Domain 1: Cloud Concepts
This domain tests whether you understand why cloud exists and how AWS changes cost, speed, scale, and reliability.
| Concept | Exam meaning | Remember |
| --- | --- | --- |
| Agility | Create and change resources quickly. | Cloud reduces waiting for hardware and long procurement. |
| Elasticity | Automatically add or remove capacity to match demand. | Elasticity is about automatic adjustment. |
| Scalability | Ability to grow capacity as demand increases. | Can be manual or automatic. |
| High availability | Keep systems running during component failure. | Use multiple Availability Zones and managed services. |
| Fault tolerance | Continue operating even when parts fail. | Design so failure is expected, not surprising. |
| Pay as you go | Pay for actual usage instead of upfront hardware. | Cloud shifts capital expense toward variable operational expense. |
| Economies of scale | AWS operates at huge scale and can offer lower variable cost. | Large shared infrastructure benefits customers. |
| Global reach | Deploy close to users around the world. | Use Regions, AZs, and edge locations. |
Cloud Adoption Framework
- Business: align cloud work with business outcomes.
- People: skills, roles, training, and organizational change.
- Governance: policies, risk, compliance, and portfolio management.
- Platform: architecture, infrastructure, and landing zones.
- Security: identity, controls, detection, response, and compliance.
- Operations: monitoring, reliability, observability, and incident management.
Domain 2: Security and Compliance
This is the second-largest domain. Expect many questions about who is responsible, how access is controlled, and which service improves security or compliance.
Shared Responsibility Model
| AWS is responsible for security of the cloud | Customer is responsible for security in the cloud |
| --- | --- |
| Physical data centers, buildings, power, cooling. | Customer data, classification, retention, and access. |
| Physical servers, storage devices, network hardware. | IAM users, roles, permissions, MFA, password policy. |
| Global infrastructure and managed service infrastructure. | Application code, operating system on EC2, firewall rules, encryption choices. |
| Hypervisor and virtualization layer for EC2. | Guest OS patching and installed software on EC2. |
Service type changes responsibility
- EC2: customer manages guest OS patching, installed software, app code, security groups, and data.
- RDS: AWS manages database infrastructure; customer manages data, access, network rules, and configuration choices.
- S3: AWS manages storage infrastructure; customer manages bucket permissions, data, lifecycle, encryption settings, and public access choices.
- Lambda: AWS manages servers and runtime infrastructure; customer manages function code, permissions, and data.
Domain 3: Cloud Technology and Services
This is the largest domain. You must know the purpose of major AWS services and choose the best service for simple scenarios.
| Category | Must-know services | Question pattern |
| --- | --- | --- |
| Compute | EC2, Lambda, ECS, EKS, Elastic Beanstalk, Lightsail, Auto Scaling | Where should code or servers run? |
| Storage | S3, EBS, EFS, FSx, Storage Gateway, Backup | Object, block, file, archive, backup, hybrid storage? |
| Databases | RDS, Aurora, DynamoDB, Redshift, ElastiCache, DocumentDB, Neptune | Relational, NoSQL, analytics, cache, graph? |
| Networking | VPC, Route 53, CloudFront, ELB, Direct Connect, VPN, API Gateway | DNS, CDN, private network, load balancing, hybrid connectivity? |
| Monitoring | CloudWatch, CloudTrail, X-Ray, Config | Metrics/logs, API audit, tracing, configuration history? |
| Migration | Migration Hub, DMS, Application Migration Service, Snow Family, DataSync | Move apps, databases, or data to AWS? |
| Analytics | Athena, Glue, Kinesis, QuickSight, Redshift | Query, ETL/catalog, streaming, dashboard, warehouse? |
| AI/ML | Bedrock, SageMaker, Rekognition, Comprehend, Lex, Polly, Transcribe, Translate | Generative AI, custom ML, image/text/speech/language tasks? |
Domain 4: Billing, Pricing, and Support
This is the smallest domain by weight, but it is easy to score if you memorize the tools and support plan differences.
| Tool or model | Use it for | Exam clue |
| --- | --- | --- |
| On-Demand | Pay with no long-term commitment. | Flexible, simple, often higher cost. |
| Savings Plans | Discount for committed compute usage. | Commitment measured by dollars/hour usage. |
| Reserved Instances | Discount for committed capacity/service usage. | Common for predictable workloads. |
| Spot Instances | Use spare EC2 capacity at deep discount. | Interruptible workloads only. |
| Free Tier | Try eligible services with usage limits. | Free does not mean unlimited. |
| Pricing Calculator | Estimate costs before deployment. | Planning and forecasting before building. |
| Cost Explorer | Analyze historical cost and usage. | Charts, trends, cost analysis. |
| AWS Budgets | Alert on cost, usage, RI, or Savings Plans thresholds. | Budget alert clue. |
| Cost and Usage Report | Detailed billing data. | Most detailed cost/usage reporting. |
| Billing Conductor | Customize billing views for organizations. | Showback/chargeback style billing. |
| AWS Marketplace | Find and buy third-party software/data/services. | Prebuilt vendor software subscriptions. |
| Organizations | Multiple accounts and consolidated billing. | OUs, SCPs, consolidated billing. |
25 Most Important Practice Questions
Important: these are original practice questions, not leaked or copied real exam questions.
