Quick Reference

service name · mnemonic · keywords

Full explanations → Deep Notes
DOMAIN 1 · 30% OF EXAM

Design Secure Architectures

IAM & Identity · Network Security · Data Protection · Connectivity

🔑 IAM & Identity
IAM (AWS Identity and Access Management)
"Who can do what in AWS"

Control who can access which AWS resources

users · groups · roles · policies · least privilege · MFA
STS (AWS Security Token Service)
"Borrow an ID card temporarily"

Generate temporary security credentials

temporary credentials · AssumeRole · cross-account · federation
Directory Service (AWS Directory Service)
"Active Directory in AWS: three flavours, pick by use case"

Managed Microsoft Active Directory, AD Connector, or Simple AD for AWS workloads

Active Directory · Managed Microsoft AD · AD Connector · Simple AD · LDAP · Kerberos · Group Policy · on-premises AD
IAM Identity Center (AWS IAM Identity Center, SSO)
"One login, all AWS accounts"

Centralized SSO for multiple AWS accounts

SSO · single sign-on · multiple accounts · federation · SAML 2.0 · Active Directory · SaaS integration
Penetration Testing (AWS Penetration Testing Policy)
"You can test your own, but there are limits"

Security assessments on your own AWS infrastructure

penetration testing · security assessment · Acceptable Use Policy · AUP · no prior approval · 8 services · prohibited activities
Cognito (Amazon Cognito)
"Login for user apps: User Pool = who you are, Identity Pool = what you can do"

User sign-up/sign-in, federated identity (Google/Facebook), mobile app auth

User Pools · Identity Pools · OAuth · JWT · federated identity · MFA
RAM (AWS Resource Access Manager)
"Share AWS resources between accounts without copying them"

Share subnets, Transit Gateway, Route 53 resolver rules cross-account

cross-account sharing · shared subnets · Transit Gateway sharing · no resource duplication · AWS Organizations · centralized resources
AWS Organizations (AWS Organizations + Control Tower + SCPs)
"The HQ that controls all the subsidiaries"

Manage multiple AWS accounts centrally with guardrails

multi-account · SCPs · guardrails · Control Tower · management account · OU · management account exemption · SCP cannot grant · S3 Block Public Access SCP
🛡️ Network Security
Security Groups (VPC Security Groups)
"EC2's bodyguard: stateful, allow only, remembers connections"

Instance-level firewall — control inbound/outbound per EC2/ENI

stateful · instance-level · allow only · custom SG default · inbound denied · outbound allowed
NACLs (Network Access Control Lists)
"Guard at the subnet entrance: checks both ways"

Subnet-level firewall, stateless, can block IPs

stateless · subnet-level · allow & deny · numbered rules · explicit both ways
WAF (AWS Web Application Firewall)
"Filters Layer 7 attacks away from your website"

Protect against SQL injection and XSS; apply rate limiting

Layer 7 · SQL injection · XSS · rate limiting · managed rules · ALB · CloudFront · URI-specific rate-based rule · targeted throttling
AWS Shield (AWS Shield Standard & Advanced)
"DDoS protector: Standard is free, Advanced is paid"

DDoS protection Layer 3/4 (Standard) and Layer 7 (Advanced)

DDoS · Layer 3/4 · Shield Standard · Shield Advanced · DRT · always-on · Shield Standard free · Shield Advanced paid · custom mitigation · real-time visibility
Network Firewall (AWS Network Firewall)
"Traffic police inside the VPC: deep inspection"

VPC-level stateful deep packet inspection, domain filtering

deep packet inspection · stateful · VPC-level · intrusion prevention · domain filtering
GuardDuty (Amazon GuardDuty)
"AWS's spy: detects threats automatically using ML"

Automated threat detection: crypto-mining, unusual API calls, compromised instances

threat detection · ML · CloudTrail logs · VPC Flow Logs · no agents · findings
Detective (Amazon Detective)
"Investigation after GuardDuty detects something: AWS forensics"

Investigate and analyze security findings from GuardDuty, Security Hub, Macie

security investigation · forensics · GuardDuty findings · root cause · behavior graph · post-incident
Inspector (Amazon Inspector)
"Vulnerability scanner for EC2 and containers"

Find OS vulnerabilities, CVEs in EC2 instances and ECR images

vulnerability scanning · CVE · EC2 · ECR · automated · security findings
Macie (Amazon Macie)
"Sensitive-data hunter in S3: ML scan for PII, credentials, financial data"

Discover and protect sensitive data in S3: PII, credentials, financial data, compliance

PII detection · sensitive data · S3 · ML-based · data privacy · GDPR · data discovery · policy findings
Penetration Testing (AWS Penetration Testing Policy)
"AWS allows pentesting of 8 services, no need to ask permission first"

Understand AWS policy on security testing and acceptable use

penetration testing · pentest · security assessment · AUP · Acceptable Use Policy · no prior approval · 8 services
🔐 Data Protection
KMS (AWS Key Management Service)
"Store and manage encryption keys"

