Skip to content

EXAM-CHEATSHEET.md

Latest commit

 

History

History
383 lines (313 loc) · 12.2 KB

EXAM-CHEATSHEET.md

File metadata and controls

383 lines (313 loc) · 12.2 KB

AWS Developer Associate — Master Cheat Sheet

Print this. Read it the night before. 1000/1000 starts here.

Numbers You MUST Memorize

Lambda

Property Value
Max timeout 15 minutes
Memory 128MB – 10GB
/tmp storage 512MB – 10GB
Deployment zip 50MB zipped / 250MB unzipped
Container image 10GB
Default concurrency 1,000 per account/region
Default timeout 3 seconds
Env variables 4KB
Async retry 2 retries (3 total)
Burst rate 500-3,000/min

DynamoDB

Property Value
Max item size 400KB
Max transaction items 25 items
Max batch items 25 (write), 100 (get)
Stream retention 24 hours
GSI per table 20
LSI per table 5
1 RCU (strongly consistent) 1 read/s up to 4KB
1 RCU (eventually consistent) 2 reads/s up to 4KB
1 WCU 1 write/s up to 1KB

SQS

Property Value
Max message size 256KB
Max retention 14 days (default 4 days)
Default visibility timeout 30 seconds
Max visibility timeout 12 hours
Long poll wait up to 20 seconds
Max batch 10 messages
FIFO throughput 300 TPS (3,000 with batching)

S3

Property Value
Max object size 5TB
Multipart recommended at > 100MB
Multipart required at > 5GB
Presigned URL max expiry (SigV4) 7 days
S3 Select Query inside object
PUT/COPY per prefix 3,500/s
GET/HEAD per prefix 5,500/s

API Gateway

Property Value
Max timeout 29 seconds (hard limit)
Max payload 10MB
Cache size 0.5GB – 237GB
Lambda Authorizer cache 0–3600 seconds

Kinesis

Property Value
1 shard write 1MB/s, 1000 records/s
1 shard read 2MB/s
Default retention 24 hours
Max retention 365 days
Enhanced Fan-Out 2MB/s per consumer

The "Which Service" Quick Reference

Scenario Answer
Exactly-once, ordered processing SQS FIFO
Multiple consumers, same message SNS or Kinesis
One consumer, async job SQS Standard
Real-time streaming analytics Kinesis
Fan-out to multiple services SNS + SQS queues per service
Background job processing SQS + Lambda or Worker tier
Store user sessions ElastiCache Redis
Gaming leaderboard ElastiCache Redis (Sorted Set)
Multi-region DB, < 1s replication Aurora Global Database
Scale reads from RDS RDS Read Replicas
Lambda → RDS connection limit RDS Proxy
Multi-tenant S3 isolation IAM policy with ${aws:username}
User authentication Cognito User Pool
Direct AWS access from browser/mobile Cognito Identity Pool
Auto-rotate DB password Secrets Manager
Store app config by environment Parameter Store (hierarchy)
Audit all API calls CloudTrail
Debug distributed request latency X-Ray
Custom EC2 metrics (memory, disk) CloudWatch Agent
Infrastructure as code CloudFormation
Serverless infrastructure shorthand SAM
Infrastructure in Python/TypeScript CDK
App deployment, managed platform Elastic Beanstalk
Containers, no cluster management ECS + Fargate
Long-running workflow (> 15 min) Step Functions
Human approval in workflow Step Functions waitForTaskToken
HTTP real-time bidirectional API Gateway WebSocket
GraphQL API AppSync
React static site with CDN S3 + CloudFront
Private Docker registry ECR
Shared file system across EC2 EFS
On-premises to S3 file bridge Storage Gateway (S3 File)

Authentication & Authorization Decision Tree

Need to verify WHO the user is?
→ Cognito User Pool (returns JWT)

Need to give user DIRECT AWS access (S3, DynamoDB)?
→ Cognito Identity Pool (returns temp AWS credentials via STS)

API Gateway auth?
→ Cognito JWT: Cognito Authorizer
→ Custom token/OAuth: Lambda Authorizer
→ AWS service-to-service: IAM auth (SigV4)

