IaaS, PaaS, and SaaS what each model provides and who manages what.

Public, private, hybrid, and multi-cloud deployment strategies.

Understand the financial model shift from capital expenditure to operational expenditure.

How cloud providers pass cost savings to customers through massive infrastructure scale.

How AWS Regions are composed of isolated AZs and why this matters for HA design.

How AWS delivers low-latency content globally via its edge network.

Extend AWS infrastructure to metro areas and telecom networks for ultra-low latency.

Criteria for region selection: latency, compliance, service availability, and cost.

Users, groups, roles, and policies the four building blocks of AWS IAM.

Grant only the permissions required nothing more. Apply to every identity.

Cross-account access, EC2 instance profiles, and service-to-service permissions.

Identity-based, resource-based, permission boundaries, SCPs, and session policies.

Manage multiple accounts with AWS Organizations and restrict permissions with Service Control Policies.

General purpose, compute-optimised, memory-optimised, storage-optimised, and accelerated computing.

Create golden images with AMIs and standardise instance config with Launch Templates.

Dynamic and predictive scaling policies, cooldown periods, and lifecycle hooks.

On-Demand, Reserved Instances, Savings Plans, Spot, and Dedicated Hosts.

Cluster, spread, and partition placement strategies for performance and fault tolerance.

Function lifecycle, triggers, concurrency, layers, and cold start optimisation.

Task definitions, services, Fargate vs EC2 launch types, and cluster management.

Managed Kubernetes on AWS node groups, Fargate profiles, and add-ons.

Serverless container execution no cluster infrastructure to manage.

Buckets, objects, keys, versioning, and the S3 consistency model.

Standard, Intelligent-Tiering, Standard-IA, Glacier, and Glacier Deep Archive.

Automatically transition objects between storage classes or expire them.

Bucket policies, ACLs, Block Public Access, pre-signed URLs, and SSE options.

Cross-Region Replication (CRR) and Same-Region Replication (SRR) for DR and compliance.

Volume types (gp3, io2, st1, sc1), snapshots, encryption, and multi-attach.

Fully managed NFS file system performance modes, throughput modes, and access points.

Bridge on-premises environments to cloud storage with File, Volume, and Tape Gateway.

Snowcone, Snowball Edge, and Snowmobile for offline data transfer at petabyte scale.

Supported engines, Multi-AZ deployments, read replicas, and automated backups.

Aurora architecture, Aurora Serverless v2, global databases, and cluster endpoints.

Manage database connection pooling for Lambda and highly concurrent applications.

Migrate databases to AWS with minimal downtime using DMS and SCT.

Partition keys, sort keys, GSIs, LSIs, DynamoDB Streams, and capacity modes.

Single-table design, access pattern modelling, and avoiding hot partitions.

Redis vs Memcached, caching strategies (lazy loading, write-through), and cluster modes.

Full-text search, log analytics, and OpenSearch Serverless for unpredictable workloads.

Subnets (public/private), route tables, internet gateways, and the default VPC.

Enable outbound internet access for private subnets without exposing them inbound.

Stateful security groups vs stateless Network ACLs layered network defence.

Capture and analyse IP traffic for security auditing and troubleshooting.

Design non-overlapping IP address ranges for future VPC peering and Transit Gateway.

Direct routing between VPCs limitations, transitive routing, and use cases.

Hub-and-spoke network topology for connecting many VPCs and on-premises networks.

Dedicated private connectivity from on-premises to AWS use cases and resilience.

IPSec VPN tunnels over the internet as a cost-effective hybrid connectivity option.

Expose services privately across VPCs and accounts without traversing the internet.

Layer 7 routing, host/path-based rules, weighted target groups, and WAF integration.

Layer 4 ultra-low latency load balancing, static IPs, and TLS termination.

Deploy, scale, and manage third-party virtual network appliances.

DNS routing policies: simple, weighted, latency, failover, geolocation, and multivalue.

Distributions, origins, cache behaviours, TTL, signed URLs, and OAC.

Run lightweight logic at edge locations for request/response manipulation.

Improve global application availability and performance using the AWS backbone network.

The six pillars: Operational Excellence, Security, Reliability, Performance, Cost, and Sustainability.

Assume components will fail. Build redundancy, retries, and fallback paths into every design.

Reduce dependencies between components to allow independent scaling and failure isolation.

Horizontal vs vertical scaling, stateless design, and avoiding single points of failure.