Encrypt data at rest, manage encryption keys

encryption at rest · CMK · key rotation · SSE-KMS · envelope encryption · CloudTrail audit · asymmetric keys · digital signing · multi-region keys · aws:SourceVpce
Secrets Manager (AWS Secrets Manager)
"Store app passwords, auto-rotate them"

Store and auto-rotate credentials, API keys, DB passwords

auto-rotation · credentials · API keys · no hardcoded secrets · Lambda integration
S3 Object Lock (Amazon S3 Object Lock)
"Lock the file: cannot delete or modify (WORM)"

WORM compliance, prevent deletion/modification

WORM · compliance · retention period · Governance mode · Compliance mode · legal hold
S3 Glacier Vault (Amazon S3 Glacier Vault Lock & Access Policy)
"Vault Lock = immutable compliance. Vault Access Policy = mutable access control"

WORM compliance for Glacier archives — enforce retention policies that cannot be changed

Vault Lock · Vault Access Policy · WORM · compliance · immutable · retention · Glacier archive
Amazon Redshift (Amazon Redshift — Encryption & DataShare)
"Data warehouse: KMS for at rest, SSL for in transit, DataShare for cross-account"

Encrypt data warehouse at rest (KMS) and in transit (SSL); share data cross-account via DataShare

Redshift · KMS · encryption at rest · SSL/TLS · in transit · AES-256 · data warehouse · DataShare · cross-account analytics · no ETL · AQUA · query accelerator · ra3
CloudTrail (AWS CloudTrail)
"CCTV for every AWS API call"

Audit who did what and when — compliance, forensics, account activity

API audit · who did what · compliance · forensics · account activity · 90-day retention · CloudTrail Lake · SQL query · long-term retention · 7 years
ACM (AWS Certificate Manager)
"Free SSL cert for HTTPS"

Provision free SSL/TLS certificates for ALB, CloudFront, API Gateway

SSL · TLS · HTTPS · free certificate · auto-renewal · ALB · CloudFront · API Gateway · DNS validation · email validation · pending validation
CloudHSM (AWS CloudHSM)
"KMS, but you fully control dedicated hardware"

FIPS 140-2 Level 3 compliance, customer-exclusive HSM hardware

dedicated HSM · FIPS 140-2 Level 3 · customer control · single-tenant · hardware security · TDE · Oracle RDS · Transparent Data Encryption · EBK · PBK · backup
🔗 Connectivity
Direct Connect (AWS Direct Connect)
"A cable straight to AWS: private dedicated lane"

Private dedicated connection from on-premises to AWS

dedicated connection · private · consistent latency · 1Gbps/10Gbps · no internet
Site-to-Site VPN (AWS Site-to-Site VPN)
"Secret tunnel to AWS over the ordinary internet"

Encrypted IPSec tunnel from on-premises to VPC over internet

IPSec · encrypted · internet-based · Virtual Private Gateway · quick setup · cost-effective
Client VPN (AWS Client VPN)
"VPN for individual users, not network-to-network"

Allow individual users to authenticate and connect to a VPC from their devices

Client VPN · user authentication · OpenVPN · SAML · authorization rules · per-user access · remote access · temporary access
🏘️ VPC & Networking
VPC (Amazon Virtual Private Cloud)
"Your own gated housing estate inside AWS: you design the layout"

Isolated private network — the foundation for all AWS resources

VPC CIDR: the overall IP range (172.16.0.0/16 = 65,536 IPs)

Public Subnet: has a route to the IGW. EC2 can get a public IP

Private Subnet: no direct route to the internet. Put DBs and app servers here

VPC · CIDR · subnet · public · private · isolated network · default VPC · private network
CIDR & Subnets (IP Addressing & Subnet Calculator)
"2^(32−prefix) = total IPs, minus 5 = usable"

Plan IP address ranges; a VPC needs a CIDR before you can create subnets

/16: 65,536 total → 65,531 usable (use for the VPC range)

/24: 256 total → 251 usable (standard subnet)

/25: 128 total → 123 usable

CIDR · subnet mask · IP addressing · /24 · /26 · /27 · 5 reserved IPs · usable hosts
Internet Gateway (VPC Internet Gateway, IGW)
"The main gate: two-way, free, one per VPC"

Connect VPC to internet (bidirectional); required for a public subnet

IGW · internet gateway · public subnet · bidirectional · free · 0.0.0.0/0
NAT Gateway (Network Address Translation Gateway)
"Out is allowed, in is not: for private subnets"

Private subnet instances download patches/call APIs without being exposed to internet

NAT · outbound only · private subnet · Elastic IP · paid · no inbound · bastion host · cross-AZ cost · per-AZ NAT Gateway · data transfer charges
Route Tables (VPC Route Tables)
"Road signs: which way the traffic goes"

Control traffic direction: public subnet → IGW, private subnet → NAT GW

Local: traffic within the VPC itself (automatic, cannot be deleted)

0.0.0.0/0 → igw-xxx (public subnet: out to the internet)