Service needs to call another AWS service?
→ IAM Role (attached to EC2/Lambda/ECS task)
→ NEVER hardcode credentials

Cross-account access?
→ IAM Role + trust policy + sts:AssumeRole

Encryption Decision Tree

Need audit trail of who decrypted what?
→ SSE-KMS (CloudTrail logs every KMS call)

Just need encryption, no audit?
→ SSE-S3 (simplest, free)

Must physically hold the key?
→ SSE-C (you send key on every request)

Data > 4KB + KMS?
→ Envelope Encryption (GenerateDataKey)

Need auto-rotation of DB credentials?
→ Secrets Manager

Storing config values with encryption?
→ SSM Parameter Store SecureString

Deployment Strategy Decision Tree

Zero downtime required?
→ Blue/Green (CodeDeploy, Beanstalk URL swap)
→ Immutable (Beanstalk)
→ Rolling with Additional Batch

Test new version with small % of traffic?
→ Lambda: Alias with weighted routing
→ API Gateway: Canary stage
→ CodeDeploy Lambda: Canary10Percent10Minutes
→ Route 53: Weighted routing

EC2 Auto Scaling Group update?
→ Instance Refresh

ECS new version?
→ Rolling update or CodeDeploy Blue/Green

Need fast rollback?
→ Blue/Green (just switch back traffic)

Error Messages and Their Fixes

Error Root Cause Fix
403 AccessDenied (Lambda→DynamoDB) Missing IAM permission Add DynamoDB permissions to Lambda execution role
403 AccessDenied (cross-account S3) Need both IAM + bucket policy Add to both
429 TooManyRequests (Lambda) Throttling Increase reserved concurrency or request limit increase
Lambda timeout Function runs too long Increase timeout or optimize code
RDS too many connections Lambda creating per-invocation connections Add RDS Proxy
SQS message reappearing Visibility timeout too short Increase visibility timeout > processing time
API Gateway 504 Lambda timeout > 29s Optimize Lambda or use async pattern
DynamoDB ProvisionedThroughputExceeded Not enough capacity Switch to On-Demand or add more capacity
Kinesis ProvisionedThroughputExceeded Need more shards Reshard or fix partition key distribution
S3 SlowDown Too many requests to one prefix Distribute across multiple prefixes

SAM Template Quick Reference

Transform: AWS::Serverless-2016-10-31  # REQUIRED

Globals:
  Function:
    Runtime: python3.12
    Timeout: 30

Resources:
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: handler.lambda_handler
      CodeUri: src/
      Events:
        Api: {Type: Api, Properties: {Path: /items, Method: GET}}
        SQS: {Type: SQS, Properties: {Queue: !GetAtt Q.Arn, BatchSize: 10}}
        Schedule: {Type: Schedule, Properties: {Schedule: rate(5 minutes)}}
      Policies:
        - DynamoDBCrudPolicy: {TableName: !Ref Table}

  MyTable:
    Type: AWS::Serverless::SimpleTable

CI/CD Pipeline Components

Source:      CodeCommit / GitHub / S3 / ECR
Build:       CodeBuild (buildspec.yml)
Test:        CodeBuild / Device Farm / third-party
Deploy EC2:  CodeDeploy (appspec.yml)
Deploy Lambda: CodeDeploy (appspec.yaml, Canary10Percent10Minutes)
Deploy ECS:  CodeDeploy (Blue/Green)
Deploy CF:   CloudFormation action in CodePipeline
Orchestrate: CodePipeline

appspec.yml Hooks Order (EC2)

ApplicationStop → DownloadBundle → BeforeInstall → Install →
AfterInstall → ApplicationStart → ValidateService

buildspec.yml Structure

version: 0.2
phases:
  install:    # runtime setup
  pre_build:  # auth, prep
  build:      # compile, test, docker build
  post_build: # push images, notifications
artifacts:    # what to pass to next stage
cache:        # what to cache between builds