1. A company wants to store images, backups, and log files as objects. Which AWS service should it use?
Answer: Amazon S3.
Why: S3 is object storage for buckets and objects.
2. Which service records AWS account API calls for auditing?
Answer: AWS CloudTrail.
Why: CloudTrail records who did what, when, and from where.
3. Which service creates alarms from metrics and stores application logs?
Answer: Amazon CloudWatch.
Why: CloudWatch handles metrics, logs, dashboards, and alarms.
4. Who patches the guest operating system on an Amazon EC2 instance?
Answer: The customer.
Why: With EC2, the customer manages the guest OS and installed software.
5. Who is responsible for securing AWS physical data centers?
Answer: AWS.
Why: AWS is responsible for security of the cloud, including physical facilities.
6. Which tool estimates AWS cost before deploying a workload?
Answer: AWS Pricing Calculator.
Why: It estimates service costs before resources are created.
7. Which AWS tool sends alerts when spending crosses a threshold?
Answer: AWS Budgets.
Why: Budgets alerts on cost, usage, reservation, and Savings Plans thresholds.
8. Which service provides DNS and domain routing?
Answer: Amazon Route 53.
Why: Route 53 provides DNS, hosted zones, routing policies, and health checks.
9. Which AWS service is used as a content delivery network?
Answer: Amazon CloudFront.
Why: CloudFront caches and delivers content from edge locations.
10. Which support plan includes full AWS Trusted Advisor checks?
Answer: Business support or higher.
Why: Full Trusted Advisor checks are associated with Business, Enterprise On-Ramp, and Enterprise support.
11. Which service manages users, groups, roles, and policies?
Answer: AWS Identity and Access Management (IAM).
Why: IAM controls identity and permissions.
12. Which storage service provides block storage for EC2 instances?
Answer: Amazon EBS.
Why: EBS volumes attach to EC2 instances as persistent block storage.
13. Which service runs code without provisioning or managing servers?
Answer: AWS Lambda.
Why: Lambda is serverless event-driven compute.
14. Which AWS service provides managed relational databases?
Answer: Amazon RDS.
Why: RDS manages relational engines such as MySQL, PostgreSQL, MariaDB, Oracle, and SQL Server.
15. Which database is serverless NoSQL key-value and document storage?
Answer: Amazon DynamoDB.
Why: DynamoDB is managed NoSQL with low-latency key-value/document access.
16. Which service helps protect web applications from SQL injection and cross-site scripting?
Answer: AWS WAF.
Why: WAF filters HTTP/S web requests using rules.
17. Which service provides DDoS protection for AWS resources?
Answer: AWS Shield.
Why: Shield protects AWS endpoints from DDoS attacks.
18. Which service stores secrets and can rotate them automatically?
Answer: AWS Secrets Manager.
Why: Secrets Manager stores, retrieves, encrypts, and rotates secrets.
19. Which service provides AWS compliance reports and agreements?
Answer: AWS Artifact.
Why: Artifact provides access to compliance reports and agreements.
20. Which service detects suspicious activity and threats in AWS accounts?
Answer: Amazon GuardDuty.
Why: GuardDuty analyzes account and workload signals for threats.
21. What does elasticity mean in cloud computing?
Answer: Automatically adding or removing capacity to match demand.
Why: Elasticity focuses on automatic capacity adjustment.
22. What does scalability mean in cloud computing?
Answer: The ability to grow capacity as demand increases.
Why: Scaling can be manual or automatic.
23. Which cloud model changes upfront hardware purchases into variable usage costs?
Answer: Pay-as-you-go cloud pricing.
Why: Cloud computing shifts capital expense toward operational expense.
24. Which AWS service manages multiple accounts and consolidated billing?
Answer: AWS Organizations.
Why: Organizations supports multiple accounts, organizational units, service control policies, and consolidated billing.
25. Which service discovers sensitive data such as PII in S3 buckets?
Answer: Amazon Macie.
Why: Macie helps discover and protect sensitive data stored in S3.