0.0.0.0/0 → nat-xxx (private subnet: outbound only)

route table · routing · 0.0.0.0/0 · local route · subnet association · main route table
SG vs NACL (Security Groups vs Network ACLs — Defence Layers)
"SG = Smart/Stateful (instance). NACL = Needs-both-ways/stateless (subnet)"

Two-layer defence: SG guards each EC2, NACL guards each subnet

Level: SG = EC2/ENI | NACL = subnet boundary

Stateful: SG = YES (reply auto OK) | NACL = NO (check every packet)

Rules: SG = allow only | NACL = allow + deny

SG · NACL · stateful · stateless · instance-level · subnet-level · deny · defense-in-depth
VPC Peering (VPC Peering Connection)
"A direct bridge between two VPCs: non-transitive"

Connect 2 VPCs privately: same account, cross-account, or cross-region

VPC peering · cross-account · cross-region · non-transitive · no IP overlap · private routing
Transit Gateway (AWS Transit Gateway)
"Central hub connecting all VPCs: replaces the peering mesh"

Connect 3+ VPCs and on-premises networks through one transitive hub

Transit Gateway · hub · transitive routing · many VPCs · replace peering mesh · on-premises · cross-account · ECMP · VPN throughput · multiple tunnels · aggregate bandwidth
VPC Endpoints (VPC Endpoints: Gateway & Interface)
"Highway straight to AWS services: no internet, no NAT fees"

Access S3/DynamoDB (free) or other AWS services (paid) privately from a private subnet

VPC endpoint · Gateway endpoint · Interface endpoint · PrivateLink · S3 · DynamoDB · no internet · free
DOMAIN 2 · 26% OF EXAM

Design Resilient Architectures

High Availability · Disaster Recovery · Backup & Storage Resilience

High Availability & Scaling
Auto Scaling Groups (Amazon EC2 Auto Scaling)
"Automatically add/remove servers to match demand"

Automatically scale EC2 instances based on load

horizontal scaling · scale out/in · launch template · scaling policies · desired capacity · min/max · OldestLaunchTemplate · termination policy · AMI rollout
RDS Multi-AZ (Amazon RDS Multi-AZ Deployment)
"A standby database waiting in another AZ"

High availability for RDS — automatic failover

automatic failover · standby · different AZ · sync replication · same endpoint · HA only
RDS Read Replicas (Amazon RDS Read Replicas)
"A photocopy of the database, read-only, can be cross-region"

Scale read traffic, reporting queries, multi-region read access

read scaling · async replication · cross-region · up to 15 replicas · read-only · multi-region · promote to master
RDS Proxy (Amazon RDS Proxy)
"A middleman that pools connections, saving RDS from a connection tsunami"

Connection pooling for RDS — handle too many connections from Lambda/Auto Scaling

connection pooling · too many connections · Lambda scaling · idle connections · connection multiplexing
Global Accelerator (AWS Global Accelerator)
"AWS highway for users worldwide"

Route global users to nearest healthy endpoint via AWS backbone

global routing · AWS backbone · anycast · static IP · TCP/UDP · failover <30s · two static IPs · IP caching · IoT · HIPAA
Aurora (Amazon Aurora)
"RDS but 5x faster, 6 copies automatically, 30-second failover"

High-performance relational DB, MySQL/PostgreSQL compatible, enterprise HA

MySQL compatible · PostgreSQL compatible · 6 copies · 3 AZs · auto storage 128TB · fast failover · 15 read replicas · Global Database · cross-region DR · RTO 1 min · RPO 1s
Aurora Serverless (Amazon Aurora Serverless)
"A database that sleeps when unused and scales itself"

Unpredictable/intermittent workloads — auto-scale DB capacity, pay per second

scale to zero · ACU · pay per second · intermittent · dev/test · auto-pause · variable traffic
DynamoDB (Amazon DynamoDB)
"NoSQL that is never slow: milliseconds at any scale"

Serverless key-value/document store, single-digit ms latency at any scale

NoSQL · key-value · serverless · millisecond latency · DAX · Global Tables · streams · auto-scale
🔄 Disaster Recovery Patterns
Backup & Restore (DR Pattern: Backup & Restore)
"Save game: if it breaks, restore from backup"

Non-critical systems, lowest cost DR strategy

RPO: hours/days · RTO: hours · lowest cost · no standby infra · S3/Glacier backup
Pilot Light (DR Pattern: Pilot Light)
"A small flame kept ready: can flare up when needed"

Core DB running in DR region, app servers off until needed

RPO: minutes · RTO: minutes-hours · core DB running · app servers off · medium cost
Warm Standby (DR Pattern: Warm Standby)
"A small subsidiary on standby: scale up in an emergency"

Scaled-down full stack running in DR, quick scale up

RPO: seconds/minutes · RTO: minutes · scaled-down active · quick scale up · higher cost
Multi-Site Active/Active (DR Pattern: Multi-Site Active/Active)
"Two HQs running at the same time, backing each other up"

