AWS compute services provide virtualization and serverless capabilities. EC2 (Elastic Compute Cloud): Scalable virtual servers with resizable compute capacity, multiple instance types (general purpose, compute optimized, memory optimized, GPU instances), on-demand/reserved/spot pricing models. Lambda: Serverless compute functions that run code without provisioning servers, event-driven execution, pay-per-millisecond billing, auto-scaling from 0 to thousands of concurrent executions. ECS/EKS (Elastic Container Service/Elastic Kubernetes Service): Container orchestration for running Docker containers at scale, managed Kubernetes service. Lightsail: Simplified cloud platform for small websites, apps, and development environments. AWS Fargate: Serverless compute for containers without managing infrastructure. Elastic Beanstalk: Platform as a service (PaaS) for deploying and scaling web applications. Core services for running applications in AWS.
AWS Core FAQ & Answers
41 expert AWS Core answers researched from official documentation. Every answer cites authoritative sources you can verify.
AWS storage services provide persistent data storage solutions. S3 (Simple Storage Service): Object storage with unlimited capacity, 99.999999999% (11 nines) durability, multiple storage classes (Standard, Intelligent-Tiering, Standard-IA, Glacier), lifecycle policies for cost optimization. EBS (Elastic Block Store): Persistent block storage for EC2 instances, volumes up to 64 TiB (io2 Block Express), encrypted volumes, snapshot backups, performance-optimized volume types (gp3, io2). EFS (Elastic File System): NFS file system for EC2 instances and containers, scales to petabytes, supports thousands of concurrent clients, POSIX permissions plus IAM and access points for access control. Storage Gateway: Hybrid cloud storage service connecting on-premises applications to AWS storage. Use S3 for object storage (static assets, backups), EBS for database/OS disks, EFS for shared file systems. Critical for data persistence in AWS applications.
AWS database services provide managed database solutions. RDS (Relational Database Service): Managed relational databases (MySQL, PostgreSQL, MariaDB, Oracle, SQL Server), automated backups, Multi-AZ deployments, read replicas, security patches. DynamoDB: Fully managed NoSQL key-value database, single-digit millisecond latency, auto-scaling, global tables, on-demand or provisioned capacity. DocumentDB: Managed MongoDB-compatible document database, MongoDB API compatibility, automated backups. Neptune: Managed graph database for building applications using highly connected datasets. Aurora: MySQL- and PostgreSQL-compatible relational engine within RDS with higher performance and availability than the standard engines. Redshift: Data warehouse service for petabyte-scale data analytics. Use RDS for traditional applications, DynamoDB for high-performance NoSQL, Aurora when you need more throughput and availability than the standard RDS engines. Essential for application data persistence and analytics.
AWS networking services provide connectivity and infrastructure. VPC (Virtual Private Cloud): Isolated virtual network within AWS, complete control over network environment, IP address ranges, subnets, route tables, and gateway configurations. Route 53: Domain Name System (DNS) web service for domain registration, DNS routing, health checks, traffic management. CloudFront: Content Delivery Network (CDN) for fast content delivery, edge locations globally, DDoS protection, dynamic content acceleration. API Gateway: Fully managed service for creating, publishing, maintaining, and securing APIs. Direct Connect: Dedicated network connection from on-premises to AWS. VPN Site-to-Site: Secure connection between your on-premises network and your VPC. Load Balancing: Distributes incoming traffic across multiple targets. Use VPC for network isolation, Route 53 for DNS management, CloudFront for content delivery. Essential for AWS application connectivity and performance.
AWS security and monitoring services provide protection and observability. IAM (Identity and Access Management): Manage users, groups, roles, permissions, and access controls for AWS resources. KMS (Key Management Service): Creation and management of encryption keys, hardware security modules (HSMs), key rotation, integration with other AWS services. CloudWatch: Monitoring and observability service collecting logs, metrics, and performance data, alarms, automated responses, dashboards. CloudTrail: Governance, compliance, operational auditing, risk detection of AWS API calls. GuardDuty: Threat detection service continuously monitors for malicious activity. WAF (Web Application Firewall): Protects web applications from common web exploits. Security Hub: Comprehensive security management service. Use IAM for access control, KMS for encryption, CloudWatch for monitoring. Essential for AWS security posture and compliance requirements.
EC2 (Elastic Compute Cloud) provides resizable virtual servers with 750+ instance types. 2025 Latest: Graviton4-based instances (R8g, C8g, M8g) deliver up to 30% better performance than Graviton3 and up to 40% better price-performance than comparable x86 instances. Key features: instance types (general purpose, compute optimized, memory optimized, GPU, storage optimized), auto scaling, elastic load balancing, Nitro System (hardware-offloaded virtualization, networking and security), placement groups. Pricing: On-Demand (about $0.0104/hour for t3.micro in us-east-1), Reserved (up to 72% savings), Spot (up to 90% off), Compute Savings Plans (up to 66% off). Latest: t4g.small free tier extended through Dec 2025 (750 hours/month). Security: IMDSv2 (session-token metadata requests) is the default for newer instance types and console launches, but older instances can still answer IMDSv1 requests; set HttpTokens=required per instance or through the account-level instance metadata defaults, so that an SSRF in a web application on the host cannot read the instance role's credentials with a single GET. Essential for scalable compute workloads.
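The IMDSv2 point above in code, as an added example that is not from the page or from AWS: an audit over instance metadata options (in the shape boto3's ec2.describe_instances() returns) that lists instances still reachable over IMDSv1, flags token hop limits above 1, and builds the arguments for ec2.modify_instance_metadata_options(). The reservations are constructed sample data, not a real account.

```python
"""Audit EC2 instance metadata options for IMDSv1 exposure and build the fix.

Input is in the shape of ec2.describe_instances()["Reservations"] from boto3;
the data below is constructed for the example, not from a real account.
"""
from typing import Any, Dict, List

SAMPLE_RESERVATIONS: List[Dict[str, Any]] = [  # constructed sample data
    {"Instances": [
        {"InstanceId": "i-0aaa0000000000001",   # IMDSv2 enforced, hop limit 1: fine
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb0000000000002",   # still answers IMDSv1 GETs
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc0000000000003",   # endpoint disabled: nothing reachable
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ddd0000000000004",   # IMDSv2, but the token reply may leave the host
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 3}},
    ]},
]


def _instances(reservations):
    for reservation in reservations:
        yield from reservation.get("Instances", [])


def imdsv1_exposed(reservations) -> List[str]:
    """IDs of instances whose metadata endpoint answers without a session token.

    Under that setting a single forged GET (for example through SSRF in a web
    app on the host) can read /latest/meta-data/iam/security-credentials/.
    """
    return [
        inst["InstanceId"]
        for inst in _instances(reservations)
        if inst["MetadataOptions"].get("HttpEndpoint") == "enabled"
        and inst["MetadataOptions"].get("HttpTokens") != "required"
    ]


def hop_limit_above(reservations, max_hops: int = 1) -> List[str]:
    """Instances whose IMDSv2 token response may travel more than max_hops.

    A hop limit of 1 keeps the PUT token reply from being forwarded off the
    instance (e.g. into a container on a bridged network); raise it only where
    containers legitimately need the metadata service.
    """
    return [
        inst["InstanceId"]
        for inst in _instances(reservations)
        if inst["MetadataOptions"].get("HttpEndpoint") == "enabled"
        and inst["MetadataOptions"].get("HttpPutResponseHopLimit", 1) > max_hops
    ]


def remediation_kwargs(instance_id: str, hop_limit: int = 1) -> Dict[str, Any]:
    """Keyword arguments for boto3's ec2.modify_instance_metadata_options(**kwargs)."""
    return {
        "InstanceId": instance_id,
        "HttpEndpoint": "enabled",
        "HttpTokens": "required",
        "HttpPutResponseHopLimit": hop_limit,
    }


if __name__ == "__main__":
    for instance_id in imdsv1_exposed(SAMPLE_RESERVATIONS):
        print("IMDSv1 reachable:", remediation_kwargs(instance_id))
    print("hop limit > 1:", hop_limit_above(SAMPLE_RESERVATIONS))
```

Run the audit against describe_instances() output paginated from each region, then apply remediation_kwargs() with a real client; new accounts can set the same defaults once with ec2.modify_instance_metadata_defaults().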
S3 (Simple Storage Service) is object storage with 99.999999999% durability and unlimited capacity. 2025 Latest: S3 Express One Zone delivers 10x faster performance (single-digit millisecond latency), 2M requests/second per bucket, with pricing reduced 31% for storage, 85% for GET requests (April 2025). Storage classes: S3 Standard ($0.023/GB), S3 Intelligent-Tiering (auto-optimization), S3 Standard-IA, S3 One Zone-IA, S3 Glacier Instant/Flexible/Deep Archive, S3 Express One Zone (high-performance). Features: versioning, lifecycle policies, encryption at rest (SSE-S3 applied by default to new objects since Jan 2023, SSE-KMS optional; TLS in transit enforceable with a bucket policy that denies aws:SecureTransport=false), Block Public Access (enabled by default on new buckets), bucket policies and Object Ownership, Object Lock (WORM), event notifications, S3 Select. Objects: 0 bytes to 5TB. Use for: data lakes, backups, AI/ML datasets, static websites. Essential AWS storage service.
Lambda is serverless compute running code without servers. 2025 Latest: SnapStart for Python 3.12+ and .NET 8+ delivers sub-second startup (Jan 2025), reducing cold starts by up to 90%. Latest runtimes: Node.js 22.x, Python 3.13, Java 21, Ruby 3.4, .NET 8; Go (and Rust) ship as compiled binaries on the provided.al2023 OS-only runtime, the dedicated go1.x runtime having been retired. Key features: event-driven execution, auto-scaling (0 to thousands instantly), pay per millisecond, 15-minute max execution, memory 128MB-10GB, up to 10GB ephemeral storage. Triggers: API Gateway, S3, DynamoDB Streams, EventBridge, SNS, SQS. Security: each function runs under an execution role; scope it to the exact resources the function touches, and treat event payloads (API Gateway bodies, S3 keys, queue messages) as untrusted input. Pricing: 1M requests free/month, then $0.20 per 1M requests + $0.0000166667 per GB-second. Use for: APIs, data processing, ETL, real-time analytics. Essential serverless service.
VPC (Virtual Private Cloud) provides isolated virtual networks in AWS. 2025 Latest: IPv6-only subnets with an egress-only internet gateway avoid NAT gateway hourly and per-GB processing charges (standard data transfer out still applies), S3 Gateway/Interface VPC endpoints now support IPv6 (Nov 2025). Components: subnets (public/private/IPv6-only), route tables, internet gateway, NAT gateway (IPv4 to internet, $0.045/hour plus $0.045/GB processed), egress-only internet gateway (IPv6 outbound only, no hourly charge), security groups (stateful, allow-only), NACLs (stateless, ordered allow/deny), VPC Flow Logs (accept/reject records per ENI for detection and forensics), VPC peering, PrivateLink (private connectivity), Transit Gateway (hub-spoke), Site-to-Site VPN (IPv6 support, Sep 2025). CIDR: /16 to /28 (IPv4). Use for: network isolation, hybrid cloud, microservices. Essential AWS networking foundation.
RDS (Relational Database Service) provides fully managed databases. 2025 Latest: Aurora PostgreSQL Limitless Database (GA) scales to millions of writes/second and petabytes of data, Blue/Green deployments enable zero-downtime updates with <1 minute switchover. Engines: MySQL 8.4, PostgreSQL 17, MariaDB 11.4, Oracle 21c, SQL Server 2022, Aurora (MySQL/PostgreSQL compatible with up to 5x the throughput of the standard engines). RDS versus self-managed databases on EC2: automated backups (up to 35 days retention), automated patching, Multi-AZ (99.99% SLA), read replicas (up to 15 for Aurora), automated failover (<60 seconds), Performance Insights, encryption at rest. RDS manages: infrastructure, backups, patching. You manage: schema, queries, optimization, plus network exposure (private subnets, security groups, no public accessibility unless required) and authentication (IAM database authentication, Secrets Manager rotation). Use RDS for: production, compliance, operational efficiency. Essential managed database service.
IAM (Identity and Access Management) controls AWS resource access. 2025 Latest: passkey MFA (FIDO2 credentials synced via Google, Apple, 1Password and similar providers) for root and IAM users, IAM Identity Center OIDC token refresh in recent CLI releases, Verified Access OIDC enhancements. Components: Users (long-term credentials; avoid access keys wherever a role will do), Groups (user collections), Roles (temporary STS credentials, use for applications/services and cross-account access), Policies (JSON permissions: Effect, Action, Resource, Condition). Evaluation: an explicit Deny in any applicable policy wins, otherwise some policy must Allow, otherwise the request is implicitly denied; identity policies, resource policies, permission boundaries and SCPs all feed that decision. Best practices: enable MFA (passkeys or hardware keys), use roles for applications, IAM Identity Center for workforce, avoid root user, least privilege, credential rotation. IAM Access Analyzer: identify overly permissive policies and unintended external access. IAM is global, free. Essential security foundation.
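The evaluation order above (explicit Deny, then Allow, then implicit deny) as an added example that is not from the page or from AWS: a minimal evaluator for JSON policies covering Action/NotAction, Resource wildcards and the Bool, StringEquals, IpAddress and NotIpAddress condition operators, exercised against two constructed policies, a role policy scoped to one bucket and a guard-rail Deny. Real IAM handles many more operators, policy types and cross-account rules; the point here is to see the decision order and the NotAction pitfall run.

```python
"""Minimal IAM policy evaluator: explicit Deny > Allow > implicit deny.

Not AWS code; supports Action/NotAction, Resource and a few Condition
operators, enough to test the constructed policies below.
"""
import ipaddress
import re
from typing import Any, Dict, List

Policy = Dict[str, Any]


def _as_list(value) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _glob_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition: Dict[str, Dict[str, Any]], context: Dict[str, str]) -> bool:
    """Every operator/key pair must hold; a key absent from the request context fails."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                nets = [ipaddress.ip_network(n) for n in _as_list(expected)]
                inside = any(ipaddress.ip_address(actual) in n for n in nets)
                if inside != (operator == "IpAddress"):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _statement_applies(stmt: Dict[str, Any], action: str, resource: str, context) -> bool:
    if "Action" in stmt:
        if not any(_glob_match(p, action, True) for p in _as_list(stmt["Action"])):
            return False
    elif "NotAction" in stmt:  # applies to every action EXCEPT the listed ones
        if any(_glob_match(p, action, True) for p in _as_list(stmt["NotAction"])):
            return False
    if not any(_glob_match(p, resource, False) for p in _as_list(stmt.get("Resource", "*"))):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies: List[Policy], action: str, resource: str, context: Dict[str, str]) -> str:
    """Returns 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # a matching Deny always wins
            decision = "Allow"          # keep scanning: a later Deny may still apply
    return decision


# Constructed policies for the example (not from any real account).
ROLE_POLICY: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::prod-data/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::prod-data"},
]}
GUARDRAIL_POLICY: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},   # office range only
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
OFFICE_MFA_CONTEXT = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.10"}
```

Note that the Deny in GUARDRAIL_POLICY is returned even though ROLE_POLICY already produced an Allow, and that a statement written with NotAction grants everything it does not name.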
CloudWatch provides monitoring and observability for AWS resources. Recent: Cross-account anomaly detection (April 2024), Database Insights for Aurora/RDS with expanded anomaly detection (Nov 2025), outlier detection using ML. Features: Metrics (default 5-min, detailed 1-min, high-resolution 1-second), Logs (centralized, retention 1 day to 10 years), Alarms (static thresholds, anomaly detection, composite), Dashboards (cross-account views), Logs Insights (purpose-built query language, plus OpenSearch SQL and PPL since Nov 2024). Cross-account observability: monitor multiple accounts from a single monitoring account. Anomaly detection: ML-based baselines for hourly/daily/weekly patterns. EventBridge: event-driven automation. Use for: performance monitoring, troubleshooting, compliance, automated incident response. Essential observability service.
Well-Architected Framework provides architectural best practices across six pillars. 2025 Latest: Generative AI Lens (April 2025) covers AI lifecycle across all six pillars with responsible AI guidance. (1) Operational Excellence: automation, IaC, observability, incident response, continuous improvement. (2) Security: identity management, detection, data protection, encryption, compliance. (3) Reliability: fault tolerance, disaster recovery, change management, auto-scaling, distributed systems. (4) Performance Efficiency: right-sizing, caching, CDN, serverless, monitoring, architecture patterns. (5) Cost Optimization: right-sizing, Reserved/Savings Plans, Spot instances, S3 lifecycle, monitoring with Cost Explorer. (6) Sustainability: efficient architectures, Graviton processors, serverless, renewable energy regions. Framework includes lenses for specialized workloads (GenAI, IoT, SaaS, Machine Learning). Essential for architecture reviews and cloud excellence.
DynamoDB is a fully managed serverless NoSQL database with single-digit millisecond latency. 2025 Latest: On-demand throughput prices cut 50% (Nov 2024), warm throughput management, configurable maximum capacity, Standard Infrequent Access table class. Pricing: On-demand $0.625/million write request units, $0.125/million read request units (US East), lower storage cost (higher per-request cost) with the Standard-IA table class for rarely accessed tables. Features: unlimited scaling, auto-scaling, global tables (multi-region active-active), DynamoDB Streams (CDC), ACID transactions, TTL (automatic deletion), point-in-time recovery, encryption at rest (AWS-owned key by default, KMS keys optional), IAM fine-grained access control down to items and attributes. Data model: tables, items, attributes. Primary key: partition key or composite (partition+sort). Indexes: GSI (global secondary), LSI (local secondary). Use for: gaming (leaderboards), IoT (device data), mobile backends, session stores, serverless applications, high-traffic workloads. When: need <10ms latency, unpredictable traffic, serverless architecture.
AWS security groups are stateful firewalls that control inbound and outbound traffic at the instance level, more precisely per elastic network interface (ENI), for EC2 instances and other ENI-backed resources (RDS, ELB, Lambda in a VPC, ECS task ENIs). Rules filter traffic by protocol, port range, and source/destination (CIDR, prefix list, or another security group). Being stateful, they automatically allow return traffic for permitted connections in either direction. Key features: rules are allow-only (no deny rules), evaluated as a whole collection rather than in order (the most permissive matching rule applies), multiple groups on one ENI are combined, and rules can reference other security groups so tiers talk to each other without hard-coded IPs. Default behavior: a new group denies all inbound and allows all outbound; a VPC's default group additionally allows all inbound from members of the same group. Best practice: follow the principle of least privilege, restrict inbound to specific IP ranges (never 0.0.0.0/0 or ::/0 on SSH, RDP or database ports), use security-group references between tiers, and tighten outbound rules where exfiltration is a concern. Security groups are the primary security mechanism for instance-level protection in a VPC.
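The least-privilege checks above as an added example, not from the page or from AWS: an audit over security groups in the shape boto3's ec2.describe_security_groups() returns. It rates each ingress rule (world-reachable admin or database ports and all-protocol rules high, other internet-exposed ports medium, public web ports informational) and treats references to other groups as the preferred tier-to-tier pattern. The three groups are constructed to show the good pattern beside the common mistakes.

```python
"""Flag security-group ingress rules that break least privilege.

Input mirrors ec2.describe_security_groups()["SecurityGroups"] from boto3;
the groups below are constructed for the example.
"""
from typing import Any, Dict, Iterator, List, Tuple

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
               6379: "redis", 27017: "mongodb"}
PUBLIC_OK = {80, 443}   # world-reachable only makes sense on an edge/load-balancer tier
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}

SAMPLE_GROUPS: List[Dict[str, Any]] = [  # constructed
    {"GroupId": "sg-0web0000000000001", "GroupName": "web-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0app0000000000002", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0web0000000000001"}]},      # reference: good
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0dbb0000000000003", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
]


def _ports(perm: Dict[str, Any]) -> Tuple[int, int]:
    """IpProtocol -1 carries no port keys: it means every port of every protocol."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def _cidr_sources(perm: Dict[str, Any]) -> Iterator[str]:
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit(groups: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One finding per (rule, CIDR source); UserIdGroupPairs never produce findings."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            lo, hi = _ports(perm)
            admin_hit = [name for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
            for cidr in _cidr_sources(perm):
                if cidr in WORLD:
                    if perm["IpProtocol"] == "-1":
                        sev, why = "high", "all traffic from the internet"
                    elif admin_hit:
                        sev, why = "high", f"{', '.join(admin_hit)} reachable from the internet"
                    elif lo == hi and lo in PUBLIC_OK:
                        sev, why = "info", "public web port; confirm this is an edge tier"
                    else:
                        sev, why = "medium", "non-web port reachable from the internet"
                elif perm["IpProtocol"] == "-1":
                    sev, why = "medium", "all protocols from a CIDR; prefer a security-group reference"
                else:
                    continue
                findings.append({"group": group["GroupId"], "name": group["GroupName"],
                                 "source": cidr, "ports": str(lo) if lo == hi else f"{lo}-{hi}",
                                 "severity": sev, "reason": why})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["group"]))
    return findings


def summary(findings: List[Dict[str, Any]]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print(f"{f['severity']:6} {f['group']} {f['name']:8} {f['source']:12} {f['ports']:8} {f['reason']}")
```

Feed it the paginated output of describe_security_groups() per region; a finding on a group that is attached to nothing is still worth deleting, since an unused permissive group tends to get reused.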
Security groups and NACLs provide different layers of VPC security with key differences: Security groups operate at instance level (ENI), are stateful (return traffic automatically allowed), support allow-only rules, are evaluated as a whole, and can reference other security groups. NACLs operate at subnet level, are stateless (return traffic, including replies to client ephemeral ports 1024-65535, must be allowed explicitly in the opposite direction), support both allow and deny rules, are evaluated in ascending rule-number order (1-32766) with the first match winning and an implicit deny (*) at the end, and cannot reference security groups or other NACLs. Scope: a security group follows the ENI it is attached to; a NACL applies to every resource in its subnet (one NACL per subnet). Usage: security groups for primary instance protection, NACLs for additional subnet-level defense. Rule order matters in NACLs: a rule 100 deny for a CIDR overrides a rule 110 allow for the same traffic, while the reverse numbering makes the deny unreachable. Best practice: use security groups for granular instance control, NACLs for subnet-wide rules and blocking known-bad IP ranges. Both provide defense in depth but serve different purposes in VPC architecture.
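The ordering and statefulness rules above, as an added example that is not from the page or from AWS: a small model of both layers that runs an SSH request and the instance's reply through a subnet NACL and a security group. It shows the rule-100/110 deny-versus-allow case in both orders, and the stateless trap where the security group passes the reply but the NACL, lacking an outbound rule for ephemeral ports, drops it. All rule sets and addresses are constructed.

```python
"""NACL (ordered, stateless) versus security group (allow-only, stateful).

A model built for the example, not AWS code; rules and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    number: int            # NACL rule number (1-32766); unused for SG rules
    proto: str             # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str              # remote address range
    port_from: int
    port_to: int
    action: str = "allow"  # NACLs may also say "deny"; security groups never do

    def matches(self, remote_ip: str, port: int, proto: str) -> bool:
        if self.proto != "-1" and (self.proto != proto or not self.port_from <= port <= self.port_to):
            return False
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)


def nacl_decision(rules: List[Rule], remote_ip: str, port: int, proto: str) -> Tuple[bool, Optional[int]]:
    """First match in ascending rule-number order wins; no match is the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(remote_ip, port, proto):
            return rule.action == "allow", rule.number
    return False, None


@dataclass
class SecurityGroup:
    ingress: List[Rule]
    egress: List[Rule] = field(default_factory=lambda: [Rule(0, "-1", "0.0.0.0/0", 0, 65535)])
    tracked: Set[Flow] = field(default_factory=set)   # connections already admitted

    def _check(self, rules: List[Rule], flow: Flow, remote_ip: str) -> bool:
        if flow.reverse() in self.tracked:   # reply to an admitted connection: always allowed
            return True
        if any(r.matches(remote_ip, flow.dst_port, flow.proto) for r in rules):
            self.tracked.add(flow)
            return True
        return False

    def allows_inbound(self, flow: Flow) -> bool:
        return self._check(self.ingress, flow, flow.src_ip)

    def allows_outbound(self, flow: Flow) -> bool:
        return self._check(self.egress, flow, flow.dst_ip)


def ssh_session(nacl_in: List[Rule], nacl_out: List[Rule], sg: SecurityGroup, client_ip: str,
                instance_ip: str = "10.0.1.20", client_port: int = 51515) -> Dict[str, object]:
    """Run the client's SYN and the instance's SYN-ACK through both layers."""
    request = Flow("tcp", client_ip, client_port, instance_ip, 22)
    reply = request.reverse()
    req_nacl, rule = nacl_decision(nacl_in, request.src_ip, request.dst_port, "tcp")
    req_sg = sg.allows_inbound(request)
    # No connection table in a NACL: the reply is judged alone, on the client's ephemeral port.
    rep_nacl, _ = nacl_decision(nacl_out, reply.dst_ip, reply.dst_port, "tcp")
    rep_sg = sg.allows_outbound(reply)
    return {"request_nacl": req_nacl, "request_rule": rule, "request_sg": req_sg,
            "reply_nacl": rep_nacl, "reply_sg": rep_sg,
            "session_ok": req_nacl and req_sg and rep_nacl and rep_sg}


def ssh_only_sg() -> SecurityGroup:
    return SecurityGroup(ingress=[Rule(0, "tcp", "0.0.0.0/0", 22, 22)])


# Constructed rule sets
NACL_IN_DENY_FIRST = [Rule(100, "tcp", "198.51.100.0/24", 22, 22, "deny"),
                      Rule(110, "tcp", "0.0.0.0/0", 22, 22, "allow")]
NACL_IN_DENY_LATE = [Rule(100, "tcp", "0.0.0.0/0", 22, 22, "allow"),
                     Rule(110, "tcp", "198.51.100.0/24", 22, 22, "deny")]   # never reached
NACL_OUT_EPHEMERAL = [Rule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]
NACL_OUT_HTTPS_ONLY = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]    # forgot the replies

if __name__ == "__main__":
    print(ssh_session(NACL_IN_DENY_FIRST, NACL_OUT_EPHEMERAL, ssh_only_sg(), "198.51.100.7"))
    print(ssh_session(NACL_IN_DENY_LATE, NACL_OUT_EPHEMERAL, ssh_only_sg(), "198.51.100.7"))
    print(ssh_session(NACL_IN_DENY_FIRST, NACL_OUT_HTTPS_ONLY, ssh_only_sg(), "203.0.113.5"))
```

The last case is the one that produces "the security group is right but SSH hangs" tickets: the SYN passes both layers, the SYN-ACK passes the stateful security group, and the stateless NACL drops it.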
EBS (Elastic Block Store) provides persistent block storage volumes for EC2 instances. Process: EBS volumes are attached to EC2 instances as block devices (e.g., /dev/xvda or /dev/nvme0n1), appear as local disks to the instance, and have a lifecycle independent of the instance: data survives stop/start and survives termination unless the volume's DeleteOnTermination flag is set, which is the default for root volumes, so check that flag before relying on persistence. Key features: Snapshots for backups, encryption at rest, point-in-time recovery, volume resizing and type changes while attached (Elastic Volumes), Multi-Attach for up to 16 Nitro instances in one AZ (io1/io2 volumes). Storage management: Create volumes in a specific Availability Zone, attach to instances in that AZ, detach and reattach to different instances. Performance: Low-latency access (milliseconds), consistent throughput. Use cases: Database storage, application data, boot volumes, file systems. EBS integrates with all EC2 instance types and provides enterprise-grade block storage for stateful applications requiring persistent storage.
AWS EBS General Purpose SSD volumes provide balanced price/performance for most workloads. Two generations: gp3 (latest generation) and gp2 (previous generation). gp3 features: 3,000 IOPS and 125 MiB/s included regardless of size, IOPS and throughput provisionable independently of capacity up to 16,000 IOPS and 1,000 MiB/s, about 20% lower cost than gp2, 1 GiB to 16 TiB. gp2 features: 3 IOPS per GiB baseline (minimum 100, burstable to 3,000 for volumes under 1 TiB), maximum 16,000 IOPS, up to 250 MiB/s, 1 GiB to 16 TiB; performance is tied to volume size, so gp2 volumes are often over-provisioned just to buy IOPS. Performance: consistent single-digit millisecond latency, suitable for boot volumes, development/testing, general applications. Use gp3 for new deployments (better performance per dollar, performance decoupled from size). Use for: Web applications, development environments, general-purpose databases, boot volumes.
EBS Provisioned IOPS SSD volumes provide high performance for I/O-intensive workloads. Two generations: io2 (latest, delivered as io2 Block Express on Nitro instances) and io1 (previous). io2 features: Up to 256,000 IOPS, up to 4,000 MiB/s throughput, 4 GiB to 64 TiB, sub-millisecond latency, 99.999% durability, Multi-Attach. io1 features: Up to 64,000 IOPS, up to 1,000 MiB/s throughput, 4 GiB to 16 TiB, 99.8-99.9% durability, Multi-Attach also supported on Nitro instances. Performance: Consistent low latency, ideal for database workloads. Use cases: High-performance databases (Oracle, SQL Server, PostgreSQL), NoSQL databases (Cassandra, MongoDB), big data processing, log processing, critical applications requiring maximum I/O performance. Multi-Attach (up to 16 Nitro instances in the same AZ) enables active-passive or clustered database configurations, but EBS does no write arbitration: the application or a cluster-aware file system must coordinate writes. Cost: Higher than General Purpose volumes but provides superior performance for I/O-intensive workloads.
EBS HDD volumes provide cost-effective storage for large-scale sequential workloads. st1 (Throughput Optimized HDD): Optimized for large sequential workloads, 40 MiB/s per TiB baseline throughput, burst to 250 MiB/s per TiB, 500 MiB/s maximum per volume, 125 GiB to 16 TiB. Use cases: Big Data processing, data warehousing, log processing, content delivery, ETL workloads. sc1 (Cold HDD): Lowest cost EBS storage for infrequently accessed data, 12 MiB/s per TiB baseline, burst to 80 MiB/s per TiB, 250 MiB/s maximum per volume, 125 GiB to 16 TiB. Use cases: Archival storage, backups, disaster recovery, data lakes, infrequently accessed application data. Performance characteristics: Higher latency than SSD, throughput accounted in 1 MiB I/O units, optimized for sequential workloads, not suitable for transactional databases, and neither type can serve as a boot volume. Cost optimization: Use sc1 for data that is accessed less than once per month, use st1 for data accessed more frequently but sequentially. HDD volumes are suitable when cost is the primary concern and access patterns are predictable and sequential.
EBS snapshots provide point-in-time backups stored in S3 (managed by EBS, not visible as objects in your buckets). Creation: snapshot of a volume, incremental (the first snapshot copies all written blocks, later ones only blocks changed since the previous snapshot). Storage: 99.999999999% durability, retained until deleted (use Data Lifecycle Manager or AWS Backup for retention policies). Features: Cross-Region and cross-account copy for disaster recovery, Snapshots Archive (cost-effective long-term storage for snapshots rarely restored), fast snapshot restore (volumes deliver full performance immediately instead of lazily loading blocks). Encryption: EBS volumes support encryption at rest using KMS keys (the AWS-managed aws/ebs key or a customer-managed key). Snapshots inherit encryption from the source volume, and an unencrypted snapshot can be copied into an encrypted one. Sharing caveats: unencrypted snapshots can be shared with specific accounts or made public, a recurring data-leak finding, so audit for public snapshots; encrypted snapshots can never be made public, can be shared only when encrypted with a customer-managed key whose key policy grants the recipient access, and snapshots encrypted with the default aws/ebs key cannot be shared at all. Use cases: Database backups, disaster recovery, volume cloning, data protection, testing environments. Cost: per GB-month of stored blocks, plus data transfer for cross-region copies. EBS snapshots are essential for data protection and recovery workflows.
Auto Scaling automatically adjusts EC2 capacity based on demand. 2025 Latest: Warm pools support for mixed instances policies (Nov 2025) enables rapid scale-out with multiple instance types, predictive scaling expanded to six additional regions (Oct 2025). Components: Launch template (AMI, instance type, security groups, instance profile, metadata options), Auto Scaling group (min/desired/max capacity, AZs), Scaling policies (when to scale). Scaling types: Target tracking (maintain a metric such as 70% CPU), Step scaling (threshold-based), Scheduled (predictable patterns), Predictive (ML forecasts, launches in advance). Warm pools: pre-initialized instances reduce scale-out latency from minutes to seconds. Health checks: EC2 status, ELB health. Default termination policy: the AZ with the most instances first, then the instance using the oldest launch template or configuration, then the instance closest to the next billing hour. Use for: high availability, cost optimization, handling traffic spikes. Essential for resilient applications.
Route 53 is highly available DNS service with 100% uptime SLA. 2025 Features: Application Recovery Controller (ARC) with zonal shift/autoshift, region switch, routing control for multi-region recovery, DNSSEC support. Features: domain registration ($12-$2000/year), DNS hosting ($0.50/hosted zone/month), health checking (HTTP/HTTPS/TCP). Routing policies: Simple (single resource), Weighted (traffic split A:70%, B:30%), Latency-based (lowest latency), Failover (active-passive DR), Geolocation (continent/country/state), Geoproximity (bias-based), Multi-value (up to 8 IPs with health checks), IP-based. Record types: A, AAAA, CNAME, MX, TXT, Alias (AWS resources, no query charges). Health checks: endpoint monitoring every 30s/10s, CloudWatch alarms, calculated health checks. Use for: global load balancing, disaster recovery, blue-green deployments, multi-region architectures. Essential DNS service.
CloudFront is a global CDN delivering content via 600+ edge locations and regional edge caches worldwide. Recent additions: HTTP/3 support (QUIC) provides 10% faster TTFB, 15% better page load times, CloudFront KeyValueStore for low-latency edge data (5MB, millisecond access), cloudfront-js-2.0 runtime with async/await. Features: HTTPS/HTTP/3, custom SSL certificates (ACM), geo-restriction, signed URLs/cookies, Origin Access Control (OAC) so S3 origins accept requests only from the distribution, AWS WAF and Shield Standard integration, Lambda@Edge (Node.js/Python), CloudFront Functions (JavaScript, sub-millisecond), cache behaviors, TTL control (0 seconds to 1 year). Origins: S3, custom HTTP/HTTPS (ALB, EC2, on-premises). Performance: Origin Shield (additional caching layer), real-time logs, cache hit metrics. Use cases: static/dynamic content, video streaming (HLS, DASH), API acceleration, software distribution. Pricing: $0.085/GB (US/Europe first 10TB). Essential for global, low-latency content delivery.
SNS (Simple Notification Service) provides pub/sub messaging. 2025 Latest: FIFO topics support 30,000 messages/second (Jan 2025, up from 300/sec), FIFO topics can deliver to SQS Standard queues (2023), high throughput via MessageGroup scope. Publishers send to topics, subscribers receive messages. Subscribers: SQS (Standard/FIFO), Lambda, HTTP/HTTPS, email, SMS, mobile push, Kinesis Firehose. Features: message filtering (JSON policies), FIFO ordering + deduplication, encryption (KMS), delivery retries, DLQ for failed deliveries, message attributes. Fanout: publish once to SNS, deliver to multiple SQS queues/Lambda functions. Pricing: $0.50/million requests (first 1M free), $2/100k email notifications. Use for: application decoupling, event notifications, fanout architectures, microservices communication. Essential messaging service.
SQS (Simple Queue Service) provides fully managed message queues. 2025 Latest: FIFO queues support 70,000 messages/second with high throughput mode (up from 3,000), better batching performance. Queue types: Standard (unlimited throughput, at-least-once delivery, best-effort ordering), FIFO (ordered within a message group, exactly-once processing via a 5-minute deduplication window, 70,000 TPS with high throughput, group-level deduplication). Features: visibility timeout (0 sec-12 hours, default 30 sec), message retention (1 min-14 days), DLQ (handle poison messages), long polling (1-20 seconds, reduces cost), encryption (SSE-SQS, SSE-KMS), queue policies for cross-account access, message size up to 256KB (larger payloads via S3 with the Extended Client Library). Patterns: decoupling microservices, buffering between components, load leveling, asynchronous processing, job queues. Use for: background jobs, order processing, event-driven workflows. Standard for high throughput, FIFO for ordering requirements. Essential distributed systems component.
Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets (EC2 instances, containers, IP addresses) in multiple Availability Zones. Features: health checks (monitor target health, automatically route to healthy targets), cross-zone load balancing (distribute traffic evenly across AZs), sticky sessions (session affinity), SSL/TLS termination, connection draining (graceful removal), integrated monitoring with CloudWatch. Benefits: high availability, fault tolerance, scalability. Load balancers accept incoming traffic, evaluate target health using configurable health checks, then route requests only to healthy targets. Supports automatic scaling, IPv6, and integrates with Auto Scaling Groups. Essential for building resilient, highly available applications on AWS with no single point of failure.
Application Load Balancer (ALB) operates at Layer 7 (HTTP/HTTPS) and provides advanced request routing. Key features: path-based routing (/users/* → user service, /orders/* → order service), host-based routing (api.example.com → API servers), HTTP/2 support, WebSocket support, Lambda target integration (invoke Lambda functions directly). Advanced features: authentication (Cognito, OIDC), redirect actions, fixed response actions, weighted target groups, slow start (gradually ramp up traffic). Use cases: microservices architectures, web applications with multiple services, container-based applications (ECS/EKS), serverless applications with Lambda targets. Perfect when you need intelligent routing based on URL paths or host headers. Default choice for web applications requiring flexible routing rules.
Network Load Balancer (NLB) operates at Layer 4 (TCP/UDP/TLS) for extreme performance and low latency. Key features: handles millions of requests per second, one static IP (or your own Elastic IP) per AZ, client source IP preserved by default for instance targets (proxy protocol v2 available for IP targets), TLS termination/offloading, long-lived TCP connections, ultra-low latency. Health checks: TCP, HTTP or HTTPS; deregistration delay defaults to 300 seconds and is configurable per target group. Security note: because the client IP is preserved, target security groups must admit the clients' address ranges, or, since NLBs now support security groups, reference the NLB's security group instead. Use cases: high-performance TCP/UDP applications, gaming servers, IoT devices, real-time streaming, applications requiring static IP addresses, financial trading systems. Perfect for applications needing maximum throughput, preserving client IP addresses, or supporting TCP/UDP protocols. Better than ALB for raw performance when Layer 7 routing isn't needed. Essential for applications with extreme performance requirements.
Gateway Load Balancer (GWLB) operates at Layer 3 and uses GENEVE protocol for transparent network gateway insertion. Key features: transparent insertion of appliances (firewalls, IDS/IPS, DDoS protection), preserves client source IP, high availability with multi-AZ, 100 Gbps throughput per Availability Zone, scales to thousands of appliances. Architecture: appliances register as targets, traffic flows through appliances before reaching destination, supports both inbound and outbound traffic. Use cases: network security appliances, deep packet inspection, third-party virtual appliances, unified threat management. Perfect when you need to insert network-level services transparently. Different from ALB/NLB because it's designed for network appliances rather than application servers. Essential for security-focused network architectures.
Classic Load Balancer (CLB) is the original ELB type operating at both Layer 4 (TCP) and Layer 7 (HTTP/HTTPS). Features: basic load balancing, health checks, SSL/TLS termination, sticky sessions, connection draining. Limitations: no path-based routing, no host-based routing, limited monitoring, no WebSocket support, no Lambda targets. Deprecated status: AWS recommends ALB or NLB for new applications, CLB exists for backward compatibility. Migration: AWS provides migration tool to convert CLB configurations to ALB/NLB. Use cases: legacy applications, AWS Elastic Beanstalk environments (historical), simple applications not requiring advanced routing. Not recommended for new deployments due to limited features and better alternatives available.
ECS (Elastic Container Service) orchestrates Docker containers on AWS. 2025 Latest: ECS Exec for debugging (interactive shell access), Fargate Spot (up to 70% savings), $200 free tier credits (new accounts through July 2025), Fargate ephemeral storage up to 200 GiB per task (20 GiB default). Launch types: Fargate (serverless, recommended, pay per vCPU/memory), EC2 (manage instances, more control). Components: Cluster (logical grouping), Task Definition (container specs: image, 0.25-16 vCPU and 512 MB-120 GB memory on Fargate, awsvpc networking, a task role for the application's own AWS access and a separate execution role for pulling images, secrets and logs), Task (running instance), Service (desired count, load balancing, auto scaling). ECS Anywhere: run containers on-premises. Deployment: rolling updates, blue/green, canary. Monitoring: CloudWatch Container Insights, ECS Exec (log its sessions; it grants shell access inside running tasks). Use for: microservices, batch processing, web applications. Alternative: EKS (Kubernetes). Essential container orchestration service.
AWS CloudFormation is Infrastructure as Code (IaC) service that provisions and manages AWS resources using templates. Core concept: declarative approach where you define desired state, CloudFormation handles provisioning and configuration. Templates are JSON or YAML files describing AWS resources and their configurations. Stacks are collections of resources managed as a single unit. Process: create/update template → initiate stack operation → CloudFormation creates/updates resources in dependency order. Benefits: repeatable deployments, version control, consistency across environments, automated resource management. Supports all AWS services with standardized syntax. Eliminates manual console configuration, reduces human error, enables infrastructure versioning. Essential for DevOps practices and cloud automation.
CloudFormation templates define infrastructure as code using JSON/YAML syntax. Key sections: AWSTemplateFormatVersion, Description, Parameters (input values), Mappings (conditional values), Resources (AWS resources), Outputs (returned values). Stacks: instances created from templates, containing all resources defined. Stack lifecycle: CREATE (provision resources), UPDATE (modify resources), DELETE (remove resources). Change sets: preview changes before applying - shows what will be created/modified/deleted. Change set process: create change set → review proposed changes → execute change set. Benefits: safety preview, no-downtime updates, rollback on failure. Templates support intrinsic functions (Ref, GetAtt, Fn::Join) for dynamic values. Stacks provide resource dependency management and automatic rollback.
CloudFormation intrinsic functions enable dynamic template generation. Core functions: Ref (reference parameters/resources), GetAtt (get resource attributes), Join (concatenate strings), Sub (substitute variables), ImportValue (import outputs from other stacks), Condition (evaluate conditions), Base64 (encode to Base64). Advanced functions: GetAZs (get Availability Zones), Select (select from list), Split (split string), FindInMap (lookup mapping values). Usage examples: !Sub '${AWS::StackName}-Bucket' creates dynamic bucket name; !Ref 'VpcId' references VPC parameter; !GetAtt 'EC2Instance.PublicIp' gets instance IP. Functions enable reusable templates across environments and regions. Essential for flexible infrastructure code that adapts to different deployment contexts while maintaining template structure.
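How the functions above compose, as an added example that is neither the page's code nor the CloudFormation engine: an offline resolver for Ref, Fn::GetAtt, Fn::Sub, Fn::Join, Fn::Select, Fn::Split, Fn::FindInMap, Fn::GetAZs and Fn::ImportValue over a template in long-form (JSON-style) syntax. Since no stack exists, physical IDs, resource attributes, exported values and the AZ list are supplied by the caller; the template, pseudo-parameter values and resource data are all constructed for the example.

```python
"""Resolve CloudFormation intrinsic functions offline (an example resolver, not AWS code)."""
import re
from typing import Any, Dict, List

SUB_VAR = re.compile(r"\$\{(!?)([^}]+)\}")   # ${Name}, ${Logical.Attr},  ${!Literal}


class Resolver:
    def __init__(self, template: Dict[str, Any], parameters: Dict[str, str],
                 physical: Dict[str, Dict[str, str]], exports: Dict[str, str],
                 pseudo: Dict[str, str], azs: Dict[str, List[str]]):
        self.template, self.pseudo, self.azs = template, pseudo, azs
        self.physical = physical   # logical id -> {"Ref": physical id, "<Attr>": value}
        self.exports = exports     # Fn::ImportValue name -> exported value
        # A parameter the caller did not pass falls back to its template Default.
        self.params = {name: parameters.get(name, spec.get("Default"))
                       for name, spec in template.get("Parameters", {}).items()}

    def ref(self, name: str) -> str:
        for table in (self.pseudo, self.params):
            if name in table:
                return table[name]
        if name in self.physical:
            return self.physical[name]["Ref"]
        raise KeyError(f"Ref to unknown logical name {name!r}")

    def get_att(self, logical: str, attr: str) -> str:
        return self.physical[logical][attr]

    def sub(self, spec: Any) -> str:
        text, local = (spec, {}) if isinstance(spec, str) else (spec[0], self.resolve(spec[1]))

        def replace(m: "re.Match[str]") -> str:
            literal, name = m.group(1), m.group(2)
            if literal:                                   # ${!Literal} stays as ${Literal}
                return "${" + name + "}"
            if name in local:
                return str(local[name])
            if "." in name and not name.startswith("AWS::"):
                return self.get_att(*name.split(".", 1))   # ${Logical.Attr} == Fn::GetAtt
            return self.ref(name)
        return SUB_VAR.sub(replace, text)

    def resolve(self, node: Any) -> Any:
        if isinstance(node, list):
            return [self.resolve(item) for item in node]
        if not isinstance(node, dict):
            return node
        if len(node) == 1:                                # a one-key dict may be an intrinsic
            key, val = next(iter(node.items()))
            if key == "Ref":
                return self.ref(val)
            if key == "Fn::GetAtt":
                return self.get_att(*(val if isinstance(val, list) else val.split(".", 1)))
            if key == "Fn::Sub":
                return self.sub(val)
            if key == "Fn::Join":
                delim, items = val
                return delim.join(str(i) for i in self.resolve(items))
            if key == "Fn::Select":
                idx, items = val
                return self.resolve(items)[int(idx)]
            if key == "Fn::Split":
                delim, text = val
                return str(self.resolve(text)).split(delim)
            if key == "Fn::FindInMap":
                map_name, top, second = self.resolve(val)
                return self.template["Mappings"][map_name][top][second]
            if key == "Fn::GetAZs":
                return list(self.azs[self.resolve(val) or self.pseudo["AWS::Region"]])
            if key == "Fn::ImportValue":
                return self.exports[self.resolve(val)]
        return {k: self.resolve(v) for k, v in node.items()}   # ordinary object: recurse


TEMPLATE: Dict[str, Any] = {   # constructed template
    "Parameters": {"Env": {"Type": "String", "Default": "prod"}},
    "Mappings": {"RegionConfig": {"us-east-1": {"LogRetentionDays": "365"},
                                  "eu-west-1": {"LogRetentionDays": "90"}}},
    "Resources": {
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketName": {"Fn::Sub": "${AWS::StackName}-${Env}-logs-${AWS::AccountId}"}}},
        "ReaderPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Action": "s3:GetObject",
                "Resource": {"Fn::Join": ["", [{"Fn::GetAtt": ["LogBucket", "Arn"]}, "/*"]]}}]}}},
        "AppSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {
            "VpcId": {"Fn::ImportValue": {"Fn::Sub": "${Env}-vpc-id"}},
            "AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]}}},
    },
    "Outputs": {
        "RetentionDays": {"Value": {"Fn::FindInMap": ["RegionConfig", {"Ref": "AWS::Region"}, "LogRetentionDays"]}},
        "BucketName": {"Value": {"Fn::Select": ["5", {"Fn::Split": [":", {"Fn::GetAtt": "LogBucket.Arn"}]}]}},
    },
}
# Constructed stand-ins for what a deployed stack would know.
PSEUDO = {"AWS::Region": "us-east-1", "AWS::AccountId": "123456789012", "AWS::StackName": "payments"}
PHYSICAL = {"LogBucket": {"Ref": "payments-prod-logs-123456789012",
                          "Arn": "arn:aws:s3:::payments-prod-logs-123456789012"}}
EXPORTS = {"prod-vpc-id": "vpc-0123456789abcdef0", "dev-vpc-id": "vpc-0fedcba9876543210"}
AZS = {"us-east-1": ["us-east-1a", "us-east-1b", "us-east-1c"]}


def resolve_template(parameters: Dict[str, str] = None) -> Dict[str, Any]:
    r = Resolver(TEMPLATE, parameters or {}, PHYSICAL, EXPORTS, PSEUDO, AZS)
    return {"Resources": r.resolve(TEMPLATE["Resources"]), "Outputs": r.resolve(TEMPLATE["Outputs"])}
```

The same walk is what a change set performs before anything is created, which is why a typo in a ${Logical.Attr} reference surfaces at change-set creation rather than mid-deployment.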
CloudFormation advanced features enhance infrastructure management: Drift Detection identifies manual changes to deployed resources (configuration drift) - compares actual state with template state, reports drifted resources. Nested stacks enable template composition - break large templates into reusable child stacks, reference outputs across stacks. Stack Sets manage stacks across multiple accounts and regions - deploy identical resources to 100s of accounts, automatic rollback, managed operations. Other advanced features: DeletionPolicy (Retain, Snapshot, Delete) controls resource deletion behavior, UpdatePolicy controls Auto Scaling group updates, Stack policies protect critical resources from accidental updates. These features support enterprise-scale infrastructure with governance and multi-account management. Essential for large organizations with complex compliance and deployment requirements.
ElastiCache provides managed in-memory caching. 2025 Latest: Valkey 8.2 (Redis fork, 20% memory savings, vector search), Serverless (auto-scales 0 to 5M RPS in <13 minutes), 33% cost savings for Serverless, 20% for node-based clusters. Engines: Valkey 8.0-8.2 (open-source, I/O multithreading, Bloom filters, recommended), Redis OSS 7.x (legacy). Valkey 8.2: vector search, 20% memory efficiency, per-slot metrics, 45% lower ZRANK latency, 12x faster PFMERGE. Features: sub-millisecond latency, replication (Multi-AZ), cluster mode (sharding, up to 500 nodes), persistence (RDB/AOF for Valkey), encryption. Serverless: automatic scaling, continuous patching, no capacity planning. Use cases: database caching, session stores, real-time analytics, gaming leaderboards, pub/sub. Patterns: cache-aside, write-through. Essential for high-performance, low-latency applications.
Secrets Manager securely stores, retrieves, and rotates secrets. 2025 Latest: Cross-region replication for disaster recovery, multi-region KMS key support, automatic propagation of rotated secrets to replicas. Secrets: database credentials (RDS, Aurora, Redshift, DocumentDB), API keys, OAuth tokens, SSH keys. Features: automatic rotation (managed rotation for supported RDS, Aurora, Redshift and DocumentDB credentials, a Lambda rotation function for anything else; schedule configurable, e.g. every 30 days or a cron expression), encryption at rest (KMS), versioning with staging labels (AWSCURRENT, AWSPREVIOUS, AWSPENDING during rotation), fine-grained IAM and resource policies, CloudTrail auditing of every retrieval, cross-account access. Replication: replicate to multiple regions, synchronized automatically. Pricing: $0.40/secret/month + $0.05/10k API calls. Alternative: Parameter Store ($0 for standard parameters, no built-in rotation). Use Secrets Manager for: automatic rotation, compliance requirements, disaster recovery. Essential security service.
AWS global infrastructure consists of Regions and Availability Zones (AZs). 2025: 33+ Regions, 105+ AZs, 600+ edge locations worldwide. Region: independent geographic area (e.g., us-east-1, eu-west-1), contains 2-6 AZs (typically 3), a boundary for data residency. Availability Zone: one or more physically separated data centers within a Region, independent power/cooling/networking, connected via redundant low-latency private fiber (single-digit millisecond between AZs), isolated failure domains. Multi-AZ deployment: resources across AZs for 99.99%+ availability, automatic failover (RDS, ELB), synchronous replication. Service scope: Global (IAM, Route 53, CloudFront), Regional (S3, DynamoDB), Zonal (EC2 instances, EBS volumes). Region selection: latency (closest to users), compliance (GDPR, data sovereignty), service availability, cost (varies by region). Essential for designing resilient, compliant architectures.
KMS (Key Management Service) manages encryption keys with FIPS 140-3 Level 3 validated HSMs. 2025 Features: HMAC keys for message authentication, multi-region keys (replicate keys across regions for encrypted data portability), external key stores (your HSMs). Key types: Symmetric (AES-256, default), Asymmetric (RSA 2048/3072/4096, ECC), HMAC (SHA-224 to SHA-512), Data keys (encrypt large data). Operations: Encrypt/Decrypt (4KB plaintext limit), GenerateDataKey (for large data), Sign/Verify (asymmetric), GenerateMac/VerifyMac (HMAC). Envelope encryption: encrypt the data locally with a data key, store the KMS-encrypted copy of the data key next to the ciphertext, discard the plaintext data key; an encryption context (additional authenticated data) binds the ciphertext to its intended use, must be supplied again on Decrypt, and is recorded in CloudTrail. Key management: AWS-managed keys (no monthly charge, rotated yearly, usable only by the owning service), customer-managed keys ($1/month, key policy and grants under your control, automatic rotation yearly by default and configurable from 90 to 2560 days). Multi-region keys: global applications, disaster recovery, encrypted backups. Integration: 100+ AWS services. CloudTrail: audit all operations. Essential for compliance, data protection.
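Envelope encryption with an encryption context, as an added example that is not from the page or from AWS: StandInKms mimics GenerateDataKey/Decrypt with key material that never leaves the object, the envelope functions do what a client library does around those calls, and a wrong encryption context on Decrypt fails exactly as it would against KMS. Because the block is standard-library only, the symmetric primitive is a toy: an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag standing in for the AES-GCM a real client (for example the AWS Encryption SDK) uses. The key IDs, context and payload are constructed.

```python
"""Envelope encryption around a KMS stand-in (example code, not the AWS SDK).

The toy AEAD below (HMAC-SHA256 keystream + HMAC tag) only exists so the block
runs without third-party packages; a real client uses AES-GCM.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC(aad || nonce || ciphertext)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # wrong key, wrong context, or tampering
        raise ValueError("authentication failed")
    return _keystream_xor(enc_key, nonce, ct)


def _context_bytes(context: Dict[str, str]) -> bytes:
    """Canonical encoding of the encryption context so key order cannot matter."""
    return "&".join(f"{k}={v}" for k, v in sorted(context.items())).encode()


class StandInKms:
    """Mimics GenerateDataKey/Decrypt; key material stays inside, as in an HSM."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def create_key(self) -> str:
        key_id = "stand-in-" + os.urandom(6).hex()     # constructed key id, not a KMS ARN
        self._keys[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id: str, context: Dict[str, str]) -> Tuple[bytes, bytes]:
        """Like kms.generate_data_key: returns (Plaintext, CiphertextBlob)."""
        plaintext_key = os.urandom(32)
        aad = key_id.encode() + b"|" + _context_bytes(context)
        wrapped = key_id.encode() + b"|" + aead_encrypt(self._keys[key_id], plaintext_key, aad)
        return plaintext_key, wrapped

    def decrypt(self, ciphertext_blob: bytes, context: Dict[str, str]) -> bytes:
        """Like kms.decrypt: the blob names its key, and the context must match."""
        key_id, blob = ciphertext_blob.split(b"|", 1)
        aad = key_id + b"|" + _context_bytes(context)
        return aead_decrypt(self._keys[key_id.decode()], blob, aad)


def encrypt_envelope(kms: StandInKms, key_id: str, plaintext: bytes,
                     context: Dict[str, str]) -> Dict[str, bytes]:
    data_key, wrapped_key = kms.generate_data_key(key_id, context)
    body = aead_encrypt(data_key, plaintext, _context_bytes(context))   # local, any size
    del data_key                                   # plaintext data key is never persisted
    return {"wrapped_key": wrapped_key, "body": body}


def decrypt_envelope(kms: StandInKms, envelope: Dict[str, bytes], context: Dict[str, str]) -> bytes:
    data_key = kms.decrypt(envelope["wrapped_key"], context)   # one small KMS call per object
    return aead_decrypt(data_key, envelope["body"], _context_bytes(context))


def roundtrip_demo() -> Dict[str, object]:
    kms = StandInKms()
    key_id = kms.create_key()
    context = {"tenant": "acme", "purpose": "invoice-archive"}          # constructed
    secret = b"card-on-file token 4111-xxxx-xxxx-1111 " * 200            # ~8 KB, over the 4 KB Encrypt cap
    env = encrypt_envelope(kms, key_id, secret, context)
    try:
        decrypt_envelope(kms, env, {"tenant": "mallory", "purpose": "invoice-archive"})
        wrong_context_rejected = False
    except ValueError:
        wrong_context_rejected = True
    return {"plaintext_ok": decrypt_envelope(kms, env, context) == secret,
            "wrong_context_rejected": wrong_context_rejected,
            "body_bytes": len(env["body"])}


if __name__ == "__main__":
    print(roundtrip_demo())
```

With a real client, swap StandInKms for boto3's kms client (generate_data_key and decrypt take the same EncryptionContext), keep the context in the object's metadata so the reader can supply it, and never write the plaintext data key anywhere.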
AWS cost optimization strategies for 2025. (1) Graviton4 instances: 40% lower cost than x86, 30% better performance than Graviton3 (R8g, C8g, M8g). (2) Compute Savings Plans: up to 66% savings, ML-based recommendations, flexible across instance types/regions. (3) Spot Instances: up to 90% off, Fargate Spot 70% savings, use for fault-tolerant workloads. (4) Right-sizing: match instance types to workload, review CloudWatch metrics monthly. (5) S3 Intelligent-Tiering: automatic cost optimization, S3 Express One Zone for high-performance (31% cheaper storage, 85% cheaper GETs since April 2025). (6) Auto Scaling: scale to zero with Lambda/Fargate, warm pools reduce startup latency. (7) Delete unused: EBS volumes, snapshots, old AMIs, orphaned load balancers. (8) Serverless first: Lambda (1M free requests/month), DynamoDB on-demand. (9) Monitoring: Cost Explorer, Cost Anomaly Detection, Budgets with alerts. Combine strategies: Graviton + Savings Plans = 55%+ total savings. Regular reviews essential.