Last-Minute Revision for the AWS Solutions Architect – Professional exam – Cheat Sheet – Post (7/7)

Welcome to the final post of our AWS Solutions Architect – Professional revision series! This post distils crucial, often subtle, concepts —focusing on networking constraints, advanced storage details, and database replication nuances.

Networking & Endpoints

• Load Balancers & Endpoints
  • You CANNOT use VPC Interface/Gateway endpoints to access an internal load balancer in another VPC.
  • A Global Accelerator Custom routing accelerator supports only VPC subnet endpoints.
  • CloudFront OAI (Origin Access Identity) is only for S3 origins and cannot be used for custom origins. OAC (Origin Access Control) is the recommended feature that supports custom origins.
  • The Virtual Private Gateway (VGW) has built-in redundancy, making sharing a VGW an acceptable practice.
• Security Groups & NACLs
  • A Network Access Control List (NACL) cannot be associated with an Elastic Network Interface (ENI).
  • Security groups do not filter traffic destined to or from internal AWS services like Amazon DNS, Amazon DHCP, EC2 instance metadata, ECS task metadata endpoints, Windows license activation, Amazon Time Sync Service, or Reserved IP addresses used by the default VPC router.
• Private Connectivity
  • When creating an interface endpoint, the private DNS option (enabled by default) associates a private hosted zone with your VPC.
  • If you enable private DNS for an S3 interface endpoint without having a gateway endpoint for S3, you will receive an error.

Storage & Data Services

• S3 and Compliance
  • S3 Replication Time Control (S3 RTC) replicates most objects in seconds and 99.99% of objects within 15 minutes.
  • S3 can publish event notifications for replication events, including when an object fails replication or exceeds the 15-minute threshold.
  • AWS Macie scans Amazon S3 buckets, but you cannot see the S3 bucket assigned to CodeCommit, as it is an AWS managed service bucket.
  • The S3 Block Public Access feature includes controls like
    • IgnorePublicAcls (S3 ignores public ACLs),
    • BlockPublicAcls (blocks requests granting public access),
    • BlockPublicPolicy (rejects policies granting public access), and
    • RestrictPublicBuckets (restricts access to principals in the bucket owner’s AWS account).
  • Glacier Select CANNOT be used on compressed data. You can perform simple query operations only on text-based data in S3 Glacier.
• Redshift
  • For Redshift audit logging, you can currently only use Amazon S3-managed keys (SSE-S3) encryption (AES-256).
• Other Analytics
  • AWS Compute Optimizer Recommendations are exported in a CSV file, with metadata in a JSON file.
  • Amazon Athena offers two ODBC drivers and a Microsoft Power BI connector.
  • DataSync can transfer your file system data and metadata, such as ownership, timestamps, and access permissions.

Compute & Containers

• Lambda and Networking
  • Modifying the security group to allow access from Lambda functions’ dynamic IP ranges is not practical, as Lambda functions do not have static IP addresses.
  • Lambda is not a sharable resource with AWS RAM.
• ECS and EKS
  • ECS takes over the coordination of task termination using the inherent instance “DRAINING” functionality. This managed termination and graceful LB connection termination reduces service interruptions, making it easier to use Spot instances.
  • In an Amazon EKS cluster, using topology spread constraints based on Availability Zones is a strategic approach to enhance node resilience.
• SQS
  • SQS delay queues and message timers allow scheduling of message delivery up to 15 minutes in the future.

Database & Availability

• RDS Replication and Recovery
  • Multi-AZ deployments use synchronous replication.
  • Read Replicas follow asynchronous replication.
  • RDS MySQL cross-region Recovery Time Objective (RTO) would be at least 15 minutes.
  • You can share manual DB snapshots with up to 20 AWS accounts. Automated Amazon RDS snapshots cannot be shared directly.
• Aurora
  • You can create a clone of an Aurora DB cluster and share the clone using AWS RAM.
  • Aurora Error logs are generated by default, but slow query logs must be enabled by configuring parameters.
• Unsupported Features
  • Amazon RDS does not support certain features in Oracle, including Multitenant Database, Real Application Clusters (RAC), Unified Auditing, and Database Vault.
• Kinesis and DynamoDB
  • Users CANNOT use different Kinesis Client Library (KCL) applications with the same DynamoDB table, as this can lead to lease and checkpoint inconsistencies.