Mission-critical — full capacity in both regions simultaneously

RPO: near-zero · RTO: seconds · full capacity both · highest cost · mission-critical · zero downtime
🗂️ Backup & Storage Resilience
AWS Backup
"Backup manager for all AWS services"

Centralized backup across EC2, RDS, EFS, DynamoDB, S3

centralized backup · backup plans · retention · cross-region · compliance · automated · EFS backup · Backup Audit Manager · monitoring
S3 Versioning & CRR (S3 Versioning + Cross-Region Replication)
"Keep every version, auto-copy to another region"

Protect against accidental deletion, cross-region DR for S3

versioning · CRR · accidental deletion · cross-region replication · SRR · point-in-time recovery
EBS Snapshots (Amazon EBS Snapshots)
"A picture of the volume at one moment: restore anytime"

Point-in-time backup of EBS volumes, cross-region DR

incremental backup · point-in-time · cross-AZ · cross-region copy · EC2 recovery
FSx (Amazon FSx)
"EFS but for Windows, HPC, or enterprise NAS"

Managed file systems: Windows SMB, HPC Lustre, NetApp ONTAP, OpenZFS

Windows SMB · NTFS · Active Directory · Lustre HPC · NetApp ONTAP · OpenZFS · managed file system · S3 integration · DRA · DataSync · multi-AZ · single-AZ · POSIX
Storage Gateway (AWS Storage Gateway)
"Bridge between on-premises apps and AWS storage"

Hybrid cloud storage: on-premises apps use AWS storage seamlessly

hybrid storage · File Gateway · Volume Gateway · Tape Gateway · on-premises · NFS · SMB · iSCSI
DataSync (AWS DataSync)
"Automatic, fast data mover: from on-prem to AWS or cross-region"

One-time or recurring data migration from on-premises to S3, EFS, or FSx; also EFS cross-region replication

data migration · automated transfer · S3 · EFS · FSx · NFS · SMB · HDFS · one-time migration · EFS cross-region · private network · no public internet
DMS (AWS Database Migration Service)
"Move databases to AWS without downtime"

Migrate databases to AWS — homogeneous (MySQL→RDS MySQL) or heterogeneous (Oracle→Aurora)

database migration · minimal downtime · homogeneous · heterogeneous · Schema Conversion Tool · CDC · replication
Snow Family (AWS Snow Family)
"AWS's strongbox for massive data: shipped by post"

Petabyte-scale data transfer when the internet is too slow/expensive, or edge computing

Snowcone · Snowball Edge · Snowmobile · physical transfer · petabyte · edge computing · offline migration
🚚 Migration & Transfer
Transfer Family (AWS Transfer Family)
"Managed SFTP/FTP server: files land directly in S3 or EFS"

Legacy FTP/SFTP/FTPS/AS2 file transfers stored directly into S3 or EFS — no code changes needed

SFTP · FTP · FTPS · AS2 · S3 backend · EFS backend · managed FTP · legacy protocol · B2B file transfer · no code change
AWS MGN (AWS Application Migration Service)
"Lift-and-shift server migration to EC2: continuous replication, minimal downtime"

Migrate servers (physical/virtual/cloud) to AWS EC2 with minimal downtime

MGN · lift-and-shift · server migration · EC2 migration · block replication · minimal downtime
AWS Outposts
"AWS comes to your house: an AWS rack in your own data center"

Run AWS services on-premises for compliance, low latency, or data residency requirements

Outposts · on-premises AWS · data residency · compliance · local processing · hybrid
DOMAIN 3 · 24% OF EXAM

Design High-Performing Architectures

Compute · Storage · Networking · Messaging · Infrastructure

🖥️ Compute
EC2 (Elastic Compute Cloud)
"Virtual computer"

Run any workload, full control

full control · custom OS · lift and shift
Lambda (AWS Lambda)
"Run code, pay per run"

Serverless, event-driven

serverless · event-driven · no server management
Elastic Beanstalk (AWS Elastic Beanstalk)
"Just hand over the code, AWS handles the rest"

Deploy apps without managing servers

PaaS · deploy app · developer friendly
ECS (Elastic Container Service)
"Docker manager"

Run containers

Docker · containers · microservices · task definition · JSON template · Fargate · EC2 launch type · service
EKS (Elastic Kubernetes Service)
"Kubernetes manager"

Container orchestration using K8s

Kubernetes · K8s · container orchestration · IRSA · IAM Roles for Service Accounts · pod identity
EKS Variants (EKS Anywhere vs EKS Distro vs ECS Anywhere)
"EKS Anywhere = K8s on-prem + AWS control plane. EKS Distro = pure on-prem, no AWS control plane. ECS Anywhere = ECS on-prem"

Run container workloads on-premises with varying levels of AWS integration

EKS Anywhere: deploy K8s clusters on-prem using open-source tools, connected to the AWS control plane for management consistency

EKS Distro: the AWS K8s distribution used by EKS; run fully on-prem, NO AWS control plane dependency. Full open-source freedom

ECS Anywhere: run ECS tasks on on-premises servers, managed by the AWS ECS control plane

