AWS SAA-C03 Architecture Master Cheat Sheet

Complete Technical Breakdown for the 2026 Associate Exam

Domain 1: Design Secure Architectures

Weight: 30% • Focus: IAM, VPC Security, Encryption

Identity & Governance

  • IAM Policies: Always use Least Privilege. Principal -> Action -> Resource.
  • Roles vs Users: Use Roles for services (EC2) or Cross-account access. Never embed Access Keys in code.
  • AWS Organizations: Use SCPs (Service Control Policies) to restrict member accounts. SCPs do not grant permissions; they filter them.
  • IAM Identity Center (SSO): Preferred for multi-account centralized login.

Network Isolation

  • Security Groups: Stateful (Allow only). Applies to Instances.
  • NACLs: Stateless (Allow & Deny). Applies to Subnets.
  • WAF: Protects at Layer 7 (HTTP/S) against SQLi and XSS; also supports Geo-blocking.
  • Shield: DDoS Protection. Standard is free; Advanced provides 24/7 SRT access.

Domain 2: Design Resilient Architectures

Weight: 26% • Focus: High Availability, Storage, Decoupling

The Storage Decision Tree

| Service | Performance Type | Key Metric |
|---|---|---|
| S3 Standard | Object (11 9s Durability) | ms latency |
| EBS gp3 | Block (Single-AZ) | Baseline 3000 IOPS |
| EFS | File (Multi-AZ NFS) | Scales to PB |
| FSx (Windows) | File (SMB) | Native AD integration |

High Availability Patterns

  • ELB: ALB (Layer 7 - Path/Query routing) vs NLB (Layer 4 - Static IP/Ultra-low latency).
  • Auto Scaling: Scales based on CloudWatch metrics (CPU, Request count).
  • Route 53: Use Failover for Disaster Recovery (Active-Passive) or Latency for global performance.

Domain 3: High-Performing Architectures

Weight: 24% • Focus: Serverless, Caching, DB Scaling

Database Mastery

  • DynamoDB: NoSQL, serverless, single-digit ms. Use DAX for microsecond caching.
  • Aurora: 5x faster than MySQL. Auto-scaling storage up to 128TB. 15 Read Replicas.
  • ElastiCache: Redis (Complex types, Persistence) vs Memcached (Simple, Multithreaded).

Content Delivery

  • CloudFront: Global Edge locations. Uses OAC to protect S3 origins.
  • Global Accelerator: Uses Anycast IPs to route traffic over the AWS backbone (Layer 4).
  • S3 Transfer Acceleration: Fast uploads over long distances via Edge locations.

Domain 4: Design Cost-Optimized Architectures

Weight: 20% • Focus: Purchase Models, S3 Tiers

EC2 Buying Strategies

  • On-Demand: New, unpredictable workloads. Pay by sec/hr.
  • Spot: Up to 90% discount. For stateless, fault-tolerant apps (Batch jobs).
  • Savings Plans: Best for 1-3 year steady usage (Compute-wide).

S3 Storage Classes

| Class | Retrieval Cost | Min Duration |
|---|---|---|
| Standard | Free | N/A |
| IA (Infrequent) | Per GB Fee | 30 Days |
| Glacier Flexible | Per GB Fee | 90 Days (1-5 min to hrs) |
| Glacier Deep | Cheapest | 180 Days (12-48 hrs) |
