Step 1: AWS Cloud Foundations
Before you touch a single EC2 instance or S3 bucket, the exam wants to know whether you understand why AWS is built the way it is. This step covers the mental model behind everything else.
What Cloud Computing Actually Means
AWS sells three things: compute, storage, and networking, rented by the second, scaled automatically, billed only for what you use. The three service models map onto how much responsibility you keep:
- IaaS (EC2, VPC): You manage OS, runtime, app. AWS manages hardware.
- PaaS (Elastic Beanstalk, RDS): You manage app + data. AWS manages everything else.
- SaaS (WorkMail, Chime): You just use it. AWS manages all layers.
The Shared Responsibility Model is tested constantly. The clean split:
| AWS responsibility | Your responsibility |
|---|---|
| Physical hardware | IAM users, roles, policies |
| Hypervisor / virtualization | OS patching (on EC2) |
| Network hardware | Application code |
| Data center facilities | Data encryption choices |
| Managed service internals | S3 bucket policies, public ACLs |
If AWS manages the service end-to-end (like DynamoDB), AWS handles more. If you spin up an EC2 instance, you own the OS layer and above.
AWS Global Infrastructure (2026)
AWS runs across 34 geographic Regions, 108 Availability Zones, and 600+ Points of Presence globally. Each piece solves a different problem:
```text
Region (us-east-1)
├── AZ 1 (us-east-1a)
│   ├── Data Center A
│   └── Data Center B
├── AZ 2 (us-east-1b)
│   └── Data Center C
└── AZ 3 (us-east-1c)
    └── Data Center D

Edge Location (New York, London, Tokyo...)
└── CloudFront cache / Route 53 resolver
```
Region: A geographic cluster of at least 2 AZs (most have 3-4). You choose a Region when you deploy resources. Data stays in the Region unless you explicitly move it.
Availability Zone: One or more physically separate data centers with independent power, cooling, and networking. The key word: isolated. A natural disaster that hits AZ-a won't take down AZ-b.
Edge Location / Point of Presence: Used by CloudFront (CDN) and Route 53 (DNS). These are not full Regions; they cache content closer to end users.
Local Zones: Mini Regions that extend into metro areas (Los Angeles, Dallas, etc.) for single-digit millisecond latency to specific cities.
How to choose a Region:
- Compliance: Does your data have to stay in a specific country?
- Latency: Where are your users?
- Feature availability: Not all services launch in every Region simultaneously
- Pricing: Cost varies slightly between Regions
IAM: Identity and Access Management
IAM is the access control system for your entire AWS account. No IAM understanding = no exam pass. The key objects:
```text
Account Root User
└── (never use for daily work: lock it down with MFA)

IAM User (alice@company.com)
├── Attached Policy: ReadOnlyAccess
└── Member of: Developers Group

IAM Group (Developers)
└── Attached Policy: AmazonEC2FullAccess

IAM Role (EC2-S3-Read-Role)
├── Trust Policy: "EC2 service can assume this role"
└── Permission Policy: "s3:GetObject on my-bucket/*"
```
Policy types ranked by priority:
- SCPs (Service Control Policies): AWS Organizations level, caps max permissions
- Permission Boundaries: Max permissions an IAM entity can ever have
- Identity-based policies: What a user/role is allowed to do
- Resource-based policies: Who can access this specific resource (S3 bucket policy, Lambda resource policy)
Exam rule: AWS uses explicit-deny-wins logic. If any policy says Deny, the request is denied regardless of other Allow statements. The default is implicit deny: nothing is allowed unless explicitly granted.
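The role diagram above and the explicit-deny / implicit-deny rule, worked through in code. This is an added example, not from the original page or from AWS: a simplified evaluator (same-account requests, no resource-based policies) over constructed policies modelled on EC2-S3-Read-Role, with a hypothetical SCP and permission boundary added to show how those layers only cap what the identity policy grants.

```python
import re

# Constructed policies modelled on the EC2-S3-Read-Role diagram above; not real account data.
TRUST_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Effect": "Allow", "Action": ["ec2:*", "iam:CreateUser", "lambda:InvokeFunction"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}]}
# Hypothetical SCP from AWS Organizations: nobody in this account may touch IAM, whatever their policies say.
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
# Hypothetical permission boundary: the role can never exceed S3 + EC2, even if its identity policy grants more.
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _decide(policy, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else 'Implicit' (no match)."""
    effects = set()
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(_match(a, action, True) for a in actions) and any(_match(r, resource) for r in resources):
            effects.add(st["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Implicit"

def is_allowed(action, resource, identity, scp=None, boundary=None):
    """Same-account, simplified: (1) any explicit Deny in any layer wins; (2) SCP and boundary, when
    present, must each Allow (they only cap permissions); (3) identity must Allow, else implicit deny."""
    decisions = [_decide(p, action, resource) for p in (scp, boundary, identity) if p is not None]
    return "Deny" not in decisions and all(d == "Allow" for d in decisions)

def can_assume(trust_policy, service):
    """Trust policy check: may this AWS service principal assume the role at all?"""
    return any(st["Effect"] == "Allow" and st["Action"] == "sts:AssumeRole"
               and st.get("Principal", {}).get("Service") == service
               for st in trust_policy["Statement"])

if __name__ == "__main__":
    for action, resource in [("s3:GetObject", "arn:aws:s3:::my-bucket/report.csv"),
                             ("ec2:TerminateInstances", "*"), ("iam:CreateUser", "*"), ("lambda:InvokeFunction", "*")]:
        print(f"{action:24} -> {is_allowed(action, resource, IDENTITY_POLICY, SCP, BOUNDARY)}")
```

Run it and note the three different ways a request fails: an explicit Deny in the identity policy (ec2:TerminateInstances), an SCP Deny that overrides an identity Allow (iam:CreateUser), and a boundary that simply does not mention the action (lambda:InvokeFunction), which is the implicit deny at work.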
MFA (Multi-Factor Authentication): Always enable it on the root account. The exam will never recommend doing anything as root. Questions about "most secure way to allow cross-account access" always point to IAM Roles, not sharing credentials.
IAM Best Practices the Exam Loves
- Least privilege: grant only what's needed
- Use roles for EC2 instances (never hard-code keys in code)
- Use groups to manage permissions: attach policies to groups, not individual users
- Rotate access keys regularly
- Enable MFA on privileged accounts
AWS Billing & Pricing Models
Understanding pricing isn't just for the cost-optimization domain; it appears in almost every architectural question because the right architecture balances cost against performance.
Pay-as-You-Go Pricing
Most services: pay per second (EC2), per request (Lambda), per GB (S3). No upfront commitment.
Reserved Instances / Savings Plans
Commit to 1 or 3 years of usage and save 30-70% vs. on-demand.
- On-Demand: $0.096/hr for m5.large (no commitment)
- 1-yr Reserved: $0.057/hr (40% savings)
- 3-yr Reserved: $0.038/hr (60% savings)
- Savings Plans: Similar discount, more flexibility across instance types
Compute Savings Plans are the 2026 preferred option: they apply across EC2, Fargate, and Lambda automatically, unlike old RIs that were tied to a specific instance type and Region.
Spot Instances
AWS sells unused capacity at up to 90% discount. The catch: AWS can reclaim with 2-minute warning. Best for fault-tolerant batch jobs, machine learning training, and stateless workloads.
AWS Free Tier
Three types:
- Always free: Lambda 1M requests/month, DynamoDB 25 GB
- 12 months free: EC2 t2.micro, S3 5 GB, RDS db.t2.micro
- Trials: 60-day Redshift trial, etc.
Key Billing Tools
- Cost Explorer: Visualize and forecast spend, identify cost drivers
- AWS Budgets: Alert when spend exceeds thresholds
- Trusted Advisor: Checks cost, performance, security, fault tolerance
- Billing Alarm: CloudWatch alarm on estimated charges
The Six Pillars of the Well-Architected Framework
This framework shows up in every domain of the exam. Memorize the pillars:
| Pillar | Focus |
|---|---|
| Operational Excellence | Automate operations, learn from failure |
| Security | Protect data, systems, and assets |
| Reliability | Recover from failures automatically |
| Performance Efficiency | Use resources efficiently, adapt to demand |
| Cost Optimization | Eliminate waste, right-size resources |
| Sustainability | Minimize environmental impact |
When an exam question asks "which design principle..." or "according to the Well-Architected Framework...", map your answer to the pillar the question is targeting.
Exam Focus: What Questions Test From This Step
- Shared responsibility boundaries (especially for managed services like RDS vs. EC2)
- Which AWS construct provides physical isolation: AZ (not region, not edge location)
- IAM role vs user vs group: when to use each
- Explicit deny vs implicit deny
- When to use Spot vs Reserved vs On-Demand
- Root account best practices (MFA, don't use for daily tasks)