EKS Anywhere · EKS Distro · ECS Anywhere · on-premises Kubernetes · hybrid containers
EC2 User Data (EC2 User Data Scripts)
"Script at launch time"

Auto-configure EC2 instance on first boot

bootstrap · launch script · cloud-init · first boot · initialization · 16KB limit
EC2 Hibernation (Amazon EC2 Hibernation)
"EC2 sleeps but remembers everything: RAM saved to EBS"

Preserve in-memory state across stop/start — fast resume for memory-intensive apps

hibernation · RAM save · EBS root · fast resume · in-memory state · encrypted root volume
EC2 Metadata (EC2 Instance Metadata Service, IMDS)
"The instance's own ID card"

Get info about the running instance from within the instance

169.254.169.254 · instance info · IMDSv2 · hostname · IP address · IAM role name
Recycle Bin (AWS Recycle Bin for AMIs & EBS Snapshots)
"Trash can for AMIs and snapshots: recoverable within a set period"

Recover accidentally deleted AMIs and EBS snapshots within a defined retention period

Recycle Bin · AMI recovery · EBS snapshot recovery · accidental deletion · retention period
AWS Batch
"Managed batch jobs: no need to manage the EC2 fleet yourself"

Run batch computing jobs at scale without managing EC2 infrastructure

AWS Batch · batch computing · managed · job queue · EC2 fleet · replace third-party
Fargate (AWS Fargate)
"ECS/EKS without managing EC2: serverless containers"

Run containers without managing any EC2 server infrastructure

serverless containers · ECS · EKS · no EC2 management · pay per vCPU/memory · zero infra
ECR (Amazon Elastic Container Registry)
"Docker Hub but inside AWS, private"

Store, version, and deploy Docker container images privately in AWS

container registry · Docker images · private registry · IAM integration · vulnerability scanning · ECS · EKS
EBS (Elastic Block Store)
"Hard disk for EC2"

Block storage, attached to 1 EC2

block storage · single EC2 · persistent disk · instance store · ephemeral · Elastic Volumes · resize · encryption · data in transit
EBS Volume Types (Amazon EBS — Volume Types & Multi-Attach)
"gp3 = general best. io2 = mission-critical + Multi-Attach. st1 = sequential log. sc1 = cold"

Choose right EBS type for workload: random I/O vs sequential, IOPS vs throughput, cost vs performance

gp3: General Purpose SSD. Up to 16,000 IOPS and 1,000 MB/s throughput, independently configurable. Default choice.

gp2: older General Purpose. Burst IOPS (3 IOPS/GB). Less predictable under sustained load

io2: Provisioned IOPS SSD. Up to 64,000 IOPS. 99.999% durability. Supports Multi-Attach

gp3 · io2 · st1 · sc1 · Multi-Attach · Provisioned IOPS · throughput HDD · EBS types
EFS (Elastic File System)
"Shared drive, many can access: multi-AZ NFS"

Shared file storage for multiple EC2 instances simultaneously

shared storage · multiple EC2 · NFS · General Purpose · Max I/O · Provisioned Throughput · Bursting Throughput · Elastic Throughput · TLS 1.2 · mount helper · -o tls · TCP 2049 · cross-VPC EFS · EFS mount target
S3 (Simple Storage Service)
"Infinite storage bucket"

Object storage, images, backups

object storage · static website · backup · unlimited
S3 Glacier (Amazon S3 Glacier)
"Frozen S3"

Archiving, rarely accessed

archiving · long-term storage · infrequent access · cold storage
🌐 Networking & Delivery
CloudFront (Amazon CloudFront)
"CDN, content arrives fast"

Deliver content fast via edge locations

CDN · edge location · low latency · static content · OAC · Origin Access Control · Lambda@Edge · SSE-KMS · private S3
ALB (Application Load Balancer)
"Traffic director: by path/host, Layer 7"

HTTP/HTTPS path-based routing, microservices, containers

path-based routing · HTTP · layer 7 · IP targets · cross-VPC · microservices
NLB (Network Load Balancer)
"Traffic director: ultra fast, Layer 4, static IP"

TCP/UDP, low latency, static IP, cross-VPC with IP targets

TCP · UDP · layer 4 · static IP · IP targets · cross-VPC · low latency
Route 53 (Amazon Route 53)
"GPS for domains"

DNS management, domain routing

DNS · domain · routing policy · failover · Alias record · CNAME · apex domain · root domain · cannot CNAME apex
Route 53 Routing Policies (Amazon Route 53 — Routing Policies)
"How Route 53 decides who gets the traffic"

Control how DNS traffic is routed to resources

Simple: 1 resource, no health check, no failover

Weighted: split traffic by % (A=70%, B=30%)

Latency-based: route to the lowest-latency AWS region

failover · active-passive · health check · weighted · latency-based · geolocation · simple · Evaluate Target Health · hybrid failover · two alias records · on-premises secondary
📨 Messaging & Serverless
SQS (Simple Queue Service)
"A queue of messages"

