AWS Application Services & Serverless: Lambda, SQS, SNS, CloudFront for SAA-C03

AWS (Amazon Web Services) · Associate · Step 4 of 5 · 106 guides · updated 2026

Hands-on guides to compute, storage, databases, networking, and serverless on the world's most widely adopted cloud platform.

Step 4 — Application Services & Serverless

Modern AWS architectures rarely wire services together directly. Queues, event buses, CDNs, and serverless compute let you build loosely coupled systems that scale independently. This step covers the glue that holds cloud applications together.


AWS Lambda — Serverless Compute

Lambda runs your code without you managing any servers. You upload a function, define what triggers it, and AWS handles everything else — provisioning, scaling, patching, and billing.

How Lambda Works

Trigger ──► Lambda Function ──► Action
            │ (your code)
            │
            ├── Runtime: Python 3.12, Node 20, Java 21, etc.
            ├── Memory: 128 MB – 10,240 MB
            ├── Timeout: max 15 minutes
            └── Ephemeral storage: /tmp up to 10 GB

Triggers:
├── API Gateway (HTTP request)
├── S3 event (file uploaded)
├── DynamoDB Stream (item changed)
├── SQS message
├── EventBridge rule
├── CloudWatch Events (scheduled)
└── SNS notification

Lambda Pricing

Pay only for what actually runs: the number of requests and the compute time, billed as memory allocated multiplied by execution duration.

A function using 512 MB running for 100 ms costs $0.0000083334 per invocation. For most workloads, Lambda is dramatically cheaper than keeping an EC2 instance running.

Lambda Concurrency

Concurrency = number of function instances running simultaneously.

Default burst limit: 3,000 concurrent executions (varies by region)
Default account limit: 1,000 concurrent executions
Reserved Concurrency: guarantees a minimum for one function and also caps its maximum
Provisioned Concurrency: pre-warms instances → eliminates cold starts

Cold start problem: When Lambda needs a new instance, it downloads your code and initializes your runtime. This adds 100 ms–2 s of latency. Use Provisioned Concurrency for latency-sensitive APIs. Lambda SnapStart (Java) reduces cold starts by taking a snapshot after initialization and restoring from it.

Lambda with VPC

Lambda functions run outside your VPC by default. To reach resources in a private subnet (RDS, ElastiCache), configure the function to use a VPC. AWS now uses Hyperplane ENIs, so VPC-attached Lambda no longer carries the slow cold-start penalty it had before 2020.


API Gateway

API Gateway is the front door for your Lambda functions and HTTP backends. It handles authentication, rate limiting, HTTPS, request transformation, and versioning.

REST API vs HTTP API vs WebSocket

REST API (v1) — Full features: usage plans, API keys, request validation, caching, X-Ray. Higher cost.
HTTP API (v2) — 71% cheaper than REST API. JWT authorizers, AWS service proxy integrations. Missing: API keys, usage plans, caching.
WebSocket API — Bidirectional persistent connection. Chat apps, real-time feeds.

2026 recommendation: Use HTTP API unless you need REST API's advanced features (caching, per-method throttling, API keys for third-party monetization).

Deployment Stages and Throttling

Every API Gateway deployment targets a stage (dev, staging, prod). Each stage has its own URL, settings, and can be rolled back independently.

Throttling defaults: 10,000 requests per second (RPS) per region, 5,000 burst. Configure method-level throttling to protect backend Lambda or ECS from overload.

Caching: REST API stages can cache responses (0.5 GB–237 GB). Reduces backend calls and latency. Cache TTL default is 300 seconds.


SQS — Simple Queue Service

SQS is the messaging backbone for decoupled architectures. A producer sends a message to the queue; one or more consumers poll and process it.

Standard vs FIFO Queues

Standard Queue                      FIFO Queue
──────────────────────────────────  ──────────────────────────────────
At-least-once delivery              Exactly-once processing
Best-effort ordering                Strict ordering guaranteed
Nearly unlimited TPS                300 TPS (3,000 with batching)
Best for: high-throughput tasks     Best for: financial transactions,
                                    order processing

Key SQS Concepts

Visibility Timeout: After a consumer picks up a message, it becomes invisible to other consumers for this duration (default 30 s, max 12 h). If the consumer doesn't delete the message before the timeout expires, it reappears, which is what enables retry on failure.

Dead Letter Queue (DLQ): Messages that fail processing N times are moved to a DLQ for inspection. Every production SQS queue should have a DLQ.

Long Polling: Instead of polling continuously (and paying per empty request), set WaitTimeSeconds=20. The queue holds the connection open up to 20 seconds until a message arrives. Reduces cost and latency.

Message Retention: 4 days default, up to 14 days.
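To make the visibility-timeout and DLQ interaction concrete, here is an added example (not from this guide) that models one SQS queue in memory with a simulated clock; `Queue`, `Message` and the redrive threshold are this example's own names, and the order bodies are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    body: str
    receive_count: int = 0        # what SQS reports as ApproximateReceiveCount
    invisible_until: float = 0.0  # simulated clock time at which it reappears

@dataclass
class Queue:
    visibility_timeout: float = 30.0   # SQS default is 30 s
    max_receive_count: int = 3         # redrive policy: to DLQ after N receives
    messages: list = field(default_factory=list)
    dlq: list = field(default_factory=list)
    now: float = 0.0                   # simulated clock in seconds

    def send(self, body: str) -> None:
        self.messages.append(Message(body))

    def receive(self):
        """Hand out the first visible message and hide it for visibility_timeout;
        a message already received max_receive_count times goes to the DLQ instead."""
        for msg in list(self.messages):
            if msg.invisible_until > self.now:
                continue                      # still in flight with a consumer
            if msg.receive_count >= self.max_receive_count:
                self.messages.remove(msg)
                self.dlq.append(msg)          # poison message: stop retrying it
                continue
            msg.receive_count += 1
            msg.invisible_until = self.now + self.visibility_timeout
            return msg
        return None

    def delete(self, msg: Message) -> None:
        self.messages.remove(msg)             # consumer ack: only now is it gone for good

def demo_poison_message() -> dict:
    """One healthy message and one the consumer never manages to delete."""
    q = Queue()
    for body in ("order-1", "order-2-poison"):
        q.send(body)
    delivered = []
    for _ in range(5):                        # five polling rounds, 30 s apart
        while (msg := q.receive()) is not None:
            delivered.append(msg.body)
            if "poison" not in msg.body:
                q.delete(msg)                 # success path: ack within the timeout
        q.now += q.visibility_timeout         # let in-flight messages reappear
    return {"delivered": delivered, "dlq": [m.body for m in q.dlq], "remaining": len(q.messages)}
```

The poison message is handed out exactly `max_receive_count` times and then redriven, which is why a DLQ with an alarm on it is the place to look for a consumer that keeps crashing.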


SNS — Simple Notification Service

SNS is a publish/subscribe service. Publishers send to a topic; all subscribed endpoints receive a copy simultaneously. This fan-out pattern is the primary reason SNS and SQS are used together.

SNS + SQS Fan-Out Pattern

S3 Upload Event ──► SNS Topic "new-uploads"
                    ├──► SQS Queue A ──► Lambda: Generate thumbnail
                    ├──► SQS Queue B ──► Lambda: Virus scan
                    └──► SQS Queue C ──► Lambda: Update database

Result: S3 event triggers three independent processes in parallel.
        Each queue has its own retry/DLQ logic.
        Services are fully decoupled.

SNS Subscription types: SQS, Lambda, HTTP/HTTPS, Email, SMS, Mobile Push (iOS/Android/Windows).

SNS FIFO Topics — Paired with SQS FIFO queues for strict ordering in fan-out. Each subscription gets messages in order.

SNS Message Filtering — Subscribers can set a filter policy so they only receive messages matching specific attributes. Reduces noise and processing cost.


Amazon EventBridge

EventBridge is the next-generation event bus — more powerful than SNS for routing events from AWS services, custom apps, and SaaS providers to targets.

Event Sources:                     EventBridge Bus:        Targets:
─────────────                      ──────────────          ────────────────
AWS services (EC2, S3, etc.)  ──►  Default Bus        ──►  Lambda
Custom applications           ──►  Custom Bus         ──►  Step Functions
SaaS apps (Salesforce, etc.)  ──►  Partner Bus        ──►  SQS / SNS
                                                      ──►  API Gateway
                                                      ──►  ECS Task

EventBridge Rules — Pattern matching on event content. Route "EC2 instance state changed to terminated" to a Lambda that sends a Slack alert. Far more flexible than CloudWatch Events (which EventBridge replaced).

EventBridge Pipes — Point-to-point integrations with filtering, enrichment, and transformation. Connect SQS to Lambda with filtering in between — no custom code for the routing layer.

Scheduled Expressions โ€” Replace cron jobs: rate(5 minutes) or cron(0 12 * * ? *).
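EventBridge rule patterns and SNS subscription filter policies share one JSON matching language (a field maps to a list of acceptable values or operator objects, fields are ANDed, alternatives are ORed). The following is an added teaching model, not the AWS implementation and not code from this guide; it serves both the SNS filtering paragraph above and the EventBridge rule example, and the instance id, severity values and service names are constructed.

```python
import operator

_MISSING = object()                       # sentinel for "field absent from the event"
_NUM_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
            "<=": operator.le, "=": operator.eq}

def _match_one(rule, value) -> bool:
    """Match a single pattern element (plain value or operator object) against a field."""
    if not isinstance(rule, dict):                    # plain value: exact match
        return value == rule
    if "prefix" in rule:
        return isinstance(value, str) and value.startswith(rule["prefix"])
    if "anything-but" in rule:
        excluded = rule["anything-but"]
        excluded = excluded if isinstance(excluded, list) else [excluded]
        return value is not _MISSING and value not in excluded
    if "exists" in rule:
        return (value is not _MISSING) == bool(rule["exists"])
    if "numeric" in rule:                             # e.g. {"numeric": [">", 0, "<=", 5]}
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
        ops = rule["numeric"]
        return all(_NUM_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2))
    raise ValueError(f"unsupported operator: {rule}")

def matches(pattern: dict, event: dict) -> bool:
    """AND across pattern fields, OR across the alternatives listed for each field.
    A nested dict in the pattern descends into the same field of the event."""
    for key, rule in pattern.items():
        value = event.get(key, _MISSING)
        if isinstance(rule, dict):
            if not isinstance(value, dict) or not matches(rule, value):
                return False
        elif not any(_match_one(alt, value) for alt in rule):
            return False
    return True

# Constructed sample data in EventBridge's envelope shape (not a real instance id).
EC2_TERMINATED_RULE = {"source": ["aws.ec2"], "detail-type": ["EC2 Instance State-change Notification"],
                       "detail": {"state": ["terminated", "stopped"]}}
EVENT_TERMINATED = {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
                    "detail": {"state": "terminated", "instance-id": "i-EXAMPLE"}}
EVENT_RUNNING = {**EVENT_TERMINATED, "detail": {"state": "running", "instance-id": "i-EXAMPLE"}}

# SNS subscription filter policy over flat message attributes: only high-severity,
# non-test alerts from services whose name starts with "pay".
SNS_ALERT_POLICY = {"severity": [{"numeric": [">=", 7]}], "env": [{"anything-but": ["test"]}],
                    "service": [{"prefix": "pay"}]}
```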


CloudFront — Content Delivery Network

CloudFront is AWS's CDN: it caches content at 450+ edge locations globally, reducing latency for end users and reducing load on your origin.

How CloudFront Works

User (Tokyo) ──► CloudFront Edge (Tokyo)
                 │
                 ├── Cache HIT?  ──► Return cached response (fast)
                 │
                 └── Cache MISS  ──► Fetch from Origin ──► Cache + Return

Origins:
├── S3 Bucket (static content, SPA)
├── ALB (dynamic content)
├── EC2 instance
└── Custom HTTP server (on-premises)

CloudFront Key Features

Origin Access Control (OAC) — Restricts S3 bucket access so only CloudFront can read it. Replaces the older Origin Access Identity (OAI). Exam: "serve S3 content only through CloudFront, block direct S3 access" → OAC.
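OAC is enforced by the bucket policy: the bucket grants `s3:GetObject` to the `cloudfront.amazonaws.com` service principal, pinned to one distribution by an `AWS:SourceArn` condition, and nothing else grants read. As an added example (not from this guide), here is a small audit helper that flags a public-read policy beside the correct OAC shape; the account id, bucket name and distribution id are constructed placeholders.

```python
def _as_list(x):
    return x if isinstance(x, list) else [x]

def audit_bucket_policy(policy: dict) -> list:
    """Return findings for a bucket policy meant to serve objects only via CloudFront.
    An empty list means: no public read, and the CloudFront service principal is
    pinned to one distribution with an AWS:SourceArn condition."""
    findings, oac_ok = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        reads = any(a in ("s3:GetObject", "s3:*", "*") for a in _as_list(stmt.get("Action", [])))
        if principal in ("*", {"AWS": "*"}):
            if reads and "Condition" not in stmt:
                findings.append(f"{sid}: public read (Principal * with no Condition)")
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "cloudfront.amazonaws.com" in services and reads:
            # IAM condition keys are case-insensitive, so normalise before the lookup
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            source = str({k.lower(): v for k, v in cond.items()}.get("aws:sourcearn", ""))
            if source.startswith("arn:aws:cloudfront::") and "*" not in source:
                oac_ok = True
            else:
                findings.append(f"{sid}: cloudfront.amazonaws.com not pinned to one distribution ARN")
    if not oac_ok:
        findings.append("no statement grants s3:GetObject to cloudfront.amazonaws.com pinned by AWS:SourceArn")
    return findings

# Constructed placeholder identifiers; OAC_POLICY follows the shape the CloudFront
# console generates when an Origin Access Control is attached to an S3 origin.
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

OAC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCloudFrontServicePrincipalReadOnly", "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {
        "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"}}}]}
```

Block Public Access on the bucket is the belt to this policy's braces: with both in place, a request that bypasses the distribution gets a 403 from S3.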

Signed URLs and Signed Cookies — Control who can access content. Signed URL for single-file access (e.g., premium video download). Signed Cookies for multiple files (e.g., an entire subscriber content library).

CloudFront Functions vs Lambda@Edge — Both run code at edge locations, but differ in capability and latency:

CloudFront Functions — Sub-millisecond. Viewer request/response only. Header manipulation, URL rewrites, A/B testing.
Lambda@Edge — Milliseconds. All four event types. Dynamic content generation, authentication, complex logic.

HTTPS and SSL/TLS — CloudFront provides free SSL/TLS certificates via ACM. Custom domains with HTTPS require the certificate to be in us-east-1 (this is tested).


Route 53 — DNS and Traffic Routing

Route 53 is AWS's DNS service and can do sophisticated traffic routing based on health, geography, latency, and weight.

Routing Policies

Simple — One record, no health checks.
Weighted — Split traffic by percentage. A/B testing, blue/green.
Latency-Based — Route to the Region with the lowest latency to the user.
Geolocation — Route based on the user's country or continent.
Geoproximity — Route based on geographic location + bias factor (requires Traffic Flow).
Failover — Primary/secondary. Routes to secondary if the primary health check fails.
Multi-Value — Returns multiple healthy IPs. Not a substitute for ELB.
IP-Based — Route based on the client's CIDR block. New in 2023.

Health Checks — Route 53 monitors endpoints and can trigger failover routing. Three types: endpoint, calculated (aggregates other health checks), and CloudWatch alarm.

Alias Records — Like a CNAME but free of charge for AWS resources and works at the zone apex (e.g., example.com without www). Always use Alias over CNAME for AWS resources (ELB, CloudFront, S3 website).

Route 53 Resolver

Inbound Endpoints — Allow on-premises DNS servers to query Route 53 for Private Hosted Zone records.

Outbound Endpoints — Allow VPC resources to query on-premises DNS servers. Essential for hybrid architectures.


Exam Patterns

Scenario                                              Answer
────────────────────────────────────────────────────  ─────────────────────────────────────────
Decouple producer from consumer, allow retry          SQS
Notify multiple services when an event occurs         SNS topic with SQS subscriptions
React to AWS service events (EC2 launch, S3 upload)   EventBridge
Serve static website globally with HTTPS              S3 + CloudFront + ACM (us-east-1)
Route users to the closest AWS region                 Route 53 Latency routing
Primary/secondary site failover                       Route 53 Failover policy + health checks
HTTP API without managing servers                     API Gateway + Lambda
Lambda cold starts must be eliminated                 Provisioned Concurrency