Define Recovery Time Objective and Recovery Point Objective to guide DR architecture.

Backup & Restore, Pilot Light, Warm Standby, and Multi-Site Active-Active patterns.

When to use AZ redundancy vs full region failover cost vs resilience trade-offs.

Centralise and automate backups across EC2, RDS, DynamoDB, EFS, and more.

Single responsibility, independent deployability, bounded contexts, and API contracts.

Standard vs FIFO queues, visibility timeout, DLQs, and long polling for async decoupling.

Pub/sub messaging, fan-out patterns, and SNS filtering for event-driven architectures.

Serverless event bus rules, event patterns, pipes, and cross-account event routing.

Event-driven, fan-out, saga, and async request-response patterns with Lambda.

REST, HTTP, and WebSocket APIs throttling, caching, auth, and usage plans.

Orchestrate multi-step workflows with Standard and Express state machines.

Infrastructure as code for serverless applications with local testing support.

Customer-managed keys, key policies, grants, and envelope encryption.

Enable server-side encryption for S3, EBS, RDS, DynamoDB, and EFS with KMS.

Enforce TLS for all service endpoints, use ACM for certificate management.

Store, rotate, and retrieve database credentials and API keys without hardcoding.

Provision and manage TLS/SSL certificates for CloudFront, ALB, and API Gateway.

Intelligent threat detection using ML identifies compromised instances, credential abuse, and more.

Aggregate and prioritise security findings from GuardDuty, Inspector, Macie, and partners.

Discover and protect sensitive data in S3 using ML-driven classification.

Automated vulnerability assessments for EC2, Lambda, and container images.

Web ACLs, managed rule groups, rate limiting, and bot control for HTTP workloads.

Shield Standard (free DDoS protection) vs Shield Advanced for layer 3/4/7 attacks.

Stateful, managed network firewall for VPC-level traffic inspection and filtering.

Centrally manage WAF, Shield Advanced, and Network Firewall rules across accounts.

Track resource configuration changes, evaluate rules, and trigger auto-remediation.

Audit API calls across your account who did what, when, and from where.

Continuously collect evidence for PCI DSS, HIPAA, SOC 2, and custom frameworks.

Set up and govern a secure, multi-account AWS environment using landing zones.

Metrics, alarms, dashboards, Logs Insights, and Contributor Insights.

Centralise logs from EC2, Lambda, ECS, and VPC Flow Logs with structured querying.

Distributed tracing for Lambda, API Gateway, and ECS visualise service maps.

Fully managed observability stack for Kubernetes and container workloads.

Stacks, templates (YAML/JSON), change sets, nested stacks, and drift detection.

Define infrastructure using TypeScript, Python, or Java with the AWS CDK.

Manage AWS resources with the HashiCorp Terraform AWS provider and remote state in S3.

Modularisation, stack separation by lifecycle, tagging strategies, and drift prevention.

Pay-as-you-go, pay less with more, and pay less as AWS grows pricing fundamentals.

Analyse spending trends, forecast costs, and set budget alerts per service or tag.

Commit to usage for 1 or 3 years to save up to 72% vs On-Demand pricing.

Automated recommendations for cost, performance, security, and fault tolerance.

Match instance types to actual workload needs and use Spot for fault-tolerant jobs.

Columnar data warehousing, Redshift Spectrum for S3 queries, and RA3 nodes.

Serverless ETL, the Glue Data Catalog, crawlers, and Glue Studio.

Real-time data streaming with Kinesis Data Streams, Firehose, and Data Analytics.

Build, secure, and manage data lakes on S3 with centralised access control.

Retire, Retain, Rehost, Relocate, Repurchase, Replatform, and Refactor strategies.

Track migrations from on-premises to AWS across multiple tools in a single console.

Lift-and-shift server migrations with minimal downtime using continuous replication.

Evaluate people, process, and technology readiness before beginning large migrations.

Run workload reviews against the Well-Architected Framework and track improvements.

Consistency vs availability (CAP theorem), cost vs reliability, and latency vs throughput.

Document architecture decisions, context, and consequences for future reference.

Reference architectures and vetted solutions from AWS for common use cases.

The core certification for architects design resilient, high-performing, and cost-optimised solutions.

Advanced multi-account, hybrid, and complex architecture design for experienced practitioners.

Advanced Networking, Security, Database, Data Analytics, and Machine Learning specialties.