Decouple services, async queue

Visibility Timeout: the message is invisible while being processed (max 12 hours). If the consumer dies before finishing, the message becomes visible again after the timeout

Delay Seconds: delay before the message first becomes visible in the queue (max 15 minutes)

Dead Letter Queue (DLQ): a message that fails processing N times is sent to the DLQ for debugging

queue · decouple · async · pull-based · visibility timeout · FIFO · DLQ · at-least-once · exactly-once · long polling · short polling · batch operations · duplicate messages · queue policy · cross-account SQS · resource-based policy · SNS SQS Lambda fan-out
SNS (Simple Notification Service)
"Broadcast message"

Push notifications to many subscribers

pub/sub · push notification · fan-out · broadcast
Kinesis (Amazon Kinesis)
"SQS but real-time streaming"

Real-time data streaming & analytics

real-time · streaming · data pipeline · analytics
API Gateway (Amazon API Gateway)
"Front door for APIs"

Manage & expose REST/WebSocket APIs

REST API · WebSocket · API management · throttling · mapping templates · backward compatibility · VTL · response transformation · cache key · CORS · VPC Link · cross-account Lambda
EventBridge (Amazon EventBridge)
"Traffic light for events: routes events to the right place"

Serverless event bus: decouple services, schedule tasks, react to AWS service changes

event bus · event-driven · cron schedule · rule-based routing · decouple · SaaS integration · CloudWatch Events
Step Functions (AWS Step Functions)
"A flowchart that runs itself: orchestrates multi-step workflows"

Coordinate multi-step processes with error handling, retry, and branching

workflow · state machine · orchestration · retry logic · error handling · Lambda orchestration · visual workflow · Distributed Map · parallel processing
Amazon MQ
"SQS but for older apps that use ActiveMQ/RabbitMQ"

Migrate existing ActiveMQ/RabbitMQ message brokers to AWS without code changes

ActiveMQ · RabbitMQ · AMQP · MQTT · lift-and-shift · message broker · legacy migration · open protocols
Kinesis Data Firehose (Amazon Kinesis Data Firehose)
"A pipe streaming data straight into S3/Redshift: no code needed"

Capture and load streaming data to S3, Redshift, OpenSearch, Splunk automatically

delivery stream · S3 delivery · Redshift · OpenSearch · no consumer code · buffer · transform with Lambda
AppFlow (AWS AppFlow)
"SaaS → AWS connector, no code"

Automated no-code data transfer between SaaS apps (Salesforce, ServiceNow, Slack) and AWS services

AppFlow · SaaS integration · Salesforce · ServiceNow · no-code connector · data transfer · bidirectional · S3 · Redshift
🏗️ Infrastructure
CloudFormation (AWS CloudFormation)
"Blueprint for AWS resources"

Automate infrastructure deployment, consistent environment

IaC · Infrastructure as Code · template · stack · rollback · repeatable deployment · Lambda-backed custom resource · AMI lookup · dynamic parameters · multi-region template · Mappings · Outputs · cross-stack reference · Fn::ImportValue · cfn-init · cfn-signal · cfn-hup · cfn-get-metadata
SSM (AWS Systems Manager)
"Remote control for the EC2 fleet"

Manage, patch, and run commands on EC2 instances at scale

Run Command · Patch Manager · Parameter Store · Session Manager · no SSH · fleet management · parallel execution · AmazonSSMManagedInstanceCore
AWS Config
"Audit & track what changed"

Track configuration changes and compliance of AWS resources

compliance · audit · config changes · config rules · resource history · drift detection
CodeCommit (AWS CodeCommit)
"GitHub but inside AWS"

Private Git repository inside the AWS ecosystem

Git · source control · version control · private repo · IAM integration
CI/CD Pipeline (CodeCommit → CodeBuild → CodeDeploy → CodePipeline)
"4 Code services = full DevOps pipeline"

Automate build, test, and deploy pipeline end-to-end

CodeCommit: store & version-control source code (Git)

CodeBuild: compile, test, produce build artifacts

CodeDeploy: deploy to EC2, Lambda, ECS, on-premises

CI/CD · CodePipeline · CodeBuild · CodeDeploy · DevOps · automation · pipeline
CloudWatch (Amazon CloudWatch)
"Dashboards, logs, and alarms for everything in AWS"

Monitor metrics, collect logs, set alarms, create dashboards for AWS resources

metrics · logs · alarms · dashboards · CPU monitoring · custom metrics · Log Groups · VPC Flow Logs
X-Ray (AWS X-Ray)
"GPS for tracing a request through microservices"

Distributed tracing — debug latency and errors across microservices and serverless

distributed tracing · service map · latency analysis · microservices · Lambda tracing · bottleneck · debugging · SQS tracing · end-to-end trace · bottleneck detection · X-Ray Insights · anomaly detection
🗄️ Databases
DocumentDB (Amazon DocumentDB)
"MongoDB inside AWS: JSON documents"

JSON document store, MongoDB-compatible workloads migrate to AWS

MongoDB compatible · document store · JSON · collections · NoSQL · MongoDB migration
Neptune (Amazon Neptune)
"Database for the connections between data: graph"

