Why These 10 Services?

AWS has over 200 services. You do not need to know all of them. But there are 10 core services that form the scaffolding of virtually every production architecture — and by extension, virtually every exam question.

Whether you're studying for the SAA-C03 or the SAP-C02, deeply understanding these services will carry you further than surface-level familiarity with all 200.


1. Amazon EC2 — The Compute Workhorse

EC2 is still the backbone of many AWS workloads. What you must know:

  • Instance families — General purpose (t, m), Compute optimised (c), Memory optimised (r, x), Storage optimised (i, d), Accelerated (p, g for ML/GPU)
  • Purchase options — On-Demand, Reserved (Standard vs Convertible), Spot, Dedicated Hosts, Savings Plans
  • Storage — EBS-backed vs Instance Store; know when each is appropriate
  • Placement groups — Cluster, Spread, Partition: what each optimises for

Exam trap: Questions about "lowest cost for a predictable workload" usually want Reserved Instances or Savings Plans. Questions about "fault tolerance for a stateless application" usually want Spot Instances behind an ASG.


2. Amazon S3 — More Than Object Storage

S3 is deceptively deep. Beyond basic uploads and downloads, you need to understand:

  • Storage classes — Standard, Intelligent-Tiering, Standard-IA, One Zone-IA, Glacier Instant, Glacier Flexible, Glacier Deep Archive
  • Lifecycle policies — automatic transitions between storage classes
  • Replication — Cross-Region (CRR) for DR, Same-Region (SRR) for compliance
  • Access control — Bucket policies, ACLs (mostly legacy), Block Public Access settings, pre-signed URLs, VPC Endpoints for private access
  • Versioning and MFA Delete
  • S3 Object Lock — WORM (Write Once Read Many) for compliance

3. Amazon VPC — Your Network Foundation

Almost every architecture question involves VPC design. Must-knows:

  • CIDR blocks, subnets (public vs private) and route tables
  • Internet Gateway (IGW) for public subnets vs NAT Gateway for private subnets needing outbound access
  • Security Groups (stateful, instance-level) vs NACLs (stateless, subnet-level)
  • VPC Peering — non-transitive, works across regions and accounts
  • Transit Gateway — hub-and-spoke for connecting many VPCs
  • PrivateLink / VPC Endpoints — Interface vs Gateway endpoints (S3 and DynamoDB use Gateway)
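
The stateful vs stateless distinction between Security Groups and NACLs, as an added example (not part of the original page): a toy packet filter in which the same HTTPS request and reply pass a Security Group with only an inbound rule, but the reply is dropped by a NACL that has no outbound rule. The port numbers, the 1024-65535 ephemeral range and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the protected instance/subnet
    src_port: int
    dst_port: int

def nacl_allows(rules, pkt):
    """Stateless: every packet is judged alone. Rules are
    (number, direction, port_lo, port_hi, action); lowest matching number wins."""
    for _, direction, lo, hi, action in sorted(rules):
        if direction == pkt.direction and lo <= pkt.dst_port <= hi:
            return action == "allow"
    return False  # the trailing '*' rule denies whatever matched nothing

class SecurityGroup:
    """Stateful: an allowed inbound flow is tracked, so its reply needs no rule."""
    def __init__(self, inbound_ports, outbound_ports=()):
        self.inbound, self.outbound = set(inbound_ports), set(outbound_ports)
        self.tracked = set()  # (client_port, server_port) of accepted flows

    def allows(self, pkt):
        if pkt.direction == "in":
            if pkt.dst_port not in self.inbound:
                return False
            self.tracked.add((pkt.src_port, pkt.dst_port))
            return True
        is_reply = (pkt.dst_port, pkt.src_port) in self.tracked
        return is_reply or pkt.dst_port in self.outbound

# Constructed traffic: a client on ephemeral port 50123 calls HTTPS, server replies.
REQUEST = Packet("in", 50123, 443)
REPLY = Packet("out", 443, 50123)

NACL_INBOUND_ONLY = [(100, "in", 443, 443, "allow")]
NACL_WITH_RETURN = NACL_INBOUND_ONLY + [(100, "out", 1024, 65535, "allow")]

def sg_round_trip():
    sg = SecurityGroup(inbound_ports=[443])  # outbound rules left empty on purpose
    return sg.allows(REQUEST), sg.allows(REPLY)

def nacl_round_trip(rules):
    return nacl_allows(rules, REQUEST), nacl_allows(rules, REPLY)

if __name__ == "__main__":
    print("SG, inbound 443 only:  ", sg_round_trip())
    print("NACL, inbound 443 only:", nacl_round_trip(NACL_INBOUND_ONLY))
    print("NACL + ephemeral out:  ", nacl_round_trip(NACL_WITH_RETURN))
```
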

4. IAM — Identity & the Security Perimeter

IAM is the security layer under everything. You must understand:

  • Users, Groups, Roles, and Policies — and when each is appropriate
  • Policy evaluation logic — explicit Deny > explicit Allow > implicit Deny
  • IAM Roles for EC2 — avoid embedding credentials; use instance profiles
  • Cross-account access with roles and STS (AssumeRole)
  • Permission Boundaries and Service Control Policies (SCPs) for the Professional exam
  • AWS Organizations — consolidated billing, OUs, SCPs
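
The policy evaluation order above (explicit Deny > explicit Allow > implicit Deny), as an added example that is not part of the original page: a simplified evaluator showing how an identity policy combines with an optional permission boundary and SCP. It assumes a same-account request and ignores Conditions and resource-based policies; the policies and bucket name are constructed placeholders.

```python
from fnmatch import fnmatchcase

def _matches(patterns, value, fold=False):
    # IAM wildcards are * and ?; action names are case-insensitive, ARNs are not.
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if fold:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def decide(policy, action, resource):
    """One policy's verdict: 'Deny', 'Allow', or None when no statement matches."""
    verdict = None
    for st in policy["Statement"]:
        if _matches(st["Action"], action, fold=True) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends the evaluation of this policy
            verdict = "Allow"
    return verdict

def evaluate(action, resource, identity, boundary=None, scp=None):
    """Simplified model: Conditions and resource-based policies are left out."""
    layers = [p for p in (identity, boundary, scp) if p is not None]
    verdicts = [decide(p, action, resource) for p in layers]
    if "Deny" in verdicts:
        return "ExplicitDeny"
    # Every layer present must allow: a boundary or SCP only caps, it never grants.
    return "Allow" if all(v == "Allow" for v in verdicts) else "ImplicitDeny"

# Constructed sample policies; example-bucket is a placeholder name.
IDENTITY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-bucket/audit/*"},
]}
BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
]}

if __name__ == "__main__":
    report = "arn:aws:s3:::example-bucket/report.csv"
    audit = "arn:aws:s3:::example-bucket/audit/2024.log"
    print(evaluate("s3:DeleteObject", report, IDENTITY))            # identity allows
    print(evaluate("s3:DeleteObject", audit, IDENTITY))             # explicit Deny wins
    print(evaluate("s3:DeleteObject", report, IDENTITY, BOUNDARY))  # boundary caps it
```
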

5. Amazon RDS & Aurora — Managed Relational Databases

  • Multi-AZ — synchronous standby for failover (high availability, not for read scaling)
  • Read Replicas — asynchronous, used for read scaling (can also be in different regions)
  • Aurora — up to 5× faster than standard MySQL, storage auto-scales, up to 15 read replicas
  • Aurora Serverless — for unpredictable or infrequent workloads
  • Backup and restore — automated backups, snapshots, point-in-time recovery

Exam trap: Multi-AZ = availability. Read Replicas = performance/scalability. Don't confuse them.


6. Amazon DynamoDB — Serverless NoSQL at Scale

  • Partition keys and sort keys — know what makes a good partition key
  • GSIs (Global Secondary Indexes) — different partition key + sort key, eventual consistency
  • LSIs (Local Secondary Indexes) — same partition key, different sort key
  • DAX (DynamoDB Accelerator) — in-memory cache, microsecond response times for read-heavy workloads
  • DynamoDB Streams — ordered stream of item-level changes
  • On-Demand vs Provisioned capacity

7. AWS Lambda — Event-Driven Compute

Lambda has become central to modern architectures:

  • Triggers — S3 events, API Gateway, SQS, SNS, DynamoDB Streams, EventBridge, etc.
  • Concurrency — reserved concurrency (limit), provisioned concurrency (reduce cold starts)
  • Timeout — maximum 15 minutes; not suitable for long-running tasks
  • Layers — shared libraries and dependencies
  • Lambda@Edge — run code at CloudFront edge locations

8. Elastic Load Balancing — The Traffic Director

Know the three types cold:

Load Balancer | Protocol | Best For
ALB (Application) | HTTP/HTTPS/gRPC | Web apps, microservices, path/host-based routing
NLB (Network) | TCP/UDP/TLS | Ultra-high performance, static IPs, IoT, gaming
GLB (Gateway) | GENEVE | Virtual network appliances (firewalls, IDS)

Key features: sticky sessions, SSL termination, cross-zone load balancing, health checks, connection draining.


9. Amazon CloudFront — The Global CDN

  • Origins — S3, ALB, EC2, custom HTTP servers
  • Distributions and behaviours — different caching rules per URL path
  • Cache invalidation — costs money, use versioned URLs instead
  • Signed URLs vs Signed Cookies — restrict content access
  • Lambda@Edge and CloudFront Functions — customise request/response at the edge
  • Origin Shield — additional caching layer to protect your origin

10. Amazon SQS & SNS — Decoupling Your Architecture

These two are almost always tested together:

SQS (Simple Queue Service):

  • Pull-based message queue
  • Standard (at-least-once, best-effort ordering) vs FIFO (exactly-once, strict ordering)
  • Visibility timeout — prevents other consumers from processing a message being worked on
  • Dead-letter queue (DLQ) — for messages that fail processing repeatedly

SNS (Simple Notification Service):

  • Push-based pub/sub
  • Fan-out pattern — one SNS topic → multiple SQS queues
  • Subscriptions: SQS, Lambda, HTTP, email, SMS

The fan-out pattern (SNS → multiple SQS) is one of the most commonly tested architecture patterns in both the Associate and Professional exams.


Study Strategy for These 10 Services

Don't just read about them — draw them. For each service, sketch out:

  1. When you would choose it over alternatives
  2. What happens when it fails (what's the fallback?)
  3. How it connects to at least 3 other services

This mental model approach is exactly what we teach in CloudTutor.in's structured programme. It's the difference between recognising a service name and genuinely knowing which architectural option to reach for.