Lambda@Edge vs CloudFront Functions

Lambda@Edge CF Functions
Timeout 5s/30s 1ms
Runtime Node.js/Python JavaScript
Trigger Viewer + Origin request/response Viewer only
Access Yes (external) No
Cost Higher 1/6th
Use for Auth, A/B testing, rewrites URL normalize, simple headers

Step Functions State Types

Task     → Call Lambda / AWS service / wait
Wait     → Sleep N seconds
Choice   → If/else branching
Parallel → Fork, run branches simultaneously
Map      → Iterate over array
Pass     → Transform data, no work
Succeed  → End successfully
Fail     → End with error

X-Ray Tracing

Annotation  → Indexed, filterable (use for orderId, userId, environment)
Metadata    → Not indexed, debugging only
Segment     → One service's work
Subsegment  → Work within a service
Trace       → End-to-end request

Enable:
- Lambda: Tracing: Active
- EC2/ECS: Install daemon + use SDK
- API Gateway: Enable X-Ray tracing on stage

Kinesis vs SQS Decision Matrix

Kinesis SQS
Multiple consumers Yes No (one consumer per message)
Replay data Yes No
Ordering Per shard FIFO only
Latency < 1 second Near real-time
High throughput streaming Yes Limited
Simple job queue No Yes
Data retention 24h-365d 1min-14d

DynamoDB Access Pattern Cheat Sheet

Access Pattern Solution
Get by PK GetItem on PK
Get multiple by PK BatchGetItem (up to 100)
Get range of PK Not possible — need PK = specific value
Get PK + sort key range Query with KeyConditionExpression
Get by non-key attribute Create GSI
Filter after query FilterExpression (reads items, then filters — costs RCUs either way)
All items in table Scan (avoid — reads entire table)
Ordered access Use Sort Key or GSI
Low-latency (microseconds) Add DAX in front
Real-time change processing Enable DynamoDB Streams
Expire items automatically Enable TTL
User can only access own data IAM dynamodb:LeadingKeys condition
Atomic counter UpdateItem with ADD action
Conditional write ConditionExpression

Common "Gotchas"

  1. SQS Standard = at-least-once = your code MUST be idempotent
  2. DynamoDB eventually consistent by default — use ConsistentRead=True if you need latest
  3. S3 presigned URL ≠ CloudFront signed URL. Different signing, different auth.
  4. Lambda environment variables total = 4KB (all vars combined, not each)
  5. API Gateway 29s timeout — cannot be extended. If Lambda needs > 29s, use async pattern
  6. CloudFront ACM cert MUST be in us-east-1 (regardless of distribution region)
  7. SQS FIFO name must end in .fifo
  8. DynamoDB LSI must be created at table creation — can't add later
  9. ElastiCache in VPC — cannot access from outside VPC without VPN/peering
  10. Step Functions Standard: 1 year max. Express: 5 minutes max
  11. CodeDeploy does NOT provision servers — it deploys to existing servers
  12. Beanstalk Blue/Green = DNS swap ≠ CodeDeploy Blue/Green (CodeDeploy is at LB level)
  13. IAM roles for Lambda: ALWAYS use roles, NEVER access keys in code or env vars
  14. CloudTrail is ON by default (90 day Event History) — but create Trail for > 90 days
  15. EBS volumes are AZ-specific — can't attach to EC2 in different AZ

Last-Minute Exam Tips

  • Read ALL four options before choosing — "most appropriate" questions have traps
  • When stuck between two answers, choose the more managed / more secure option
  • "You MUST NOT store credentials" → IAM roles / Instance Profile
  • "Without any downtime" → Blue/Green or Immutable
  • "Automatically rotate" → Secrets Manager
  • "Decouple" → SQS (async) or SNS (fan-out)
  • "Multiple services react to same event" → SNS + SQS fan-out
  • "Ordered processing" → SQS FIFO or Kinesis (per partition)
  • "Real-time" → Kinesis or DynamoDB Streams
  • "Serverless" → Lambda + DynamoDB + API Gateway + SAM
  • "Compliance / audit" → CloudTrail + KMS CMK + CloudWatch Logs
  • "Too many connections" → RDS Proxy (Lambda) or Connection Pooling
  • "Long-running task" > 15 min → Step Functions or ECS Fargate