Security & Other Services

• Certificates and Health Checks
  • Route53 HTTPS health checks don’t validate SSL/TLS certificates, so checks don’t fail if a certificate is invalid or expired.
  • Server Name Indication (SNI) custom SSL relies on the SNI extension of the TLS protocol for multiple domains to serve SSL traffic over the same IP address. Use Dedicated IP custom SSL when browsers do not support SNI.
  • By default, Amazon SES uses opportunistic TLS (STARTTLS).
  • CloudHSM uses keys that you both provide and control, and it runs in your VPC.
• EC2 Instance Management
  • It is not possible to move an existing instance to another subnet, Availability Zone, or VPC.
  • To connect to an instance, you must Install Instance connect on the EC2 instance and the SSH client on each machine intending to connect.
• Blue/Green Deployments
  • Blue/Green Deployment is supported by AWS OpsWorks, Aurora, and Elastic Beanstalk.
• VIF – Virtual Interface
  • Private VIF
    • You are connecting to the “inside” of a specific VPC
    • A private virtual interface should be used to access an Amazon VPC using private IP addresses.
    • Your on-premise network (e.g., 192.168.0.0/24) can talk directly to your EC2 instances (e.g., 10.0.0.5) using private IP addresses.
    • You cannot reach AWS Public Services (like S3 or DynamoDB) directly because they live outside the VPC on public IPs.
  • Public VIF
    • Your Router does the NAT
    • No VGW Needed: A Public VIF does not enter your VPC at all. It stays on the AWS global backbone to reach public services
    • It connects you to the entire “Public Zone” of AWS. This includes almost every service that has a public IP address.
      • Storage: S3, Glacier
      • Database: DynamoDB, RDS (Public instances)
      • Compute: EC2 APIs, EC2 instances with Public IPs
      • Messaging: SNS, SQS
      • Management: CloudWatch, AWS APIs (for running commands)

Helpful Link

• Configure termination policies for Amazon EC2 Auto Scaling
• Shareable AWS resources – AWS Resource Access Manager
• Connect to Amazon Athena with ODBC
• Auto Scaling benefits for application architecture
• Can I use different Amazon Kinesis Client Library applications with the same Amazon DynamoDB table?
• Blue Green Deployment
  • Using Amazon Aurora Blue/Green Deployments for database updates
  • Blue/Green deployments with Elastic Beanstalk
  • CodeDeploy blue/green deployments for Amazon ECS
• Implementing Canary Deployments of AWS Lambda Functions with Alias Traffic Shifting

Conclusion

The AWS Solutions Architect – Professional exam doesn’t just test your knowledge of AWS services; it tests your ability to dissect a problem and find the single path that meets all constraints (cost, performance, and security) while avoiding the technical dead-ends we’ve covered in this series. Before wrapping up this 7-part journey, I want to be completely transparent: this series does not cover deep explanations or exhaustive details of every single AWS service.

Instead, these are the exact, last-minute revision notes I kept for myself to read the day before my exam. They were born specifically out of the mistakes I made during my own practice runs. To get to this point, I watched three comprehensive Udemy courses by Neal Davis, Stephane Maarek, and Zeal Vora, and I completed the Tutorials Dojo practice exams twice.

These notes are the direct fruit of those failing answers and the moments I finally “clicked” with a new concept.

My biggest piece of advice? Don’t rely solely on these notes. The exam is tough, and you need to keep your own notes to track your personal learning gaps.

Finally, I would really appreciate it if you could let me know if this series was helpful to you! Drop a comment, share your own exam experiences, and best of luck on your certification journey!

Final Exam Tips:

1. Non-native candidates, don’t miss the 30-min AWS accommodation
2. Eliminate the wrong
3. Watch the Clock – Practice the exam,
   • Answer 13 questions in 30 minutes
   • Answer 25 questions in 1 hour

Good luck—you’re ready for the exam!

---

Catch up on the series:

1. Last-Minute Revision for the Solutions Architect – Professional exam – Introduction
2. AWS Organizations — Centralized management and SCP guardrails.
3. Security Policies and Encryption — Mastering KMS, IAM boundaries, and CloudHSM.
4. Data Storage — High-performance S3 patterns and RDS Multi-AZ strategies.
5. Networking — Hybrid connectivity, VPC-sharing with RAM, and WAF protection.
6. Serverless and Governance — Event-driven design and multi-account compliance.
7. Final Review & “Gotchas” — This Post