AWS Deep Dive Roadmap

AWS is built on networking and Linux — without fundamentals, services won't make sense. Know: what virtualization is (VMs, containers), basic networking (IP addresses, CIDR notation, subnets, ports, TCP/UDP, DNS, HTTP/HTTPS), Linux command line (file system, processes, users, permissions, SSH), and what a REST API is. Understand the shared responsibility model — AWS secures the cloud infrastructure, you secure what you put in it. Create a free-tier AWS account and enable MFA on the root account before doing anything else.

IAM is the security foundation for everything in AWS. Learn: IAM users (for people), IAM groups (for collections of users), IAM roles (for services and cross-account access — always prefer roles over users for services), IAM policies (JSON documents defining Allow/Deny actions on resources), and the policy evaluation logic (explicit Deny always wins). Understand policy types: AWS managed, customer managed, inline. The principle of least privilege — grant only what's needed. Access keys vs temporary credentials (STS assume-role). Never commit access keys to code.

VPC is your private, logically isolated network in AWS. Every resource lives in a VPC. Learn: CIDR blocks (10.0.0.0/16), subnets (public vs private — public have a route to the internet gateway, private don't), Internet Gateway (IGW) for public internet access, NAT Gateway for private subnet outbound access, Route Tables (which subnet routes where), Security Groups (stateful firewall — rules on inbound/outbound at the instance level), Network ACLs (stateless firewall at the subnet level), VPC Peering for connecting two VPCs, and VPC Endpoints for private access to AWS services.

EC2 is AWS's virtual machine service. Learn: instance types (t3, m6i, c6i — compute/memory/general purpose), AMIs (Amazon Machine Images — OS templates), key pairs for SSH access, instance storage vs EBS volumes, Elastic IP addresses, instance metadata (169.254.169.254), user data scripts for bootstrapping, IAM instance profiles (attach a role to an EC2 instance — no access keys needed), and Launch Templates. Auto Scaling Groups (ASG) automatically add/remove instances based on demand — define min/max/desired, scaling policies (target tracking, step scaling), and use with a Load Balancer (ALB/NLB).

S3 stores objects (files) in buckets — 5TB max per object, unlimited storage. Learn: buckets (globally unique names), objects (key + value + metadata), storage classes (Standard, Intelligent-Tiering, Glacier for cold storage — costs decrease with retrieval speed), versioning, S3 lifecycle rules (transition objects to cheaper storage or expire them), bucket policies vs ACLs (use policies — block public access by default), presigned URLs for temporary access, S3 static website hosting, and S3 event notifications (trigger Lambda on upload). Understand that S3 is eventual consistent globally but strongly consistent within a region.

RDS manages the database server for you — OS patching, backups, failover. Supports PostgreSQL, MySQL, MariaDB, Oracle, SQL Server. Learn: Multi-AZ deployments (synchronous standby for automatic failover), read replicas (asynchronous copy for read scaling), automated backups and manual snapshots, parameter groups and option groups, RDS Proxy (connection pooling — critical for Lambda which opens many short connections), and encryption at rest with KMS. Aurora is AWS's cloud-native DB — PostgreSQL-compatible Aurora Serverless v2 auto-scales capacity to zero. Put RDS in private subnets only.

DynamoDB is AWS's fully managed NoSQL database — single-digit millisecond latency at any scale, no servers to manage. Key concepts: tables (no fixed schema beyond the primary key), primary keys (partition key only, or partition key + sort key for composite), items (documents up to 400KB), and attributes. Read/write capacity: on-demand (pay per request — unpredictable workloads) vs provisioned (set RCUs/WCUs — use auto-scaling). Global Secondary Indexes (GSI) for querying on non-primary-key attributes. DynamoDB Streams for change data capture (trigger Lambda on item change). Transactions (TransactWriteItems for multi-item ACID). TTL for auto-expiring sessions. DAX (DynamoDB Accelerator) for microsecond read latency via an in-memory cache. Design data access patterns first — DynamoDB requires knowing your queries upfront.

Lambda runs code in response to events — no servers to manage, pay per invocation. Learn: function handlers, supported runtimes (Node.js, Python, Go, Java, custom), environment variables, execution roles (IAM role the function assumes), memory/timeout configuration, Lambda layers (shared dependencies), cold starts (initialization latency — mitigate with provisioned concurrency), VPC-connected Lambda (adds cold start — use for RDS access), event sources (S3, SQS, DynamoDB Streams, API Gateway, EventBridge, SNS), and Lambda destinations for async failure handling.