Social networks, fraud detection, knowledge graphs, recommendation engines

graph database · social network · fraud detection · Gremlin · SPARQL · relationships · knowledge graph
Keyspaces (Amazon Keyspaces)
"Cassandra inside AWS: wide column, IoT, time-series"

Migrate Apache Cassandra workloads, IoT telemetry, time-series data

Cassandra compatible · CQL · wide column · IoT telemetry · time-series · high write throughput
📊 Analytics & Streaming
QuickSight (Amazon QuickSight)
"AWS BI dashboard: you drag-and-drop, it visualizes"

Business intelligence dashboards, data visualization, ML-powered analytics

QuickSight · BI · dashboard · forecasting · ML Insights · visualization · S3 direct · SPICE · IoT analytics
Athena (Amazon Athena)
"SQL straight on S3: serverless, pay per TB scanned"

Ad-hoc SQL analysis of data in S3 without loading to a database

serverless SQL · S3 queries · pay per scan · Parquet · ORC · Glue Catalog · log analysis · ad-hoc
Glue (AWS Glue)
"Data connector: serverless ETL and data catalog"

ETL jobs, data catalog for data lake, prepare and transform data for analytics

ETL · data catalog · Spark · serverless · crawler · data lake · transform · Parquet · schema discovery · DynamoDB · schema inference
Lake Formation (AWS Lake Formation)
"Security layer on top of S3/Glue: row-, column-, cell-level access"

Fine-grained access control on data lake: row-level, column-level, cell-level security

Lake Formation · row-level security · column-level · cell-level · fine-grained access · data lake · Glue Data Catalog
EMR (Amazon EMR)
"Hadoop/Spark cluster for big data: you control the cluster"

Process petabyte-scale data with Spark, Hadoop, Hive, Presto — full control

Hadoop · Spark · Hive · Presto · big data · cluster · petabyte · managed · Spot instances
OpenSearch (Amazon OpenSearch Service)
"Search engine and log analytics: Elasticsearch inside AWS"

Full-text search, real-time log/event analytics, dashboard visualisation

search engine · log analytics · Elasticsearch compatible · Kibana · real-time analytics · full-text search · fuzzy
MSK (Amazon MSK)
"Kafka inside AWS: managed, no need to run the brokers"

Real-time event streaming with the Kafka API; migrate or build Kafka workloads

Kafka · managed · streaming · event streaming · migration · Kafka API · real-time pipeline · brokers · no SSH · event source mapping · MSK Serverless · auto scaling storage
Kendra (Amazon Kendra)
"Google-like ML search for your enterprise documents"

Intelligent enterprise search across diverse document repositories

Kendra · enterprise search · ML search · semantic search · natural language query · FAQs · unstructured documents · intelligent search
Data Exchange (AWS Data Exchange)
"AWS marketplace to buy/subscribe to third-party data"

Subscribe to and access third-party datasets for analytics

Data Exchange · third-party data · data marketplace · data subscription · market data · financial data · data products · S3 delivery · licensing
AWS AI/ML Services (AWS AI Services: Polly, Rekognition, Lex, Comprehend, Textract, Transcribe)
"Polly = speaks. Transcribe = listens. Lex = understands + replies. Rekognition = sees. Comprehend = reads. Textract = scans documents"

AI/ML services for audio, video, text, and image analysis without training models

Amazon Polly: Text-to-Speech (TTS): convert text into audio (natural voice)

Amazon Transcribe: Speech-to-Text (STT): convert audio/video into text

Amazon Lex: conversational chatbot: NLU + ASR, maintains context, integrates Lambda (powers Alexa)

Polly · Transcribe · Lex · Rekognition · Comprehend · Textract · Kinesis Video Streams · text-to-speech · speech-to-text · chatbot · image analysis · StartSpeechSynthesisTask · audiobook · OCR · NLP · sentiment analysis · entity recognition · document extraction
SageMaker (Amazon SageMaker)
"Custom ML end-to-end — train, tune, deploy your own models"

Build, train, and deploy custom ML models with full control

SageMaker · custom ML · training · AutoML · Autopilot · hyperparameter tuning · model deployment · MLOps · Feature Store · Pipelines
DOMAIN 4 · 20% OF EXAM

Design Cost-Optimized Architectures

Pricing Models · Storage · Networking · Database

💰 EC2 Pricing Models
On-Demand (EC2 On-Demand Instances)
"Pay by the hour, stop anytime"

Unpredictable workloads, short-term, testing

no commitment · flexible · short-term · highest cost
Reserved Instances (EC2 Reserved Instances)
"Pay upfront, get a big discount"

Steady workloads, predictable usage, 1-3 years

1 or 3 year · up to 72% discount · predictable · steady state
Spot Instances (EC2 Spot Instances)
"Cheap price but can be interrupted"

Batch jobs, fault-tolerant workloads, flexible timing

up to 90% discount · interruptible · batch jobs · fault-tolerant
Savings Plans (AWS Savings Plans)
"Reserved but more flexible"

