term commitment steady usage"
EC2 Reserved Instances or Savings Plans
"over-provisioning" + dynamic scaling
Target Tracking Scaling
"predictable traffic pattern"
Scheduled Scaling
"maintain a target metric CPU%"
Target Tracking Scaling
"variable steps based on breach size"
Step Scaling
"survive AZ failure need min X instances"
Set minimum to X per AZ multiplied by number of AZs
"scale Kubernetes pods"
Horizontal Pod Autoscaler — needs Metrics Server
"scale Kubernetes nodes fast"
Karpenter
"scale Kubernetes nodes standard"
Cluster Autoscaler
"spiky traffic low idle cost containerized"
ECS on Fargate + Aurora Serverless
"in-flight" or "in-transit"
SSL/TLS — rds.force_ssl + Root CA cert
"at rest AWS manages keys"
SSE-S3 or SSE-KMS
"at rest customer manages keys"
SSE-C or Client-Side Encryption
"at rest SQL Server RDS"
TDE (Transparent Data Encryption)
"tampered with" or "log integrity"
CloudTrail Log File Validation
"key rotation + audit key usage"
AWS KMS
"encrypt before sending to S3"
Client-Side Encryption with KMS key or master key
"compliance reports SOC PCI"
AWS Artifact
"SQL injection" or "XSS attacks"
AWS WAF — associate to ALB or CloudFront
"WAF across multiple accounts"
AWS Firewall Manager
"DDoS basic free automatic"
AWS Shield Standard
"DDoS advanced 24/7 support"
AWS Shield Advanced
"traffic flow inspection + filtering VPC"
AWS Network Firewall
"suspicious behavior" or "unauthorized access"
Amazon GuardDuty
"vulnerability scanning" or "CVEs"
Amazon Inspector
"sensitive data" or "PII discovery in S3"
Amazon Macie
"root cause after incident"
Amazon Detective
"decouple architecture"
SQS
"process once one consumer"
SQS
"fan out push to multiple consumers"
SNS
"ordered + replay + real-time"
Kinesis Data Streams
"event driven trigger on event"
Amazon EventBridge
"throttling errors buffer the load"
SQS queue in front of Lambda
"dedicated private connection consistent bandwidth"
AWS Direct Connect
"on-prem to AWS private connection over internet cheap"
AWS Site-to-Site VPN
"outbound only IPv6 private subnet"
Egress-Only Internet Gateway
"outbound only IPv4 private subnet"
NAT Gateway
"private access to AWS service no internet"
VPC Gateway Endpoint for S3 and DynamoDB — Interface Endpoint for others
"connect multiple VPCs centrally"
Transit Gateway
"latency-based routing across regions"
Route 53 Latency Routing Policy
"distribute traffic evenly across AZs"
Cross-Zone Load Balancing
"path-based routing /api/x"
ALB Listener Rules path conditions
"host-based routing by domain"
ALB Listener Rules host conditions
"layer 4 TCP extreme performance"
Network Load Balancer NLB
"shared file system Linux multiple EC2"
Amazon EFS
"shared file system Windows SMB"
FSx for Windows File Server
"HPC rendering high performance parallel FS"
FSx for Lustre Persistent type
"block storage single EC2"
Amazon EBS
"on-premises hybrid storage NFS or SMB to cloud"
Storage Gateway File Gateway
"on-premises block storage iSCSI"
Storage Gateway Volume Gateway
"on-premises tape backup replacement"
Storage Gateway Tape Gateway
"accelerate online data transfer to AWS"
AWS DataSync
"migrate large data offline petabytes"
AWS Snowball Edge
"managed SFTP FTP FTPS into S3 or EFS"
AWS Transfer Family
"protect S3 from accidental delete"
S3 Versioning + MFA Delete
"S3 high request rate performance"
Do nothing — S3 auto-scales since 2018
"large file upload S3 over 100MB"
S3 Multipart Upload API
"flexible schema NoSQL global scale"
Amazon DynamoDB
"DynamoDB read cache microsecond"
DynamoDB DAX
"relational complex SQL OLTP"
Amazon RDS
"analytics data warehouse OLAP"
Amazon Redshift
"query S3 data directly no loading"
Amazon Athena
"catalog S3 data discover schema" - Automatically scan S3 files and figure out what's in them
AWS Glue Crawler → Glue Data Catalog
"ETL transform data CSV to Parquet"
AWS Glue ETL Job
"visualize query results BI dashboard"
Amazon QuickSight
"in-memory cache speed up RDS reads"
ElastiCache Redis or Memcached
"Redis vs Memcached"
Redis = persistence + pub/sub. Memcached = simple multi-threaded
"graph database"
Amazon Neptune
"time series IoT data"
Amazon Timestream
"migrate database to AWS"
AWS Database Migration Service DMS
"multi-account data lake role-based access"
AWS Lake Formation
"query CloudTrail logs SQL directly no setup"
CloudTrail Lake
"per-process per-thread CPU memory RDS"
RDS Enhanced Monitoring
"Aurora WITH replica primary fails"
CNAME flips to replica promoted to primary in 30 seconds
"Aurora single instance NO replica fails"
Best-effort restart in same AZ — not guaranteed
"Aurora Serverless AZ fails"
Automatically recreates in different AZ
"temporary credentials cross-account"
AWS STS AssumeRole
"SSO workforce corporate directory"
IAM Identity Center + Active Directory Connector
"mobile web app user authentication"
Amazon Cognito User Pools
"EC2 needs to call other AWS services"
IAM Role on EC2 — never store access keys on instance
"multiple AWS accounts governance"
AWS Organizations + SCPs
"short-lived DB authentication token"
IAM DB Authentication + AWSAuthenticationPlugin
"KMS decrypt from Lambda"
"kms:Decrypt" on the Lambda execution role AND a KMS key policy that allows that role to use the key
"image content moderation AI"
Amazon Rekognition
"private Rekognition no public internet"
Interface VPC Endpoint for Rekognition
"API call logging audit"
AWS CloudTrail
"resource performance metrics alarms"
Amazon CloudWatch
"container metrics EKS ECS logs"
CloudWatch Container Insights
"EC2 instance metadata from inside instance"
http://169.254.169.254/latest/meta-data/