API Gateway is a fully managed service for creating, publishing, and securing APIs. Two types: REST API (feature-rich, supports request/response transformations, API keys, usage plans) and HTTP API (newer, simpler, cheaper, lower latency — use this by default). Learn: resources and methods, Lambda proxy integration (entire request/response passed to Lambda), stages (dev/prod), deployment, CORS configuration, request validation, API keys and usage plans for rate limiting, custom domain names, and WebSocket APIs for real-time. Cognito authorizers and Lambda authorizers for auth.

ECS (Elastic Container Service) runs Docker containers on AWS. Fargate is the serverless compute engine — no EC2 instances to manage, AWS allocates CPU/memory per task. Learn: Task Definitions (Docker image, CPU/memory, env vars, IAM task role, logging), Services (desired task count, load balancer integration, rolling updates), Clusters, ECR (Elastic Container Registry — private Docker registry), and ECS service auto-scaling. Understand ECS vs EKS — ECS is simpler and AWS-native, EKS is standard Kubernetes. Use Fargate for most services unless you need GPU or very specific OS configs.

CloudFront is AWS's global CDN — distributes content from 400+ edge locations worldwide. Learn: distributions, origins (S3, ALB, API Gateway, custom HTTP), cache behaviors (path patterns, TTLs, query string forwarding), invalidations, Origin Access Control (OAC) for restricting S3 to CloudFront only, AWS WAF integration, Lambda@Edge and CloudFront Functions for edge computing, and HTTPS with ACM certificates (must be in us-east-1 for CloudFront). Route 53 is AWS's DNS — hosted zones, record types (A, CNAME, Alias), routing policies (simple, weighted, latency, failover, geolocation), and health checks.

Decoupled messaging enables resilient architectures. SQS (Simple Queue Service) — message queue where producers send and consumers poll (standard queues for high throughput, FIFO queues for ordered processing). Learn: visibility timeout, dead-letter queues (DLQ for failed messages), long polling, and batch processing. SNS (Simple Notification Service) — pub/sub fanout to multiple subscribers (Lambda, SQS, HTTP, email). EventBridge — event bus for AWS service events and custom application events, routing to multiple targets with filtering rules. Use SQS to decouple synchronous services into async workers.

CloudWatch is the central observability service. Learn: Logs (log groups, log streams, retention policies, log insights for querying with a SQL-like syntax), Metrics (service metrics are free — EC2 CPU, Lambda duration, RDS connections; custom metrics via PutMetricData), Alarms (trigger on metric thresholds, send to SNS or Auto Scaling), Dashboards (visualize metrics), Container Insights for ECS, Application Signals for end-to-end tracing, and X-Ray for distributed tracing (service map, latency heatmaps). Set up alarms for everything that matters before a problem occurs.

Manual console operations don't scale — use code. AWS CLI: configure profiles (aws configure --profile), common commands (aws s3, aws ec2, aws lambda, aws ecs), and how to script multi-step operations. Terraform: define AWS resources in HCL (HashiCorp Configuration Language), terraform init/plan/apply/destroy, state files (store in S3 + DynamoDB for team use), modules for reusable components, variables and outputs, data sources to query existing resources, and workspaces for environments. AWS CDK is a Terraform alternative using TypeScript/Python. CloudFormation is AWS-native IaC.

Security in AWS goes beyond IAM. AWS WAF (Web Application Firewall) — rate limiting, IP blocking, SQL injection and XSS rules (AWS Managed Rules). KMS (Key Management Service) — customer-managed encryption keys for S3, RDS, EBS, Lambda env vars. Secrets Manager for rotating database passwords and API keys (never hardcode). GuardDuty — threat detection (unusual API calls, cryptocurrency mining, credential exfiltration). Security Hub — aggregates findings from GuardDuty, Inspector, Macie. VPC Flow Logs for network traffic analysis. CloudTrail for API audit logs — enable in all regions.

AWS bills can spiral without discipline. Learn: Cost Explorer (visualize spending by service, account, tag), Cost and Usage Reports (CUR — granular billing data), Budgets (alert when approaching limits), Savings Plans (commit to a spend level — up to 66% savings vs on-demand), Reserved Instances for predictable steady-state workloads, Spot Instances for fault-tolerant batch jobs (up to 90% savings), S3 Intelligent-Tiering to auto-optimize storage costs, right-sizing with Compute Optimizer, and deleting unused resources (unattached EBS volumes, idle NAT Gateways, forgotten load balancers).

The AWS Well-Architected Framework is a set of design principles across six pillars: Operational Excellence (IaC, small frequent changes, anticipate failure), Security (least privilege, encryption everywhere, defense in depth), Reliability (multi-AZ, backups, chaos engineering, retry with backoff), Performance Efficiency (right-sizing, serverless, caching), Cost Optimization (pay for what you use, managed services), and Sustainability (minimize waste, use efficient instance types). Use the AWS Well-Architected Tool in the console to evaluate your workloads. This thinking is what the SAA-C03 certification tests.