Commit spend per hour, flexible instance type

flexible · hourly commitment · up to 66% discount · compute savings
Compute Optimizer (AWS Compute Optimizer)
"AI that recommends right-sizing EC2, Lambda, EBS: uses ML to analyse usage"

Rightsizing recommendations for EC2, Lambda, EBS, ECS on Fargate, Auto Scaling Groups

rightsizing · ML recommendations · EC2 optimization · Lambda optimization · cost savings · underutilized
Trusted Advisor (AWS Trusted Advisor)
"AWS cost-saving adviser"

Identify idle resources, cost optimization recommendations

cost recommendations · idle resources · rightsizing · underutilized · service limits · five categories
AWS Budgets
"Alarm before spend hits the limit"

Set cost/usage thresholds and get alerted before overspending

budget alerts · cost threshold · SNS notification · usage budget · forecast alert · before overspend
Cost Explorer (AWS Cost Explorer)
"Graphs and analysis of AWS spending"

Visualise and analyse AWS costs — understand patterns, get RI/SP recommendations

cost analysis · spending visualization · RI recommendations · usage patterns · rightsizing · forecast · hourly granularity
💾 Storage Cost Optimization
S3 Storage Tiers · Amazon S3 Storage Classes
"Pick the tier by how often you access the data"

Reduce storage cost according to frequency of access

S3 Standard · frequent access, high price

S3 Standard-IA · infrequent access, but must be fast when needed

S3 One Zone-IA · same, but only 1 AZ, cheaper

+3 more → Deep Notes
storage classes · lifecycle policy · infrequent access · glacier · Glacier Instant Retrieval · Glacier Deep Archive · One Zone-IA · min storage charge
S3 Intelligent-Tiering · S3 Intelligent-Tiering
"AWS automatically picks the cheapest tier for you"

Data with unpredictable access patterns

auto-tiering · unpredictable access · no retrieval fees
🌐 Networking Cost Optimization
CloudFront · Amazon CloudFront
"CDN that saves data transfer cost"

Reduce data transfer cost, cache content close to users

reduce data transfer · edge caching · CDN · cost saving
VPC Endpoints · AWS VPC Endpoints
"Stay inside the house, no need to go out to the internet"

EC2 → S3/DynamoDB without paying NAT Gateway fees

no NAT fees · private connection · S3 gateway · no internet
🗄️ Database Cost Optimization
ElastiCache · Amazon ElastiCache
"Cache in front of the database, reduce DB load"

Cache frequent queries, reduce RDS cost

Redis · Memcached · in-memory · reduce DB load · caching · sub-millisecond · leaderboards · session store
DynamoDB On-Demand · Amazon DynamoDB On-Demand
"Database that bills per request, zero capacity management"

Unpredictable traffic, serverless apps

NoSQL · pay per request · serverless · auto-scale · unpredictable traffic
FRAMEWORK · ALL DOMAINS

AWS Well-Architected Framework

SAA-C03 exam validates ability to design solutions based on the Well-Architected Framework.

🏛️ Six Pillars
Operational Excellence · Well-Architected: Operational Excellence
"Run and monitor systems, improve processes"

Run and monitor systems to deliver business value and continually improve processes

IaC · automation · runbooks · CI/CD · monitoring · continuous improvement
Security · Well-Architected: Security
"Protect data, systems, and assets"

Protect information, systems, and assets via risk assessments and mitigation strategies

least privilege · IAM · encryption · detective controls · data protection · incident response
Reliability · Well-Architected: Reliability
"Recover from failures, scale for demand"

Ensure the workload performs correctly and consistently, including recovery from failures

Multi-AZ · auto-recovery · RTO · RPO · disaster recovery · horizontal scaling · fault isolation
Performance Efficiency · Well-Architected: Performance Efficiency
"Use resources efficiently, adapt when things change"

Use computing resources efficiently to meet requirements and maintain efficiency as demand changes

right-sizing · serverless · caching · CDN · global deployment · benchmarking
Cost Optimization · Well-Architected: Cost Optimization
"Deliver value at the lowest price"

Run systems to deliver business value at the lowest price point

right-sizing · Reserved Instances · Spot · Savings Plans · eliminate waste · cost allocation tags
Sustainability · Well-Architected: Sustainability
"Reduce environmental impact; the 6th pillar (2021)"

Minimize environmental impacts of running cloud workloads

sustainability · carbon footprint · environmental impact · 6th pillar · serverless · utilisation · renewable energy · 2021
BONUS · NOT IN EXAM

Extra Tools & Open-Source

Not AWS native, but useful in the real world. Does not appear in SAA-C03.

🛠️ Open-Source Database Tools
Litestream · Litestream (SQLite Streaming Replication)
"SQLite backup to S3 in real time; cheap, easy, automatic"

Continuously replicate a SQLite database to S3 (or GCS / Azure Blob) for near-zero-cost backup and restore

SQLite · WAL · S3 replication · sidecar · open-source · backup · not AWS native · single server · cheap DB