CloudWatch Agent
collects detailed system metrics and logs from EC2, ECS, and EKS nodes for CloudWatch.
CloudWatch Composite Alarms
combine multiple alarms into a single evaluation to reduce alert noise.
CloudWatch Dashboards
customizable metric dashboards shared across accounts and Regions.
CloudWatch Metric Filters
extract structured data from CloudWatch Logs to create actionable metrics.
CloudTrail Event History
records API calls for auditing and troubleshooting access issues.
CloudTrail Organization Trails
central logging of API activity across all accounts for compliance.
CloudTrail Lake
queryable event storage that allows SQL-style analysis of audit logs.
EventBridge Event Buses
routes and transforms events between AWS services and custom applications.
EventBridge Rules
filter events and trigger targets like Lambda, SQS, SNS, or SSM Automation.
EventBridge Pipes
connects event sources like SQS or Kinesis directly to targets with filtering and enrichment.
SNS Topics
broadcast system alarms or operational alerts to email, SMS, or subscribers.
SSM Automation Runbooks
predefined or custom actions that automate remediation and operational workflows.
SSM Documents
configuration templates used for patching, commands, and automation flows.
SSM Parameter Store Advanced Parameters
store encrypted configuration data with versioning and TTL.
SSM Session Manager
allows shell access to EC2 instances without SSH or inbound ports.
SSM Patch Manager
automates OS patching across EC2 fleets based on patch baselines.
Compute Optimizer
recommends compute, EBS, and Lambda right-sizing based on performance telemetry.
Trusted Advisor Security Checks
automated findings related to IAM, S3, EC2, and account configuration.
Security Hub
aggregates and normalizes findings from GuardDuty, Inspector, Macie, and Config rules.
GuardDuty
detects threat activity like compromised instances, anomalous API calls, or malicious DNS queries.
Inspector EC2 Scanning
analyzes EC2 instances for vulnerabilities, network exposure, and CIS hardening gaps.
IAM Identity Center
central management of SSO access to AWS accounts with permission sets.
IAM Access Analyzer
identifies unintended external access to S3, IAM roles, KMS keys, and more.
KMS Key Policies
core permission documents that control who can administer or use encryption keys.
KMS Key Rotation
automated yearly rotation for symmetric keys to meet compliance expectations.
ACM Certificate Validation
DNS or email-based verification for issuing TLS certificates.
Secrets Manager Automatic Rotation
rotates credentials using Lambda-based rotation logic.
AWS Config Rules
evaluate resource configurations for compliance and trigger remediation.
AWS Config Conformance Packs
grouped rules that enforce company-wide compliance standards.
AWS Backup Plans
define schedules and lifecycle rules for backups of EC2, RDS, EFS, DynamoDB, and more.
AWS Backup Vault Lock
enforces write-once, read-many controls to prevent accidental or malicious deletion.
EBS Volume Types (gp3/io2/io2 Block Express)
performance-optimized storage tiers with different IOPS and throughput.
EBS Snapshots
point-in-time backups stored incrementally in S3 for restoration or replication.
EBS Fast Snapshot Restore
pre-warms snapshots so new volumes launch with full performance instantly.
EFS Lifecycle Policies
move files to Infrequent Access tiers automatically to reduce cost.
EFS Access Points
provide permission-scoped entry points for multi-client file systems.
FSx for Windows File Server
managed SMB file storage integrated with Active Directory.
FSx for Lustre
high-performance parallel file system for analytics or HPC workloads.
RDS Performance Insights
real-time analytics on database load and query bottlenecks.
RDS Proxy
connection pooling service that protects SQL databases from oversaturation and boosts scalability.
RDS Multi-AZ with Failover
synchronous standby used to maintain high availability during outages.
DynamoDB DAX
in-memory NoSQL caching accelerator that reduces read latency to microseconds.
DynamoDB Point-in-Time Recovery
continuous backup capability with second-level restores.
Auto Scaling Predictive Scaling
forecasts demand to scale EC2 instances ahead of time.
Launch Templates
versioned configuration blueprints used to start EC2 instances consistently.
EC2 Placement Groups (Cluster/Spread/Partition)
placement strategies for performance or high availability.
EC2 IMDSv2
metadata access protocol that prevents SSRF and enhances instance security.
EC2 Instance Connect
secure SSH access without managing long-lived keys.
S3 Transfer Acceleration
speeds data uploads to S3 by routing through edge locations.
S3 Multipart Uploads
parallelizes large object transfers for reliability and performance.
S3 Lifecycle Policies
transition objects to cheaper tiers or expire them automatically.
S3 Object Lock
provides WORM protection for compliance or ransomware defense.
S3 Versioning
stores multiple object versions to protect against overwrite and deletion issues.
DataSync
automated service for moving data between NFS, SMB, S3, EFS, and FSx.
CloudFront Origin Shield
centralized caching layer that reduces origin load.
CloudFront Field-Level Encryption
encrypts sensitive viewer data before it reaches the origin.
CloudFront Cache Invalidations
used to purge outdated cached content on demand.
Global Accelerator
improves global application performance through Anycast routing.
Route 53 Resolver DNS Firewall
blocks known malicious domains inside VPC DNS queries.
Route 53 Health Checks
monitor endpoint health and route traffic away from failures.
Route 53 Weighted Routing
distributes traffic based on weights for testing or partial rollouts.
Route 53 Latency Routing
routes clients to the Region with the lowest latency.
PrivateLink Endpoints
provide private connectivity to AWS services without public internet.
Interface Endpoints
ENI-based access points for PrivateLink-enabled services.
Gateway Endpoints
private S3 and DynamoDB access without NAT or internet gateway.
NAT Gateway
allows outbound internet access for private subnet instances.
Egress-Only Internet Gateway
provides IPv6-only outbound access while blocking inbound connections.
Network ACLs
stateless subnet-level traffic filters for inbound and outbound rules.
VPC Flow Logs
capture network-level logs to analyze traffic patterns and troubleshoot.
VPC Traffic Mirroring
packet capture capability for deep inspection or threat detection.
Transit Gateway
scalable hub that connects multiple VPCs and on-prem networks.
Reachability Analyzer
path analysis tool that identifies routing or security group blockers.
AWS VPN CloudHub
connects multiple on-prem sites together using AWS as the hub.
Elastic Load Balancer Access Logs
request-level logging used to diagnose latency or routing issues.
Application Load Balancer Target Groups
manage health checks and routes for different microservices.
NLB Cross-Zone Load Balancing
distributes traffic across all AZs to improve resilience.
IPAM (IP Address Manager)
manages IP allocation and helps avoid overlapping CIDR blocks.
Service Control Policies
enforce guardrails for entire AWS Organization accounts.
Resource Access Manager
shares VPC subnets, Transit Gateways, and other resources across accounts.
StackSets
deploy CloudFormation stacks consistently across accounts and Regions.
EC2 Image Builder Pipelines
automated AMI creation and hardening workflows.
CDK Constructs
reusable IaC components written in modern programming languages.
S3 Event Notifications
trigger Lambda, SQS, or SNS when objects are created or modified.
Lambda Destinations
route async Lambda results to EventBridge, SQS, or SNS for auditing or chaining actions.